Backdoor in current download packages of OpenX-2.8.10

By accident we stumbled across what seems to be a backdoor in the download archives (.zip, .bz2, .tgz) of the current version of the OpenX software. It allows arbitrary PHP code to be executed remotely. The problem is currently being exploited in the wild.

This is critical and needs immediate reaction.

If you’re the admin of an OpenX ad server, you can verify whether your installation contains the backdoor:

find . -name \*.js -exec grep -l '<?php' {} \;

If the command prints a file, that file contains the infected code:

this.each(function(){l=flashembed(this,k,j)} {jQuery.tools=jQuery.tools||{version:
{}};jQuery.tools.version.flashembed='1.0.2';
*/$j='ex'./**/'plode'; /* if(this.className ...

In combination, another part of the manipulated code loads this file with require_once() instead of file_get_contents(), so the PHP embedded in the .js file is executed on the server rather than being served to the browser as plain JavaScript.
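The two checks described above, as an added example that is not part of the original advisory: a small POSIX shell script that reports JavaScript files containing a PHP open tag and PHP files that include a .js file via require_once()/include(). The fixture directory, file names and file contents it builds are constructed for illustration and are not OpenX's actual plugin layout.

```shell
#!/bin/sh
# Added example, not from the original advisory. Scans a web root for the
# two halves of the backdoor the text describes: JavaScript files that
# carry a PHP open tag, and PHP files that require_once()/include() a
# .js file (which makes PHP execute the embedded code).

# Print every .js file under $1 that contains a PHP open tag.
scan_js_for_php() {
    find "$1" -type f -name '*.js' -exec grep -l '<?php' {} \; 2>/dev/null
}

# Print every .php file under $1 that includes a .js file through
# require, require_once, include or include_once.
scan_php_including_js() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE '(require|include)(_once)?[[:space:]]*\(?[^;]*\.js' {} \; 2>/dev/null
}

# Build a constructed fixture (hypothetical paths and contents): one clean
# JS file, one JS file with embedded PHP, and one PHP loader that
# require_once()s it. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/plugins/example_plugin/js"
    printf '%s\n' 'var clean = 1;' \
        > "$dir/plugins/example_plugin/js/clean.js"
    printf '%s\n' '/* jQuery.tools */ <?php $j="ex"./**/"plode"; ?>' \
        > "$dir/plugins/example_plugin/js/example-infected.js"
    printf '%s\n' '<?php require_once(dirname(__FILE__) . "/js/example-infected.js"); ?>' \
        > "$dir/plugins/example_plugin/example-loader.php"
    echo "$dir"
}

# Usage: sh scan.sh /path/to/openx  (runs both scans on a real web root)
if [ $# -gt 0 ]; then
    echo "JS files containing PHP open tags:"
    scan_js_for_php "$1"
    echo "PHP files including a .js file:"
    scan_php_including_js "$1"
fi
```

Any file reported by either scan deserves a manual look; a .js file that legitimately contains the string `<?php` is rare, and a PHP loader that includes a .js file is the pattern that turns the first finding into remote code execution.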

If you’re not serving videos, you can get rid of the infected plugin by deleting the openXVideoAds plugin.

For the German version see: http://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html

Update: The OpenX security team has removed the infected packages and is working on an advisory.