Open Source · 2012-11-01 · 280 days · Backdoor, Remote Code Execution

OpenX Source archive backdoored

The official OpenX Source 2.8.10 distribution archives were compromised for months, shipping a remote PHP code execution backdoor in the open-source ad server.

Story

OpenX sat between publishers, advertisers, and every visitor who loaded an ad slot. In 2013, heise Security found that official OpenX Source 2.8.10 downloads from the project server contained a hidden PHP execution path. The compromised ZIP, tar.gz, and tar.bz2 archives came from the trusted download channel.

The attacker hid PHP inside flowplayer-3.1.1.min.js, a JavaScript file nested under the video ads plugin. OpenX delivery code then read that file through MAX_commonReadFile and reached it through require_once, turning an innocuous-looking asset into server-side code. Rapid7 later described exploitation as a single request with a ROT13-encoded and reversed payload.

Heise reported that the backdoor appeared to have been present for almost a year and was already being used against ad servers. OpenX 2.8.10 was the current open-source release, so administrators who installed or refreshed the package during the window could inherit the backdoor as part of ordinary deployment.

Remediation required more than removing one line. Acunetix and other advisories recommended upgrading to OpenX 2.8.11 or later, auditing the server for prior compromise, rotating credentials and API keys, and considering a clean reinstall if exploitation evidence existed. A compromised ad server could also deliver attacks to site visitors.
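The mechanism described above (server-side code hidden in a file whose name says "JavaScript", shipped inside an otherwise legitimate archive) and the audit step recommended in the advisories both come down to checks a deployer can run before trusting a downloaded package. The script below is an added example written for this record, not OpenX project code or anything from the original advisories: it compares an archive's MD5 against the compromised-archive digests listed on this page and then walks the archive looking for PHP open tags inside members that should never contain PHP. The sample archive it builds is constructed in memory, the directory layout and the planted marker are invented for the demonstration (the real plugin path is not given on this page and the marker is a harmless echo, not the backdoor), so the only values taken from the record are the three hashes.

```python
"""Audit a distribution archive for hidden PHP and known-bad digests.

Added example for this incident record; not OpenX code.  The archive layout
and the planted PHP marker below are constructed for the demonstration.
"""
import hashlib
import io
import re
import tarfile

# Compromised OpenX 2.8.10 archive digests as listed in this record.
KNOWN_BAD_MD5 = {
    "3cf59a7b8996dcc52370cf918f248ee4",
    "558c80e601fb996e5f6bbc99a9ee0051",
    "fa4991d5fd3bf4a947b6ab0b15ce10b2",
}

# Members with these extensions are static assets; a PHP open tag inside one
# means the file can become server-side code if anything ever require()s it.
ASSET_EXTENSIONS = (".js", ".css", ".html", ".txt", ".png", ".gif", ".jpg", ".swf")

# Full and echo open tags.  The bare "<?" short tag is deliberately excluded
# so XML declarations in asset files do not trigger false positives.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")


def archive_md5(data: bytes) -> str:
    """Hex MD5 of the whole archive, for comparison with published digests."""
    return hashlib.md5(data).hexdigest()


def is_known_bad(data: bytes) -> bool:
    """True when the archive digest matches a listed compromised archive."""
    return archive_md5(data) in KNOWN_BAD_MD5


def scan_archive(data: bytes) -> list:
    """Return one finding per asset member that carries a PHP open tag.

    Each finding records the member name, the byte offset of the first tag
    and the tag text, so an auditor can open the file at that spot.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if not member.name.lower().endswith(ASSET_EXTENSIONS):
                continue
            body = tar.extractfile(member).read()
            match = PHP_OPEN_TAG.search(body)
            if match is not None:
                findings.append({
                    "member": member.name,
                    "offset": match.start(),
                    "tag": match.group(0).decode("ascii"),
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed tar.gz: two clean files plus one JS asset with a planted
    PHP open tag.  Paths are placeholders, not the real OpenX tree."""
    files = {
        "openx-2.8.10/lib/ordinary.php": b"<?php\n// ordinary PHP source\n",
        "openx-2.8.10/plugins/video-plugin-placeholder/player.min.js":
            b"(function(){var a=1;})();",
        "openx-2.8.10/plugins/video-plugin-placeholder/flowplayer-3.1.1.min.js":
            b"(function(){})();\n<?php echo 'constructed-marker'; ?>\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(body)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("archive md5:", archive_md5(sample), "known-bad:", is_known_bad(sample))
    for finding in scan_archive(sample):
        print(f"PHP tag {finding['tag']!r} at byte {finding['offset']} "
              f"in {finding['member']}")
```

Run it against a real download by replacing the sample with `open(path, "rb").read()`. The digest check only catches archives already on a published list; the tag scan is the part that would have flagged the 2.8.10 archives on the day they were swapped, and it is cheap enough to run in a CI step that gates every deployment of a third-party package.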

Affected Artifacts

openx

· openx.com · Source Archive
Observed
2012-11-01 to 2013-08-08
Compromised Versions
Fixed
2.8.11
Hashes
  • md5:3cf59a7b8996dcc52370cf918f248ee4
  • md5:558c80e601fb996e5f6bbc99a9ee0051
  • md5:fa4991d5fd3bf4a947b6ab0b15ce10b2
  • +2 more

  • Heise reported that the compromised official downloads covered the ZIP, tgz, and tbz2 archives and that the backdoor appeared to have been present for almost a year.
  • Acunetix recommends upgrading to OpenX 2.8.11 or later and auditing for prior unauthorized access before trusting an in-place upgrade.

Incident Context

Motive
Financial Gain
Attribution
Group
Cause
Compromised Infrastructure
Transitive
No
Actor
Cybercriminal Gang

External References

Source record: oss/attacks/openx/meta.yaml