OpenX ad server found to have 7 month old mass compromise

scv

Massive Nerd
Verified Provider
Javascript has nothing to do with this though. The backdoor was inlined PHP code.

The package is unpacked apparently in a normal installation. On the server being analyzed, the burglars used the back door to a PHP shell in /www/images/debugs.php store, then they had full access to the server. Their entries in the log file ultimately led to the discovery.
If you look at an exploit for the vulnerability[1] you can see the issue is triggered through another script that apparently calls include() to deliver static content instead of file_get_contents (a pretty big issue in its own right). This inlined PHP code is then executed and presumably allows the attacker to run arbitrary PHP code or system commands. Disclaimer: I haven't actually looked at the backdoor, this is just what I gathered from reading about the issue.

[1] http://packetstorm.foofus.com/1308-exploits/openx_backdoor_php.rb.txt
 

wlanboy

Content Contributer
Yup, just another "because they did not know what a function is doing" security hole...
 
Top