OpenX ad servers “pre-compromised” – official distro contained remote code backdoor

You don’t always have to break into someone’s web server to get them to deliver your malware for you.

You may be able to implant malware onto a site from which your victim fetches third-party content, and thus serve up your malware one step removed.

You compromise the third party’s servers; they pass on the compromise to their customers; and those customers pass the compromised files onto users as they browse.

As you can probably imagine, ad servers are a prime target for this sort of indirect compromise: their whole purpose is to take content they didn’t originate themselves and to push it out as widely as they can.

→ Malware foisted on you by an ad server can also be harder to track down and analyse because ads on a site are deliberately varied from visitor to visitor, and from visit to visit. So a URL reported as malicious by a user might have no (or different) malware when visited again later.

We’ve written regularly about this problem over the years, and the freebie ad server OpenX has popped up in the saga on numerous occasions.

Like running a self-hosted blog site, operating your own ad server is not an undertaking to be entered into lightly, not least because you represent potentially serious ill-gotten profits to a Malware-as-a-Service cybercrook.

So it was no surprise to see the Federal Office of Information Security in Germany (BSI, or Bundesamt für Sicherheit in der Informationstechnik), pushing out warnings about poisoned online adverts in January and in April 2013.

Once again, the BSI pointed the finger at OpenX installations:

In the past few days, online criminals have again carried out large-scale compromises of OpenX servers delivering advertising banners. The BSI already warned about this problem in January of this year.

Then, two days ago, the BSI issued another press release on this topic that may help to explain the prevalence of OpenX in reports about poisoned ads:

The BSI is reporting a backdoor in the current version of (2.8.10) of the OpenX ad server...The backdoor gives an attacker remote code execution of PHP programs.

If fact, it looks as though the Trojanised content was hidden in the OpenX distribution back in November 2012, ten months ago.

Update: OpenX emailed us at 2013-08-07T22:12Z to say that 2.8.11 is out, fixing the problem. Details of how to see if you were affected are on the OpenX forum.

What the Trojanised content looks like

I don’t have a complete set of malicious files to show you – happily, 2.8.10 has been pulled from the OpenX download site.

But the core of the attack code is written in PHP and buried, rather unusually, in a JavaScript file that is part of a video player plugin (vastServeVideoPlayer) in the OpenX distribution:

PHP and JavaScript don’t usually mix.

JavaScript is delivered to your browser and executed there in order to adjust the look and feel of web pages; PHP is processed on the web server, where it generates web content before it is served.

In this case, the JavaScript you see inside the PHP code fragment above is just there as a visual disguise, consisting entirely of comments that are ignored anyway.

With the comments chopped out, the PHP remaining reads like this:

And this boils down to a short but bitter payload:

This takes anything that attacker posts, via a form field called vastPlayer, reverses it, rot13s it [*], and finally submits it to the PHP engine for execution via the eval() function.


This implies that an OpenX server installed from the compromised 2.8.10 sources may very well have been pre-owned, ready for cybcercrooks to wade in and take over as soon as you made it live.

OpenX doesn’t seem to have made any public announcement so far; indeed, the 2.8.10 version is still listed as the current official download from the OpenX servers:

However, as mentioned above, the files have been removed:

Suggestions for mitigation

In you are using OpenX, you can look for evidence of this compromise, or anything orchestrated similarly, by searching through the JavaScript files in your OpenX installation directory for embedded PHP code.

Since embedded PHP code appears between the delimiters <?php and ?>, looking for the opening delimiter is a good start:

$ grep -i '<\?php' $(find /your/openx/tree -name '*.js')

If you have 2.8.10, reports are (and the infected file I received suggests this) that the malicious PHP remote code execution fragment is in a file named:


This file was unchanged from OpenX 2.8.9, so you can replace it from the 2.8.9 download if you like.

(The vastServeVideoPlayer is found inside the file in the etc/plugins directory.)

What next?

I hope this helps, and I hope even more that OpenX comes up soon with some official statements that will help OpenX users determine whether they were affected by this hole.

Sophos Anti-Virus on all platforms detects and blocks this malware as Troj/PHP-M.