OpenX.org compromised and downloads injected with a backdoor - daviddede
http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html

======
alternize
the openx team unfortunately has a long history of not really caring about
bugs in their opensource offering.

a few years ago, i had to maintain an openx installation and found quite a few
critical bugs, for which i submitted patches to their then-active jira
bugtracking. as far as i know, the bugs are still in the "current" 2.8.10
release.

the opensource version was unofficially abandoned when the Enterprise editions
were announced - without really telling the users that they would not
maintain it anymore.

i'm not at all surprised about the new problems and their lack of
communication.

~~~
troni
I had a similar experience, briefly maintaining an OpenX install until one day
we had a security issue. Turns out that nobody had been applying software
updates and that software has lots of problems with it. I spent a week getting
it up-to-date to be sure I had everything cleaned out from the hack.

At the end of the week I decided that the client wasn't allowed to run OpenX
anymore and we found a different solution that worked within their CMS. Fewer
bells and whistles, fewer problems.

------
tlongren
If you were using OpenX at one time and never removed it from your webserver,
you can consider yourself compromised. Get that shit removed.

~~~
daviddede
+1. Most of the compromises we find are due to old/test/never used/demo/debug
tools that were once installed and forgotten.

~~~
tlongren
Right. It's amazing how many companies have public-facing openx installs that
are no longer used or updated. Makes for an extremely easy target.

------
grey-area
I suspect this goes back longer than 7 months ago. I saw a customer site using
openx with constant unusually high CPU usage over 1 year ago. It was also
running a custom drupal and I didn't get a chance for a close look but I
suspect the openx was compromised, as even with low visitor numbers to drupal and
caching it was using high CPU constantly. Thank goodness the server has now
been replaced and the data migrated to another system... In the logs for
months after replacing the site I saw odd requests for long openx urls, so it
was probably serving up files for someone, and google had over 100,000 urls
indexed...

------
digitalzombie
I'm not surprised at all.

Their products are a bit shoddy and so is their website. I can go on and point
out even more problems with their websites... but that would be consulting.

I applied there and got shot down, it seems like they only hire people from
prestigious universities (caltech, stanford, etc..). This view is also backed by a
few reviews on indeed. They're very smart and create some very very unique
stuff (rolled their own db on top of riak, live auctions, erlang),
unfortunately all those awesome algorithms don't help their shoddy products.

------
riledhel
I understand the concerns brought up in this thread as I experienced some of
them myself in the past; but what good open source/free software can you
recommend to replace OpenX?

------
ziodave
OpenX downloads are not working on OpenX web site, e.g.
[http://download.openx.org/openx-2.8.10.zip](http://download.openx.org/openx-2.8.10.zip)

~~~
pan69
This seems to be the latest version:
[http://download.openx.org/openx-2.8.9.zip](http://download.openx.org/openx-2.8.9.zip)
with time stamp 2013-08-05T18:00:31.000Z.

------
wvh
How does PHP code inside a JS file get executed? Sounds to me like that's not
the only problem in the code...

~~~
daviddede
The .js file is actually included in one of their templates (using include()).
So the <?php code is executed at that point.
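
The mechanism above (a `.js` file pulled in through PHP's `include()`, so any `<?php` tag inside it runs) suggests two cheap checks for anyone auditing an old install. The scanner below is an added example and is not code from the Sucuri post, OpenX or anyone in this thread: it walks a directory tree, flags non-PHP files (`.js`, `.css`, images, ...) that contain a PHP open tag, and flags PHP files that include or require a file with a non-PHP extension. The directory layout, file names and contents it builds are constructed for the demonstration.

```python
"""Added example (not from the Sucuri post or this thread): flag PHP open tags
in non-PHP files and include()/require() calls that pull in such files.
All sample paths and contents below are constructed."""
import os
import re
import tempfile

# File types that should never carry PHP source.
NON_PHP_EXTS = {".js", ".css", ".html", ".txt", ".png", ".gif", ".jpg", ".ico"}
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")
# include/require family with a literal path argument. Deliberately loose:
# hits are meant to be reviewed by hand, not acted on automatically.
INCLUDE_CALL = re.compile(
    rb"\b(include|include_once|require|require_once)\s*\(?\s*['\"]([^'\"]+)['\"]"
)


def _rel(path, root):
    """Root-relative path with forward slashes so results compare portably."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def php_tags_in_non_php(root):
    """Return non-PHP files under root whose bytes contain a PHP open tag."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in NON_PHP_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if PHP_OPEN_TAG.search(fh.read()):
                    hits.append(_rel(path, root))
    return sorted(hits)


def includes_of_non_php(root):
    """Return (php_file, included_target) pairs where the target is not .php."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                for m in INCLUDE_CALL.finditer(fh.read()):
                    target = m.group(2).decode("utf-8", "replace")
                    if os.path.splitext(target)[1].lower() in NON_PHP_EXTS:
                        hits.append((_rel(path, root), target))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: a clean .js, a .js carrying a PHP tag, a template
    that include()s that .js, and a template that only requires PHP."""
    root = tempfile.mkdtemp(prefix="openx-scan-")
    samples = {
        "js/clean.js": b"function noop() { return 1; }\n",
        "js/vendor.js": b"var ver = 1;\n<?php /* constructed stand-in for injected code */ ?>\n",
        "templates/page.php": b"<?php include('../js/vendor.js'); ?>\n<html></html>\n",
        "templates/ok.php": b"<?php require_once 'lib.php'; ?>\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("PHP tags in non-PHP files:", php_tags_in_non_php(root))
    print("includes of non-PHP files:", includes_of_non_php(root))
```

Run it against a real web root instead of the constructed tree by passing that path to the two functions. Neither check proves compromise on its own (some projects legitimately template `.html` files through PHP), but a `.js` file that matches the first check and is also the target of the second is exactly the situation described in this thread and deserves a diff against a clean copy of the same release.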

~~~
mahmud
Why isn't the Javascript code in a PHP comment? That is the usual way of
"embedding" stringly-typed languages.

