OpenX Malware Infection on WhoIsHostingThis.com


By Richard on August 18th, 2010 in Site News

We became aware of a malware infection affecting WhoIsHostingThis.com users a few hours ago.

Our ad server, OpenX, was compromised and used to serve malware for several hours today. The malicious code was removed within minutes of our team becoming aware of the issue.

The number of users we believe were at risk was low (c. 43 users) as a proportion of our traffic. Obviously we consider any risk to any of our users to be unacceptable.

The Good News

  • We are not aware of any confirmed infections as a result at the time of writing.
  • Visiting WhoIsHostingThis.com was not enough to infect your computer (more below).
  • The IP address serving malware (93.186.170.0) appears to have been already flagged by StopBadware.org by the time the infected code was served.
  • This means content from this IP address was automatically blocked for users of up-to-date web browsers.

The Bad News

We estimate that approximately 43 users were potentially at risk, since:

  • The infected code was served by our ad server for 2.5 to 3 hours (9.28am EDT onwards).
  • Around 500 users visited the site during this time.
  • 11% of our users use old browsers without malware blocking, like Internet Explorer 6.

Any of the 43 users using any regular computer security tool, like Sophos, would have been alerted to a security risk before an infection could take place.

Do I Now Have Malware?

It’s highly unlikely that you have contracted malware as a result of this attack. In order to be at risk, you would have to:

  1. Visit WhoIsHostingThis.com during the infection period.
  2. Use an old/vulnerable web browser.
  3. Agree to download a mysterious PDF/Java app.
  4. Run/open the mysterious PDF/Java app.

If you believe this may be the case, Sophos Labs have an explanation of how to clean up an infection. Furthermore, please contact us so we can update this post to help other users.

How Do I Know The Site Is Now Malware Free?

The Google Safe Browsing tool will verify that Who Is Hosting This does not pose a malware risk.

How to Block Malware Automatically

The best way to avoid malware infections is to use a web browser that has ‘anti-malware’ blocking built in, such as:

Even the latest version of Internet Explorer, version 8, includes malware detection as standard. Additionally, we strongly recommend:

  • Not disabling your browser's automatic malware detection tool.
  • Upgrading to the latest version of your web browser.
  • Running AdAware or a similar tool regularly.

How the OpenX Exploit Works

We were running version 2.81 of OpenX ad server. We’d missed an upgrade by mistake.

Unlike WordPress and other software we use, OpenX doesn’t warn you if you are not running the latest version.

A security vulnerability in OpenX 2.81 allows unauthorized users to edit your banner ad code. The attacker used this to add one line of code to each ad (the ‘Prepend’ settings, if you are an OpenX user).

The additional code looks very much like any regular ad served by OpenX:

This was visible only if you edited a banner ad’s ‘Advanced’ properties or happened to check the site’s HTML very closely.
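
One way to catch this kind of change without opening every banner by hand is to scan each banner's prepend and append fields for markup that loads content from hosts you don't expect. This is an added example, not code from the original post or from OpenX; the record layout (`bannerid`, `prepend`, `append`), the allowlist and the sample banners are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site expects its ad markup to load content from.
ALLOWED_HOSTS = {"ads.example.com", "cdn.example.com"}
# Tags (and the attribute) that make a browser fetch remote active content.
LOADER_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class LoaderFinder(HTMLParser):
    """Collects URLs an HTML fragment would load, and notes inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag not in LOADER_ATTRS:
            return
        url = dict(attrs).get(LOADER_ATTRS[tag])
        if url:
            self.urls.append(url)
        elif tag == "script":
            self.inline_script = True

def audit_banner(banner):
    """Return (bannerid, field, reason) for each suspicious prepend/append."""
    findings = []
    for field in ("prepend", "append"):
        finder = LoaderFinder()
        finder.feed(banner.get(field) or "")
        for url in finder.urls:
            host = urlparse(url).hostname  # None for site-relative URLs
            if host and host not in ALLOWED_HOSTS:
                findings.append((banner["bannerid"], field, f"loads from unlisted host {host}"))
        if finder.inline_script:
            findings.append((banner["bannerid"], field, "inline script, review by hand"))
    return findings

def audit_all(banners):
    return [f for b in banners for f in audit_banner(b)]

# Constructed sample rows; 203.0.113.7 is a documentation-range address.
SAMPLE_BANNERS = [
    {"bannerid": 1, "prepend": "", "append": ""},
    {"bannerid": 2, "prepend": '<script src="http://203.0.113.7/a.js"></script>', "append": ""},
    {"bannerid": 3, "prepend": "", "append": '<img src="https://cdn.example.com/p.gif">'},
    {"bannerid": 4, "prepend": '<script src="https://ads.example.com/t.js"></script>',
     "append": "<script>var x = 1;</script>"},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_BANNERS):
        print(finding)
```

Run on a schedule against an export of the banner records, any finding on a banner that previously had empty prepend and append fields is worth investigating immediately.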

Further Reading

Sophos Labs have a detailed blog post on the OpenX vulnerability. This Google search shows many other sites using OpenX that have been compromised, including:

Going Forwards

We immediately removed OpenX code from the live site. Over the coming days, we’ll be looking at alternative options for ad serving, such as the hosted version of OpenX or Google Ad Planner.

If you have any questions about this incident, you may contact me personally via our contact form.

Richard Kershaw
WhoIsHostingThis.com
