By now, most of you should be aware of the recent attack on the MetService website that hit in a very busy period and infected many visitors' computers. It was noticeable in the form of fake virus scanner alerts on the infected machines.
Everything that I have read so far explains what the trojan virus does (see this blog post) and the type of vulnerability:
We now know that the ad server was compromised by a malicious attack, through a vulnerability which allowed someone to upload a binary file into the database. This file contained JavaScript code which redirects the browser to a website which downloads malware files to the client machine.
What these sites don't tell us is which application on MetService's ad server was the one that got compromised, and how.
I decided to do a little poking around while sitting outside in the sun on a quiet Friday.
Firstly, I used the chrome debugger to find out details about their ad server.
Turns out the address is simply ads.metservice.com, with all the magical (PHP) delivery scripts living in ads.metservice.com/openx-2.6.3/www/delivery. Please turn off directory indexing, MetService developers (we really don't need to see this information).
From the folder name we can see that they are running 'openx-2.6.3'.
So a quick search on the web for exploits against this version of the 'OpenX' ad tool comes up with exploits-7883. This exploit works simply by requesting the following URL, which makes the server return the contents of /etc/passwd (the system account list; on any modern system the password hashes themselves live in /etc/shadow, which the web server user normally cannot read, but the file proves that arbitrary local files can be pulled out):
http://ads.metservice.com/openx/www/delivery/fc.php?MAX_type=%20../../../../../../../../../../../../../../../etc/passwd%00
This exploit is a mix of 'Poison Null Byte' and 'Local File Inclusion'. The `../` sequences in MAX_type walk out of the directory the script includes from and back up to the filesystem root (directory traversal leading to local file inclusion), and the trailing `%00` is the poison null byte: PHP versions before 5.3.4 passed the assembled filename to the C library as a NUL-terminated string, so whatever suffix the script appended after the parameter (typically `.php`) was silently discarded and `/etc/passwd` was opened as-is. Without the null byte the request would only ever resolve to `/etc/passwd.php`, which does not exist.
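To make the two halves of that bug concrete, here is a small Python model of the behaviour. It is an added example, not code from the original post and not OpenX's own `fc.php`: it assumes a script that builds `include(dir . '/' . $_GET['MAX_type'] . '.php')` under a hypothetical include directory, shows how a constructed payload of the same shape as the URL above resolves to `/etc/passwd` only when the null byte is present, puts a hardened resolver beside it, and finishes with a check you can run over your own access logs for the same signature. The log lines are constructed for the example, not real MetService traffic.

```python
# Added example (not from the original post, not OpenX code): a Python model of a
# PHP include() built from a request parameter, a hardened version, and a
# log check for the traversal + null-byte signature.
import re
from posixpath import join, normpath
from urllib.parse import unquote

# Assumed layout: the directory the script includes from and the suffix it appends.
INCLUDE_DIR = "/var/www/openx-2.6.3/www/delivery"
SUFFIX = ".php"


def resolve_legacy_include(max_type: str, include_dir: str = INCLUDE_DIR,
                           suffix: str = SUFFIX) -> str:
    """Model include($dir . '/' . $_GET['MAX_type'] . $suffix) on PHP < 5.3.4.

    The decoded parameter is concatenated with the suffix, but the resulting
    string is handed to the C library, which stops at the first NUL byte:
    everything after %00, the suffix included, is discarded (poison null byte).
    The ../ segments are resolved lexically here, which matches the file
    system closely enough for a payload that climbs all the way to the root.
    """
    decoded = unquote(max_type)                       # %00 -> "\x00", %2e -> "."
    path = (include_dir + "/" + decoded + suffix).split("\x00", 1)[0]
    return normpath(path)


SAFE_TYPE = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_hardened_include(max_type: str, include_dir: str = INCLUDE_DIR,
                             suffix: str = SUFFIX):
    """Hardened resolver: allow-list the parameter's characters (no '/', '.',
    '%' or NUL survives), then confirm the final path is still inside
    include_dir. Returns None for anything rejected."""
    decoded = unquote(max_type)
    if not SAFE_TYPE.match(decoded):
        return None
    path = normpath(join(include_dir, decoded + suffix))
    if not path.startswith(include_dir.rstrip("/") + "/"):
        return None
    return path


# Traversal in plain or URL-encoded form, or an encoded null byte.
TRAVERSAL = re.compile(r"(\.\./|\.\.%2f|%2e%2e)|%00", re.IGNORECASE)
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def flag_lfi_requests(log_lines):
    """Return (client, request-target) for Apache combined-format lines whose
    request target carries a traversal sequence or an encoded null byte."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if m and TRAVERSAL.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample data for the example (not real traffic).
PAYLOAD = "../../../../../../../../../../etc/passwd%00"
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2009:14:02:11 +1200] "GET /openx-2.6.3/www/delivery/fc.php?MAX_type=../../../../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '198.51.100.7 - - [10/Apr/2009:14:02:12 +1200] "GET /openx-2.6.3/www/delivery/fc.php?MAX_type=frame HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Apr/2009:14:02:13 +1200] "GET /openx-2.6.3/www/delivery/ajs.php?zoneid=3 HTTP/1.1" 200 2044',
]

if __name__ == "__main__":
    print(resolve_legacy_include("frame"))                      # .../delivery/frame.php
    print(resolve_legacy_include(PAYLOAD))                      # /etc/passwd
    print(resolve_legacy_include(PAYLOAD.replace("%00", "")))   # /etc/passwd.php (suffix survives)
    print(resolve_hardened_include(PAYLOAD))                    # None
    print(flag_lfi_requests(SAMPLE_LOG))                        # one hit, from 203.0.113.5
```

The third call is the point of the null byte: with `%00` removed the traversal still succeeds, but the appended `.php` turns the target into a file that does not exist. The hardened resolver rejects on character class first, so the containment check is belt-and-braces; on a live deployment the real fix is still to run a PHP build that refuses NUL in filenames and an OpenX release that no longer trusts the parameter. The log check is deliberately broad (it will also flag harmless `%00` typos), which is what you want when triaging a box you already suspect.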
This is most likely how the hacker forced their way through MetService's security, although there are more exploits in this list which are also possible. Or perhaps I am being too harsh and this was a zero-day exploit.
If we assume that it is the security vulnerability mentioned above, then this could have been avoided by keeping OpenX up to date with patches. On its own the bug only discloses files, but OpenX keeps its database credentials in a plain-text configuration file, so reading that file is an obvious route to the database write that MetService's statement describes.
MetService does not appear to be keeping their PHP scripts up to date if we go by the folder name. The OpenX website tells me that the latest version is '2.8.7' while it looks like they are still sitting on '2.6.3'. It does appear that another development team has fallen victim to a PHP application vulnerability.
But let's not forget that ultimately it was the hacker who initiated this attack on MetService's users.
Time for me to uninstall WordPress yet?