openx
OpenX Source archive backdoored
The official OpenX Source 2.8.10 distribution archives were compromised for months, shipping a remote PHP code execution backdoor in the open-source ad server. The payload hid obfuscated PHP inside flowplayer-3.1.1.min.js, while modified delivery code invoked it through MAX_commonReadFile and require_once. Compromised ad servers could be taken over and then used for malvertising, phishing, or drive-by download campaigns against site visitors.
- Date: 2012-11-01 to 2013-08-08
- Category: Open Source
- Target Surface: Distribution
- Insertion Phase: distribution
- Impact: Backdoor
- Cause: Compromised Infrastructure
What Was Affected
- Package: openx
- Language: PHP
- Component: Application
- Artifact type: source archive
- Domain type: project download host
- Domain: openx.com
Compromised Versions
- OpenX Source 2.8.10
Incident Context
- Motive: Financial Gain
- Attribution: Cybercriminal Gang
- Transitive: No
- Observed Duration: 280 days
Evidence
Compromised Artifacts
- openx.org/download/openx-source-2.8.10.zip
- openx.org/download/openx-source-2.8.10.tar.gz
- openx.org/download/openx-source-2.8.10.tar.bz2
- web.archive.org/web/20131201000000*/http://www.openx.org/download/openx-source-2.8.10.zip
Indicators and Changes
Hashes
- md5:3cf59a7b8996dcc52370cf918f248ee4
- md5:558c80e601fb996e5f6bbc99a9ee0051
- md5:fa4991d5fd3bf4a947b6ab0b15ce10b2
- md5:5014c31b479094c0b32221ae1f1473ac
- md5:6b3459f16238aa717f379565650cb0cf
Source Data
Source record: oss/attacks/openx/meta.yaml