hxtp://ads.cigarweekly.com/www/delivery/afr.php?zoneid=1_target=_blank is being reported as infected/malware URL
I don’t know why - I scan it with VirusTotal and it comes up clean
Please tell me how to get this unblocked, or what’s causing the detection? It seems that even people not using Avast are being blocked from this URL - this is a private advertising server that I run that does NOT serve ‘open’ ads, only the ones we publish for our advertisers.
Well that can be done here: http://jsunpack.jeek.org/?report=b226d4d4301a7821a45bb94edd48735caab9b728
(visit with script blocking active and in a VM)
The location line in the header above has redirected the request to: htxp://ads.cigarweekly.com/www/admin/index.php
(conditional redirect)
Content after the < /html> tag should be considered suspicious. line 93 has been cleansed?
This should not be online: htxp://ads.cigarweekly.com/www/admin/index.php because of PHP exploit via iFrame…
Vulnerabilities for the PHP version used: http://www.cvedetails.com/version/136532/PHP-PHP-5.3.17.html
see: http://www.cvedetails.com/cve/CVE-2013-1635/
PHP does not validate the configuration directive soap.wsdl_cache_dir
before writing SOAP wsdl cache files to the filesystem. Thus an
attacker is able to write remote wsdl files to arbitrary locations
(CVE-2013-1635).
PHP allows the use of external entities while parsing SOAP wsdl
files which allows an attacker to read arbitrary files. If a web
application unserializes user-supplied data and tries to execute
any method of it, an attacker can send serialized SoapClient
object initialized in non-wsdl mode which will make PHP to parse
automatically remote XML-document specified in the location option
parameter (CVE-2013-1643).
User should update to 5.3.22 version which
is not vulnerable to these issues.
Polonus - thanks for that;
The server is running PHP:
PHP Version: 5.3.17
Web Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
WebServer to PHP interface: cgi-fcgi
The software running is OpenX - and I really need that to stay running until I can find a replacement!
This server is only running ads that I post - so how can it be vulnerable? Avast is scanning and warning on a ‘possibility’ rather than a factual infection…
This was the detected URL:
htxp://wxw.googlecodehosting.net/openx/js/zone_functions.js?cp=620
I discovered that, while it was not impacting my ad-server, that this was indeed suspect code that was inserted somehow into my data.
I’ve now removed it.
This code does not appear to be malicious unless you are using OpenX a certain way. Fortunately I was not doing what would be bad. My customers are safe - but please be advised!
Yes, it does seem that the googlecodehosting was somehow injected into one of my ad-zones.
Software has been upgraded and updated (including the PHP on the server itself), and now it’s been re-submitted for review to Google to have the malware alerts removed.
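
A check of the kind this thread points to, as an added example that is not part of any post: it flags script or iframe sources on hosts outside an allowlist and any content that follows the closing html tag. The zone names, the sample markup, the `injected.example` and `frames.example` hosts and the allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts the ad server is expected to load scripts/frames from (assumed allowlist).
ALLOWED_HOSTS = {"ads.cigarweekly.com"}

SRC_RE = re.compile(r'<(script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HTML_END_RE = re.compile(r'</\s*html\s*>', re.I)

# Constructed sample data: exported zone/banner markup keyed by a hypothetical name.
SAMPLE_ZONES = {
    "zone-1": '<iframe src="http://ads.cigarweekly.com/www/delivery/afr.php?zoneid=1"></iframe>',
    "zone-2": '<script src="http://injected.example/openx/js/zone_functions.js?cp=620"></script>',
    "page": '<html><body>ad</body></html><iframe src="//frames.example/x"></iframe>',
}

def external_hosts(markup, allowed=ALLOWED_HOSTS):
    """Return sorted hosts of script/iframe src values that are not allowlisted."""
    found = set()
    for _tag, src in SRC_RE.findall(markup):
        if src.startswith("//"):          # protocol-relative URL
            src = "http:" + src
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed:  # relative paths have no host and are skipped
            found.add(host)
    return sorted(found)

def trailing_content(markup):
    """Return whatever follows the last closing html tag, stripped of whitespace."""
    matches = list(HTML_END_RE.finditer(markup))
    return markup[matches[-1].end():].strip() if matches else ""

def audit(zones):
    """Map each suspicious entry to the unexpected hosts and trailing-content flag."""
    findings = {}
    for name, markup in zones.items():
        hosts = external_hosts(markup)
        tail = trailing_content(markup)
        if hosts or tail:
            findings[name] = {"hosts": hosts, "after_html": bool(tail)}
    return findings

if __name__ == "__main__":
    for name, result in audit(SAMPLE_ZONES).items():
        print(name, result)
```
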