Exploit in Revive Adserver?

[jerry2]

Is there any new exploit in Revive Adserver 3.2.4? Some script or something is putting prepend script to our ads and removing them few hours later. They log in in audit log as me, but the password is impossible to guess and the scripts are intact on the revive folder, server seem not to be compromised...

Any ideas?

Edited May 24, 2016 by Erik Geurts
Corrected product name spelling

[Ian]

Did you try changing your password ?

I'm not aware of a recent exploit.

[jerry2]

Yes today I canhged password. This logins started happening at the end of february, is it possible somebody exploited some old backdoor to get password? I'll see if it will happen again now, but I would like to know how they got my password in the first place. So was there some exploit before end of february that could get the attacker password?

I don't know what this JS iframes did, as I didn't get infected by browsing my website and I did that a lot...

[Ian]

I cannot tell you how they have gotten your password(s).

Those JS-iframes can be vicious, but you should be fine if you applied your browser patches/updates. The ones I have seen are mostly targeted on older IE versions.

[jerry2]

Thank you for your answer. Now they don't log in any longer..

[anshul123]

Are you hosting this adserver on https:// 

[andrewatfornax]

Just a reminder as well to anyone following - if you've upgraded from a version that was older, it's possible the instance was already compromised - simply upgrading doesn't mean that someone who already has access will now no longer have access. There are specific steps you'll need to take if you've been compromised.