Yesterday proved to be a stressful day at SquareDigital HQ after it became apparent that our wesbites had been hacked.
We've decided to blog about this for two reasons: i) if you tried to visit our sites yesterday and encountered a warning, we want to reassure you that they're just fine ii) if you own a site and use the OpenX adserver, to ensure you are aware of a vulnerability with version 2.8.5.
So, what started out as a fairly normal day took a turn for the worse when we received notification that attempts to access some of our sites through Google's Chrome browser was resulting in a message warning users: "Visiting this site may harm your computer".
Not the most appealing of messsages to a potential visitor!
Fortunately, from here we were very quickly able to identify that the problem was associated with adverts on our site.
Unforuntately, we had to switch off every single one! Not a great thing for revenue but at least doing so meant the warning messages stopped and the immediate threat was contained.
Things took a slightly surreal turn when we were contacted by the Government's Computer Emergency Response Team to see whether we were aware of the problem, they themselves having been alerted to it by their colleagues in Germany.
The problem contained, we then set about finding out exactly what caused it. Given the lack of Twitter buzz surrounding the issue, it became apparent it wasn't - as the conspiracy theorists in the team had it - part of some wider attack on websites possibly brought about by anger over the treatment of WikiLeaks.
It was rather more mundane and localised; our efforts focused on our ad server and the adverts they were serving.
Eventually a bit of Googling turned up a known issue with OpenX.
From there we were able to upgrade from version 2.8.5 to 2.8.7 which closes off the vulnerability that was exploited.
This ensured the problem would not reoccur, but we still had to clear the malicious code from our database. At around 5pm, with now pretty much the whole day wasted, we found it and deleted every last bit of it.
All is now thankfully back to normal, and there don't appear to be any lasting implications.
You can check out our sites through Google's safebrowing diagnostic tool:
And while you're there, why not compare us with: