OpenX Advertising Network hacked and backdoor Injected

2013-08-07T06:07:00
ID THN:DB37DFCB1F1905997C3B5687ECC24178
Type thn
Reporter Mohit Kumar
Modified 2013-08-09T17:39:36

Description

OpenX, a leading provider of digital and mobile advertising technology, has served downloads with a backdoor injected into the code, which allows hackers to take control of your web server.

German tech site Heise notified Germany's computer emergency response team (CERT) this week about the OpenX Ad Server (2.8.10) backdoor, which allows an attacker to execute any PHP code via the "eval" function and could have provided attackers full access to affected web sites.
The OpenX team has confirmed the breach and OpenX senior application security engineer Nick Soracco said that two files in the binary distribution of 2.8.10 had been replaced with modified files that contained a remote code execution vulnerability.

The attack code is written in PHP but is hidden in a JavaScript file that is part of a video player plugin (vastServeVideoPlayer) in the OpenX distribution.

This vulnerability only applies to the free downloadable open source product, OpenX Source. It’s important to note that all of OpenX’s main suite of products, including OpenX Enterprise (ad serving), OpenX Market (exchange) and OpenX Lift (SSP) are not affected.

Server administrators can find out if they are running the OpenX version that contains the backdoor by searching for PHP tags inside .js files. Researchers from Sucuri provide a simple command for this:

> $ grep -r --include "*.js" '<?php' DIRECTORYWHEREYOURSITEIS
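
The same check as a reusable function, as an added example (not code from Sucuri, OpenX or the original article): it also matches `.JS` and `<?PHP`, prints only `file:line:tag` so a minified one-line file stays readable, and returns a status usable from cron or CI. The function names and the sample tree are constructed, and `-o`/`-H`/`-iname` assume GNU or BSD grep and find.

```shell
#!/bin/sh
# Added example: report PHP opening tags found inside JavaScript files.
# Exit status: 0 = nothing found, 1 = at least one hit, 2 = bad argument.

scan_js_for_php() {
    scan_dir=$1
    if [ ! -d "$scan_dir" ]; then
        echo "not a directory: $scan_dir" >&2
        return 2
    fi
    # -iname : also catches .JS / .Js
    # -F -i  : fixed string, so '?' is literal, and <?PHP is matched too
    # -o -n  : print only the tag plus its line number, not the whole line
    # '|| true' keeps 'set -e' callers alive when grep matches nothing
    scan_hits=$(find "$scan_dir" -type f -iname '*.js' \
                    -exec grep -H -n -o -i -F -e '<?php' {} +) || true
    if [ -z "$scan_hits" ]; then
        return 0
    fi
    printf '%s\n' "$scan_hits"
    return 1
}

# Constructed sample tree: one clean script, one script carrying a PHP tag
# (a harmless comment, no payload), and a real .php file that must be ignored.
make_demo_tree() {
    mkdir -p "$1/plugins" "$1/www"
    printf 'var player = {};\n' > "$1/www/clean.js"
    printf 'var a = 1;\nvar b = 2; <?php /* constructed marker */ ?>\n' \
        > "$1/plugins/player.JS"
    printf '<?php echo 1; ?>\n' > "$1/www/index.php"
}

demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
scan_js_for_php "$demo_dir" || echo "PHP tag inside a .js file: inspect the files listed above"
rm -rf "$demo_dir"
```

A hit means the file needs manual inspection and comparison against a trusted copy of the release; a clean result only says that no `<?php` tag sits in a `.js` file.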

This is not the first time OpenX.org has been hacked. Last year, in March 2012, it was hacked and served malware to users.

OpenX has now released OpenX Source v2.8.11, which according to Soracco is a mandatory upgrade for all users of 2.8.10 that should be applied immediately.