Posts posted by eLiX

  1. Is there a default user with the username "maintenance" and the email address "support @ revive-adserver.com" with the user_id 999?

    Checking our database for a possible hack we found this user account and don't really know what this is, but I expect this user to be fake. date_created and date_last_login were both NULL.

  2. 15 hours ago, Erik Geurts said:

    Yes, when you perform an upgrade, any and all plugins in the previous version will be ported along to the upgraded version. This includes anything that a malicious user might have added or modified. If an ad server is compromised, it should be cleaned up first, and then upgraded.

    Ok, we made a second installation in a different folder with a blank Revive Adserver 3.2.4 and followed the instructions here: https://www.revive-adserver.com/support/upgrading/.

    In the old OpenX we removed the injected code from the ox_zones tables and a user with the userid 999 with admin rights named "Maintenance", and then we copied the database, because it seemed to be clean then. I followed the instructions from here: http://www.adserveropenx.com/how-to-remove-malware-or-injection-from-openx/

    Anything wrong in this procedure? I thought that would do the job.

    15 hours ago, Ian van Marwijk said:

    Be sure to check if there is not a file outside of your Revive folder which infects it again. Or maybe even a cronjob (I've seen it happen). Also be sure to .htaccess your /www/api and change the passwords of all users.

    Passwords were all changed, I'll .htaccess the api folder too now.

    I removed the file adxmlrpc.php from the root folder to "disable" XML-RPC - is there a better way to disable this than removing the file?

    Thanks for your hints and tips!

  3. 8 minutes ago, Ian van Marwijk said:

    I hope like every sane user who uses OpenX 2.8.7, he has upgraded to the latest Revive version...

    Sure, as I said before: We updated the system to the latest revive version :).

    6 hours ago, eLiX said:

    After being hacked in the old OpenX version 2.8.x we updated to the latest Revive version 3.2.4 and the compromised database has stayed clean since then.

    But the cache file hack is/was still active...

  4. 15 minutes ago, dJAX said:

    Elix,

    The Revive cache plug-in hack compromises the ad server. If you provide Revive login and server details, we will check whether they followed the security tips or not.

    Hello dJAX,

    thank you for your reply. Our sysadmin will not provide any login information to unknown people, sorry ;).

    Our admin area is protected by .htaccess.

    I am very interested in the attack vector of the scenario the topic owner posted, to prevent further modifications.

  5. I know that this is an old topic, but we are facing almost the same problem right now. After being hacked in the old OpenX version 2.8.x we updated to the latest Revive version 3.2.4 and the compromised database has stayed clean since then. But the hackers are now using the method described by the topic opener.

    I found malicious code in /plugins/deliveryCacheStore/oxCacheFile/oxCacheFile.delivery.php and a fake cache file under /var/cache/deliverycache_aaq22kik12944a6de781d37d3g0fd972nac6a9.php, which included a link to the hidden iframes that were injected for Internet Explorer. So I googled and found this: http://www.malekal.com/en-openx-hacks-example-malvertising/ which describes almost the same issue, but I don't know how to fix the entry point right now. Can anyone help?
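Two of the checks the posts above describe (a cache file that does not look like a real delivery cache file, and an unexpected admin user with NULL date_created/date_last_login) can be scripted. This is an added example, not code from the thread or from Revive Adserver; it assumes legitimate delivery cache files are named deliverycache_<32 hex chars>.php and runs on constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Assumption: legitimate Revive delivery cache files are deliverycache_<md5>.php
CACHE_NAME_RE = re.compile(r"^deliverycache_[0-9a-f]{32}\.php$")
IFRAME_RE = re.compile(r"<iframe", re.IGNORECASE)


def suspicious_cache_files(cache_dir):
    """Return (name, reasons) for cache files whose name or content looks injected."""
    findings = []
    for path in sorted(Path(cache_dir).glob("*.php")):
        reasons = []
        if not CACHE_NAME_RE.match(path.name):
            reasons.append("unexpected file name")   # e.g. non-hex characters
        if IFRAME_RE.search(path.read_text(errors="replace")):
            reasons.append("contains <iframe>")       # cache data should never hold markup
        if reasons:
            findings.append((path.name, reasons))
    return findings


def suspicious_admin_users(rows, known_admins):
    """Flag admin accounts that are not on the known list or have no creation/login record."""
    flagged = []
    for row in rows:
        if not row["is_admin"]:
            continue
        reasons = []
        if row["username"].lower() not in known_admins:
            reasons.append("not a known admin")
        if row["date_created"] is None or row["date_last_login"] is None:
            reasons.append("NULL date_created/date_last_login")
        if reasons:
            flagged.append((row["user_id"], row["username"], reasons))
    return flagged


# Constructed sample rows, modelled on the account described in the thread.
SAMPLE_USERS = [
    {"user_id": 1, "username": "admin", "is_admin": 1,
     "date_created": "2014-01-10", "date_last_login": "2015-11-02"},
    {"user_id": 999, "username": "maintenance", "is_admin": 1,
     "date_created": None, "date_last_login": None},
]


def demo():
    """Build a constructed cache dir with one clean and one fake file, then run both checks."""
    with tempfile.TemporaryDirectory() as cache:
        Path(cache, "deliverycache_" + "0" * 32 + ".php").write_text("<?php return array();")
        Path(cache, "deliverycache_aaq22kik12944a6de781d37d3g0fd972nac6a9.php").write_text(
            "<?php echo '<iframe src=\"http://example.invalid/\" style=\"display:none\"></iframe>';")
        return suspicious_cache_files(cache), suspicious_admin_users(SAMPLE_USERS, {"admin"})


if __name__ == "__main__":
    print(demo())
```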
