Thursday, July 5, 2012

OpenX remove Trojan program HEUR:Trojan.Script.Iframer



So for the last few days I was dealing with a Trojan that had been injected into OpenX.

So here is my guide on how to remove it.

1. First of all, create a copy of the `banners` table, e.g. `banners_2` (so you have a backup if you need it).

2. Launch the query to remove the unwanted virus / trojan code snippets:

-- Blank all three HTML fields of every banner that carries one of the two injected markers
UPDATE `banners` SET `htmltemplate` = '', `htmlcache` = '', `append` = ''
WHERE 1
AND
(
`htmltemplate` LIKE '%BrowserDetect%' OR `htmltemplate` LIKE '%function hex2a(hex)%'
OR `htmlcache` LIKE '%BrowserDetect%' OR `htmlcache` LIKE '%function hex2a(hex)%'
OR `append` LIKE '%BrowserDetect%' OR `append` LIKE '%function hex2a(hex)%'
)

[EDIT]
Launch the same query for the `zones` table:
-- Same markers, only the `append` field exists here
UPDATE `zones` SET `append` = ''
WHERE 1
AND
(
`append` LIKE '%BrowserDetect%' OR `append` LIKE '%function hex2a(hex)%'
)

[EDIT end]

3. Update OpenX to the latest version (2.8.9 at the moment).

4. After you have updated your OpenX, launch the query from step 2 one more time.

5. At this stage you will need to clear the cache, or just wait for it to renew by itself. I didn't delete it, so I can't tell you anything about how to do it. If your OpenX is huge I don't recommend deleting it; better ask someone who knows something about "grep" (Google scan command?).
The cache lives in var/cache/

[EDIT]
6. After all this cleaning we still couldn't find the trojan itself, but banners and zones kept getting infected from time to time...
The solution for this was to limit the length of the `append` field to 10 characters. It has helped us for now...
[EDIT end]
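As an added check that is not part of the original post: a small Python script that builds a constructed stand-in for the `banners` and `zones` tables in SQLite, lists which rows and columns contain the two markers used in the queries above before anything is wiped, then applies the same blanking and confirms nothing matches afterwards. The `bannerid` / `zoneid` columns and the sample rows are assumptions for the demo, not the real OpenX schema.

```python
import sqlite3

# The two markers the post's queries use to recognise the injected code.
MARKERS = ("%BrowserDetect%", "%function hex2a(hex)%")
# Columns to inspect per table (column names as in the post's queries).
TABLES = {"banners": ("htmltemplate", "htmlcache", "append"),
          "zones": ("append",)}
# Assumed primary-key column names for the sample (not the real OpenX schema).
ID_COLUMN = {"banners": "bannerid", "zones": "zoneid"}


def build_sample_db():
    """In-memory stand-in for the OpenX tables with constructed rows:
    row 1 is a clean banner, rows 2/3 and zone 11 carry an injected marker."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE banners (bannerid INTEGER, htmltemplate TEXT, htmlcache TEXT, append TEXT);
        CREATE TABLE zones (zoneid INTEGER, append TEXT);
        INSERT INTO banners VALUES
          (1, '<a href="http://example.com"><img src="ad.gif"></a>', '', ''),
          (2, '<script>var BrowserDetect = {init:function(){}}</script>', '', ''),
          (3, '', '', '<script>function hex2a(hex){var s="";return s;}</script>');
        INSERT INTO zones VALUES (10, ''), (11, 'function hex2a(hex){}');
    """)
    return db


def find_infected(db):
    """Return (table, column, row id) for every field containing a marker.
    Run this before the UPDATE so you know exactly what will be blanked."""
    hits = []
    for table, cols in TABLES.items():
        idcol = ID_COLUMN[table]
        for col in cols:
            cond = " OR ".join(f"`{col}` LIKE ?" for _ in MARKERS)
            rows = db.execute(f"SELECT `{idcol}` FROM `{table}` WHERE {cond}", MARKERS)
            hits.extend((table, col, r[0]) for r in rows.fetchall())
    return hits


def clean(db):
    """Blank every inspected field of each marker-bearing row, exactly as the
    post's UPDATE queries do. Returns the number of rows changed."""
    changed = 0
    for table, cols in TABLES.items():
        setclause = ", ".join(f"`{c}` = ''" for c in cols)
        cond = " OR ".join(f"`{c}` LIKE ?" for c in cols for _ in MARKERS)
        params = [m for _ in cols for m in MARKERS]
        changed += db.execute(f"UPDATE `{table}` SET {setclause} WHERE {cond}", params).rowcount
    db.commit()
    return changed
```

Against a real MySQL instance the same LIKE conditions work unchanged; the point of `find_infected` is to review the list of hits (and keep the `banners_2` backup from step 1) before blanking whole rows.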

These are the steps we took, and a bit more..

I hope it helps you. Good luck, you will need it.

p.s. a bit more information can be found here:
http://www.openxconsultant.com/blog/2011/10/what-to-do-when-you-suspect-your-openx-system-has-been-hacked/