My organization has recently undergone a security incident having to do with our OpenX server (we use version 2.8.7).
What we know:
1. The attacker most probably exploited an SQL injection vulnerability in axmlrpc.php as an entry point into our organization.
2. From there he went on to modify 2 files in /var/cache to contain malicious code in the "compiledlimitation" key. (This code created a web shell in the plugins directory).
3. Besides the shell created by the malicious files in /var/cache, he was also able to create another shell in the plugins directory. This is a publicly available shell, known to be used in the context of OpenX (https://www.badwarebusters.org/stories/show/19972), titled "Web Shell by oRb". We have no idea how it was created.
4. After a few days the attacker modified the contents of /openx/plugins/deliveryCacheStore/oxCacheFile/oxCacheFile.delivery.php to contain code that infects the OpenX cache in a way that creates another entry in /var/cache, which causes OpenX to serve malicious iframes to users. The attacker modified the oxCacheFile.delivery.php file to contain the code that can be found here: http://ninjafirewall.com/malware/?threat=2014-02-20.01
Our database and OpenX installations are on different servers.
We have no idea how the attacker was able to create the malicious files in /var/cache or how he was able to modify the contents of oxCacheFile.delivery.php.
Does anyone have experience with this type of attack vector?
Any help you can provide in understanding what happened would be greatly appreciated.
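As an added triage example (not from the original post and not OpenX's own code), the Python below pulls every "compiledlimitation" value out of PHP-serialized delivery cache files and flags the ones that call file-writing or code-decoding functions, since the post reports the planted code living in that key. The serialized layout, the MAX_checkSite_Pageurl form of a benign limitation and the function-name list are assumptions, and the sample cache content is constructed.

```python
import re
from pathlib import Path

# Calls a limitation expression would need in order to write files or run decoded code.
# Legitimate OpenX limitations are assumed to be boolean expressions over MAX_check* helpers,
# so any of these inside a compiledlimitation value is an indicator worth a manual look.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|file_put_contents|fopen|fwrite|"
    r"system|passthru|shell_exec|exec|create_function)\s*\(", re.I)

# PHP-serialized key followed by a serialized string value: s:18:"compiledlimitation";s:N:"
KEY_RE = re.compile(r's:18:"compiledlimitation";s:(\d+):"')

def find_compiled_limitations(text):
    """Yield every compiledlimitation value in a PHP-serialized blob, using the declared
    length so quotes or semicolons inside the value do not truncate it."""
    for m in KEY_RE.finditer(text):
        length = int(m.group(1))
        yield text[m.end():m.end() + length]

def scan_cache_text(text):
    """Return the compiledlimitation values that contain code-execution or file-write calls."""
    return [v for v in find_compiled_limitations(text) if SUSPICIOUS_CALLS.search(v)]

def scan_cache_dir(cache_dir):
    """Scan every file under var/cache; return {path: [suspicious values]} for files with hits."""
    findings = {}
    for path in Path(cache_dir).rglob("*"):
        if path.is_file():
            hits = scan_cache_text(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

def php_str(s):
    """Serialize an ASCII string the way PHP does; only used to build the constructed sample."""
    return 's:%d:"%s";' % (len(s), s)

# Constructed sample cache content: one benign limitation, one that drops a PHP file into plugins/.
BENIGN = "MAX_checkSite_Pageurl('example.com', '==')"
PLANTED = "file_put_contents('plugins/x.php', base64_decode('PD9waHA=')) || true"
SAMPLE_CACHE = ('a:2:{i:1;a:1:{' + php_str("compiledlimitation") + php_str(BENIGN) + '}'
                'i:2;a:1:{' + php_str("compiledlimitation") + php_str(PLANTED) + '}}')

if __name__ == "__main__":
    print(scan_cache_text(SAMPLE_CACHE))
```

Run scan_cache_dir() against a copy of the incident's var/cache directory rather than the live one. Comparing hashes of oxCacheFile.delivery.php and the plugins tree against a clean 2.8.7 install is the complementary check for the later modifications the post describes.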