[nsp-sec] iframe on OpenX server: similar experiences exploit experiences with AS6851

Thomas Hungenberg th.lab at hungenberg.net
Thu Aug 19 06:00:08 EDT 2010


Hi Carles!

Carles Fragoso schrieb:
> One well-known website here in Catalonia has been recently infected with an iframe on its OpenX Ad server that was pointing to 85.234.190.64.

fcbarcelona.com ? :)
I noticed the compromise of their OpenX server on Tuesday and reported it
to our colleagues at CCN-CERT.


> I still don't have the complete info to share.
> 
> Has anyone had similar experiences with this AS6851 (ATECH-SAGADE)?
> 
> ---
> 6851    | 85.234.190.64    | BKCNET _SIA_ IZZI
> 
> inetnum:         85.234.190.0 - 85.234.191.255

A lot of badness is hosted on that /23...

These OpenX server compromises really suck!
I've seen new compromised OpenX servers every day for several weeks now.
Most of the injected IFRAMEs point to SUTRA installations in 85.234.190.0/23
which then redirect to exploit kits on different sites. The IP changes regularly;
currently they are using 85.234.190.62 with new injections.

I've notified dozens of admins of the compromise of their OpenX servers during
the past weeks. Some admins told me the current version OpenX 2.8.5 is still
vulnerable and the attackers are using some "append" function in OpenX
for the IFRAME injection. So if you don't need this function, you could change
the database type for that field from TEXT to INTEGER for mitigation.

I contacted OpenX on this twice last month but they haven't responded yet.


     - Thomas

CERT-Bund Incident Response & Anti-Malware Team
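The report above describes a recurring pattern: ad markup served by a compromised OpenX server carries an appended IFRAME whose src is a literal IP address inside 85.234.190.0/23. The following is an added example, not code from the post or from OpenX, showing how a site operator could check their own served ad HTML for that pattern. It assumes nothing beyond the network block and the two addresses named in the thread; the sample banner HTML, its paths and the legitimate comparison URL are constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The /23 named in the thread as hosting the SUTRA redirectors.
SUSPECT_NETS = [ipaddress.ip_network("85.234.190.0/23")]


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def host_of(url):
    """Return the host of an absolute or protocol-relative URL, or None."""
    if url.startswith("//"):
        url = "http:" + url  # protocol-relative src, common in injected markup
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def suspicious_iframes(html, nets=SUSPECT_NETS):
    """Return iframe src values whose host is a literal IP inside a suspect network.

    Hostnames are skipped: this check only covers the IP-literal form
    described in the report, so it complements rather than replaces a
    domain-based blocklist.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        host = host_of(src)
        if host is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name, not an IP literal
        if any(addr in net for net in nets):
            hits.append(src)
    return hits


# Constructed sample: a normal banner followed by injected IFRAMEs. The first
# two point into the suspect /23; the third is outside it and must not match.
SAMPLE_BANNER = """
<a href="http://www.example.org/"><img src="/images/banner.gif"></a>
<iframe src="http://ads.example.org/zone/12" width="300" height="250"></iframe>
<iframe src="http://85.234.190.64/" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//85.234.190.62/ad" width="0" height="0"></iframe>
<iframe src="http://85.234.192.1/" width="1" height="1"></iframe>
"""

if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_BANNER):
        print("suspect iframe:", src)
```

Run this against the HTML your ad zones actually return (for example by fetching the invocation code of each zone and feeding the response to suspicious_iframes); any hit is a reason to inspect the banner and zone records for appended content, as the thread suggests.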