jerry2 Posted May 19, 2016 (edited)
Is there any new exploit in Revive Adserver 3.2.4? Some script or something is putting a prepend script on our ads and removing it a few hours later. They log in in the audit log as me, but the password is impossible to guess and the scripts are intact in the revive folder; the server seems not to be compromised... Any ideas?
Edited May 24, 2016 by Erik Geurts: Corrected product name spelling
Ian Posted May 19, 2016
Did you try changing your password? I'm not aware of a recent exploit.
jerry2 Posted May 19, 2016
Yes, today I changed the password. These logins started happening at the end of February; is it possible somebody exploited some old backdoor to get the password? I'll see if it will happen again now, but I would like to know how they got my password in the first place. So was there some exploit before the end of February that could get the attacker the password? I don't know what these JS iframes did, as I didn't get infected by browsing my website, and I did that a lot...
Ian Posted May 19, 2016
I cannot tell you how they have gotten your password(s). Those JS-iframes can be vicious, but you should be fine if you applied your browser patches/updates. The ones I have seen are mostly targeted at older IE versions.
jerry2 Posted May 20, 2016
Thank you for your answer. Now they don't log in any longer..
anshul123 Posted May 21, 2016
Are you hosting this adserver on https://?
andrewatfornax Posted May 23, 2016
Just a reminder as well to anyone following - if you've upgraded from a version that was older, it's possible the instance was already compromised - simply upgrading doesn't mean that someone who already has access will now no longer have access. There are specific steps you'll need to take if you've been compromised.