Understanding how openx cache was compromised


I have a system that uses openx for serving banners. I have recently noticed that several cache files in /var/cache contain infected code. The code contains SQL queries that create several PHP files in the filesystem. These files are web shells that contain code that enables an attacker to execute operating system commands on the openx server. My problem is I have no idea how the cache is infected. I am ignorant as to how new files are created in the cache and how an attacker can control their content. Is anyone familiar with this situation or can point me in the right direction?

Ultimately I intend to upgrade my openx version, but as part of my forensics it is important for me to understand what the attacker's modus operandi was.
