OpenX Ad Server Exploits - How to remove one and protect yourself

A vulnerability from the inside

For the second time in 18 months one of the most popular sites my company manages was compromised via our ad serving platform OpenX. OpenX is a really good advertising management and delivery system that offers a self-hosted, free open source version which we have been using for around 5 years now to monetize a media site. Unfortunately OpenX has taken some poorly thought out and executed measures to attempt to monetize their open source version of the software which has introduced some major security flaws.


The way that the malware spreads is by using a database column called `append` or `prepend` to, you guessed it, append arbitrary code to the delivery of an advertisement. Once a site is infected itwill begin to serve up ads with malware attached to it. This can happen in several ways but usually comes in the form of an iframe containing malicious code or javascript attempting to download software or redirect the user to another website.

There are two primary ways your self-hosted installation can be exploited by OpenX:

1) OpenX Dashboard


By default, you are taken to an OpenX dashboard when you log into the system which displays a type of portal from OpenX. This dashboard which feeds information into your ad server has been responsible for the majority of the security exploits. When OpenX has their own environment compromised (which seems to happen kind of often), they are then capable of infecting remote installs by way of the skyscraper ad in the dashboard. When you log into the administration panel and visit the dashboard, you will be served up malicious code via OpenX's own skyscraper ad.

2) OpenX Market

OpenXMarket is a plugin (installed by default) which allows OpenX to use their advertiser inventory to serve 3rd party ads in your normal ad zones if you currently have an empty zone, or if you set a baseline CPM cost that it can beat. If OpenX has been exploited, they can serve your customers malware using the append attack described above.

Identifying and Removing an exploit

There are some telltale signs that your system has been compromised. If you see any of the following you're likely a victim of an exploit:

  • Your site is being flagged by Google as malicious

  • You're experiencing redirects, download attempts, or pop-ups on your site

  • You see a new OpenX user named openx-manager in the admin panel

To clean up your system, you'll need to take a few steps.

First, you'll want to delete any rogue users that have been created in your OpenX system. To do this, log into your admin panel, then set your Working as mode to "Administrator Account".


Next click on the Inventory menu, then Admin Access in the sidebar. If you see any users other than yourself (or accounts you know to be legit), delete them. Particularly any account named openx-manager. This is also a good time to update your password.

Next you want to check your server for any malicious content that may have been downloaded, or unwanted changes that have been made to the code. To do this, SSH into your linux server and navigate to your openx install path. use the "find" command to look for any modified files like so:

find /path/to/openx/www /path/to/openx/plugins -mtime -7

Remove any files that have unexpectedly been created or modified, paying special attention to any .php files. It's helpful to empty out the cache directory first.

Next, you need to remove the exploit from the database. Log into your MySQL admin tool, such as phpMyAdmin, and run the following queries:

SELECT prepend,append FROM banners where prepend != '' or append != '' 

SELECT prepend,append FROM zones where prepend != '' or append != ''

This will show you the zones which have been serving malicious code, unless of course you have been using those fields purposely. If any results are returned run the following query to eliminate the exploit:

UPDATE banners SET prepend = '', append = '' 

UPDATE zones SET prepend = '', append = ''

Finally, update your OpenX installation to the latest version to hopefully patch the vulnerability. Instructions for performing the update can be found at the OpenX site.

Protecting yourself from future exploits

If your system has not been affected, that's great. You should still follow these steps to protect yourself from being infected in the future.

First and most importantly, disable the OpenX dashboard. To do this, log into the admin panel and set your Working as mode to "Administrator Account". Click on the Configuration menu, then click on User Interface Settings. At the bottom of this page, uncheck the box next to Enable dashboard then press Save.


Next, do not use the OpenXMarket feature if you can avoid it. This will protect you from having OpenX serve malicious code to your visitors.

Next, lock down your configuration file to prevent unwanted changes. To do this, SSH into your server and navigate to /path/to/openx/var then execute the following command:

sudo chmod 755 thenameofyourserver.conf.php

To confirm that this worked, reload the configuration page in the admin panel. Everything should be grayed out and a message should appear saying the file is locked.

Finally, make sure you deleted the install.php file after you performed the software upgrade. SSH or FTP into your server and navigate to /path/to/openx/www/admin and look for a file named install.php. If it exists, delete it.


It's a shame that such a useful product is tarnished by these serious security flaws. System administrators know that it's hard enough to fend off attacks on your own products without having to deal with an attack from the inside. If you're already using self-hosted OpenX, be cautious. If you're not and are evaluating it, definitely take this into consideration.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon