Most of you have probably received a “reported attack site” warning on their browser when visiting cinema5D during the weekend. Unfortunately it turns out that our system was infected with a virus by a hacker who used our platform to infiltrate our user’s systems. The hacker has come in through a vulnerability in one of our installed softwares.

Our Servers:

As I’m writing this our site is still flagged as serving bad code, but the system itself has been cleaned, we have removed the malicious code and updated to the latest release of the software in question. The warning messages will disappear as soon as google has rescanned our site (this hasn’t happened in more than 10 hours so far).
I have received and read reports that we are not the only site affected. For a detailed explanation of how we were infected scroll down.

Your Computer:

Here’s the good part:

The IP address serving malware (93.186.170.0) had already been flagged by StopBadware.org by the time the infected code was served. This means content from this IP address was automatically blocked for users of up-to-date web browsers.
Mac users don’t seem to be affected.
If you had a security tool, like Sophos, you would have been alerted to a security risk before an infection could have taken place.
It seems like you needed to click on a popup and install software to get infected

Here’s the shitty part:

Those users with old web browsers like Internet Explorers 6 on a PC didn’t get a “reported attack site” warning and might have been infected.
We have received word of some users having an infected PC after clicking a link that said “install the software to view the video”…

Do I Now Have Malware?

In order to be at risk, you would have to:

1. Use an old/vulnerable web browser.
2. Agree to download a PDF/Java app
3. Run/opened the PDF/Java app

If you believe this may be the case, Sophos Labs have an explanation of how to clean up an infection. Furthermore, please contact us so we can update this post to help other users.

How Do I Know cinema5D Is Now Malware Free?

The Google Safe Browsing tool will verify that cinema5D does not pose a malware risk hopefully within the next hours. You can check back there.

Sorry

We’re very sorry for any inconvenience this issue might have caused for you and for the unavailability of our resources. We will look for better security and regular updates of our software in the future. These weren’t fun days for cinema5D and we definitely have learned a lesson.

Apologies from the cinema5D home base in Austria,
if you have any questions about this incident you may contact me here
Sebastian Wöber

(cinema5D admin)

Details about the attack

We were running version 2.82 of OpenX ad server.

A security vulnerability in OpenX 2.82 allows unauthorized users to edit your banner ad code. The attacker used this to add one line of code to each ad (in the ‘Advanced’ tab, if you are an OpenX user).

The additional code looks very much like any regular ad served by OpenX:

This was visible only when you edited a banner ads ‘Advanced’ properties or happened to check the site’s HTML very closely.