[nsp-sec] iframe on OpenX server: similar experiences exploit experiences with AS6851
Carles Fragoso
cfragoso at cesicat.cat
Thu Aug 19 06:42:01 EDT 2010
Hi Thomas! :)
> A lot of badness is hosted on that /23..
Has someone from Latvia tried to phone them? It would be great to know whether the contact data in the whois registry is fake or not. If I'm not wrong, most RIR policies (RIPE in this case) say whois database data must be correct.
+371 20034981
Ieriku 67a, Riga, LATVIA
bkc at bkc.lv
Their transit providers are AS5518 (TELIA LATVIJA) and AS6747 (LATTELEKOM), anyone on the list with trusted contacts there?
>These OpenX server compromises really suck!
>I've seen new compromised OpenX servers every day for several weeks now.
>Most of the injected IFRAMEs point to SUTRA installations in 85.234.190.0/23
>which then redirect to exploit kits on different sites. The IP changes regularly,
>currently they are using 85.234.190.62 with new injections.
Sorry ... what's SUTRA?
>I've notified dozens of admins of the compromise of their OpenX servers during
>the past weeks. Some admins told me the current version OpenX 2.8.5 is still
>vulnerable and the attackers are using some "append" function in OpenX
>for the IFRAME injection. So if you don't need this function, you could change
>the database type for that field from TEXT to INTEGER for mitigation.
>I contacted OpenX on this twice last month but they haven't responded yet.
Interesting ... thanks for the feedback. It would be great to find out how they are taking advantage of the append function.
http://www.thewebhostinghero.com/articles/openx-vulnerability-this-site-may-harm-your-computer.html
Thanks a lot!
-- Carlos Fragoso (CESICAT-CERT)
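Added example, not code from either message and not OpenX's own: a Python check a defender could run over stored ad creatives to flag any <iframe> whose src points into the 85.234.190.0/23 range named above. The sample creatives, the ads.example.com host and the "/frame" path are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Range the thread names as hosting the SUTRA redirectors behind the injected IFRAMEs.
SUSPECT_NET = ipaddress.ip_network("85.234.190.0/23")

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def host_in_suspect_net(url):
    """True when the URL's host is an IP literal inside SUSPECT_NET."""
    if url.startswith("//"):        # scheme-relative src
        url = "http:" + url
    elif "://" not in url:          # bare host/path
        url = "http://" + url
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        return ipaddress.ip_address(host) in SUSPECT_NET
    except ValueError:
        return False  # a hostname, not an IP literal; resolving it is out of scope here

def flag_injected_iframes(fragment):
    """Return the iframe src values in one creative that point into the suspect range."""
    parser = IframeCollector()
    parser.feed(fragment)
    return [src for src in parser.srcs if host_in_suspect_net(src)]

def scan_creatives(creatives):
    """Map creative name -> flagged iframe srcs, keeping only creatives with a hit."""
    return {name: hits for name, html in creatives.items()
            if (hits := flag_injected_iframes(html))}

# Constructed sample creatives (not real OpenX data); the "/frame" path is made up.
SAMPLE_CREATIVES = {
    "banner-clean": '<a href="http://ads.example.com/c"><img src="http://ads.example.com/b.gif"></a>',
    "banner-injected": ('<a href="http://ads.example.com/c"><img src="http://ads.example.com/b.gif"></a>'
                        '<iframe src="http://85.234.190.62/frame"></iframe>'),
}
```

Iframes whose src is a hostname rather than an IP literal are not flagged here; extending the check to resolved addresses would need a DNS lookup step.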