Linux Ubuntu

Warning: OpenX Ad Server contains a back door

Linux News, created by Jörgen Halex, Tue, August 06, 2013 20:13:47

The current version of the OpenX Ad Server software contains a backdoor through which an attacker can inject and execute arbitrary PHP code on the server. The previously unknown backdoor code is present in the download package of the current version, OpenX 2.10, and is being used in ongoing attacks.
OpenX is open source software for delivering advertising. During a "routine check" of an ad server, heise Security reader Heiko Weber discovered strange log entries; analyzing them led to the discovery of a backdoor in the OpenX source code. He informed heise Security; we were able to reproduce his observations and reported the situation to the OpenX team's security contact on Monday morning. So far there has been no response. CERT-Bund, which heise Security also informed, stated that it can confirm the presence of the backdoor.
The backdoor is present in the download archives on the OpenX server, including the tgz and the bz2 version. It is not yet known which other versions may be affected, nor how the code got there. However, the backdoor is already present in a download from November 2012, so it must have gone unnoticed online for at least three quarters of a year.
Anyone who administers an OpenX server can track down the backdoor code with the following command:
find . -name \*.js -exec grep -l '<?php' {} \;
If it reports a file name, that file is a JavaScript file containing obfuscated PHP code interspersed with comments:
this.each(function(){l=flashembed(this,k,j)}<?php /*if(s)
{ = || {version:
{}}; = '1.0.2';
. */ $J='ex' /**/ 'plode' /* if(this.className ...
The file is activated by a call to require_once(), which can be triggered from outside with the exact URL. It is contained in a zip archive dated 12.9.2012:
md5: 6b3459f16238aa717f379565650cb0cf
The package is apparently unpacked during a normal installation. On the server that was analyzed, the intruders used the backdoor to store a PHP shell in /www/images/debugs.php, after which they had full access to the server. Their entries in the log file ultimately led to the discovery.
Anyone who manages an affected server should take it offline immediately and carry out a detailed analysis of the log files. Once the OpenX team responds, we will publish more information.
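The find/grep check above, extended to the other two indicators the article names (the archive md5 and the debugs.php shell), as an added example that is not heise's or OpenX's code. The function name scan_openx and its output format are assumptions, and md5sum from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: report the indicators named in the article for one install tree.
BACKDOOR_ZIP_MD5='6b3459f16238aa717f379565650cb0cf'  # md5 quoted in the article

# scan_openx DIR: print one "kind<TAB>path" line per finding below DIR.
# (Function name and output format are assumptions of this example.)
scan_openx() {
    root=$1
    # 1. JavaScript files containing a PHP open tag (the article's find/grep check).
    find "$root" -type f -name '*.js' -exec grep -lF '<?php' {} + |
        while IFS= read -r f; do printf 'php-in-js\t%s\n' "$f"; done
    # 2. zip archives whose md5 equals the one given in the article.
    find "$root" -type f -name '*.zip' | while IFS= read -r f; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$sum" = "$BACKDOOR_ZIP_MD5" ]; then
            printf 'backdoor-zip\t%s\n' "$f"
        fi
    done
    # 3. The PHP shell the intruders stored as images/debugs.php.
    find "$root" -type f -path '*/images/debugs.php' |
        while IFS= read -r f; do printf 'php-shell\t%s\n' "$f"; done
    return 0
}
```

Run it as `scan_openx /path/to/openx` against a copy of the web root; an empty result only means these three indicators are absent, so the log review still applies.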
A few months ago, the BSI warned of massive attacks in which unknown parties attempted to infect the visitors of web pages with Trojans via the advertising displayed there. Many of the servers observed delivering the malicious advertising ran OpenX. A backdoor in the current version puts this in a new light.
Update 06/08/2013, 7:50: The OpenX security team has confirmed that it has removed the affected files from the server and is working on an official advisory.
