  1. At least we can help one another... this is what I'm trying to do by sharing my experience & findings (I wouldn't have done it without this forum otherwise).
  2. Tricky issue! While during any upgrade they could (should?) check that particular folder for php files (none should be there...) and alert users that the server was compromised. The course of action after is beyond their hands depending on what the hackers did. There is also no guarantee that they would catch all compromised servers -- the hackers would certainly rush to add more backdoors to the servers they have access to... Having a false sense of security is worse than knowing you are exposed 😞 😞 😞 T.
  3. Glad I could help! I did not find any other file. To spy on my hacker I did replace their file by one of my own that would capture their payload and allow me to understand what they were trying to do... The hacker tried to connect a few more times to my server last July then quit for a while. He made another attempt last January, I haven't heard back since. As I sadly cannot assume there isn't another backdoor left somewhere... 😞😞😞 I did set a cron job to check on the PREPEND fields every 5 minutes and alert me if something goes wrong (that's probably their favorite way of delivering
  4. Very late reply but I encountered the same issue... (I'm posting in case that may help someone else). The file in the images directory (with a similar kind of name) was used from time to time to load a shell on my server (which would be erased after the "work" was done). The hacker was free to directly connect to my DB and put its payload to the banners (Zone's PREPEND fields were loaded with malicious JavaScript) or do anything he/she wanted.
  5. Beware that they did not also leave a backdoor on your site... I just published a new topic on that subject. Once a hacker has access to your site like they could have with the security hole in 4.x their possibilities are endless. Check your www/images directory for php files. T.
  6. My previous 4.x install got compromised, some of my users were complaining about malware alerts and/or unwanted advertising (it was not all the time nor on all platforms, making the issue difficult to pinpoint). I thought cleaning the Revive DB and upgrading my Revive install would be enough to secure my site but sadly no, PREPEND payloads kept being added from time to time despite running the latest version of Revive. It took some hunting but I eventually discovered the hacker left a tiny PHP file in my Revive www/images directory. As I'm keeping that directory during upgrades, the se
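
An added example, not part of the original posts and not Revive's own code: a shell check for the advice in the posts above that no PHP file should exist in the Revive `www/images` directory. The function name `scan_images`, the extension list and the content heuristic are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum posts): flag PHP-looking files in an
# upload/images directory where none should exist.
# scan_images is a hypothetical helper name; the patterns are assumptions.

# scan_images DIR
#   prints one suspicious path per line
#   returns 0 = clean, 1 = hits found, 2 = DIR is not a directory
scan_images() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    hits=$(
        {
            # Names a PHP handler may execute, including double extensions
            # such as name.php.jpg.
            find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
                -o -iname '*.phtml' -o -iname '*.phar' \
                -o -iname '*.php.*' \) || true
            # Any file, whatever its name, containing a PHP open tag
            # (heuristic: short tags like "<?=" are not matched).
            find "$dir" -type f -exec grep -l -a -i -F '<?php' {} + || true
        } 2>/dev/null | sort -u
    )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone use: sh scan_images.sh /path/to/revive/www/images
if [ "$#" -gt 0 ]; then
    scan_images "$1"
fi
```

The non-zero exit status on a hit lets a cron job alert only when something is found.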
