Posted

Hi,

I am using Revive 4.0.0 (which I upgraded from OpenX a couple of weeks ago).

If I enter the admin backend of Revive and try to display a banner in one of the zones there (with the show banner function), then Kaspersky raises an alarm with HEUR:Trojan.Script.Generic for http://www.example.com/favicon.ico

Might it be possible that this is a Revive bug?

In terms of a potential security vulnerability I also checked the ox_banner and ox_zone for prepend/append modifications, but everything is normal there (no changes at all).

What can be the reason for that?

Tom

Posted

Hi @tom83,

Two possibilities that I can think of.

  1. Kaspersky is reporting a false positive; or
  2. Your old OpenX Source installation has been compromised, and there is something wrong.

To test, I would get a completely clean, new server, and install Revive Adserver from scratch. Set up some new zones and banners, and test displaying them. If you still get the warning, then I would say it's a false positive; if you get no warning, then chances are it's that your system has been compromised.

Posted

Hi andrew,

thanks for the reply.

Proposed Option 2 seems a little bit too heavy at this point in time, because prior to the update to Revive I was regularly in the backend of my old OpenX version and I never received such a Kaspersky alarm by showing a banner in the backend. There is also no Kaspersky warning when I run the ads on the frontend.

I also carefully checked all options under http://www.adserveropenx.com/how-to-remove-malware-or-injection-from-openx/ and found nothing. Only

Step – 5:

Sometimes a hacker has created a fake Administrator user via a backdoor in our files. You should check this one; if you find any fake user, you should remove it from your database. Check this with the query mentioned below.

SELECT u.user_id, u.contact_name, u.email_address, u.username FROM ox_users AS u, ox_account_user_assoc AS aua WHERE u.user_id=aua.user_id AND aua.account_id = (SELECT value FROM ox_application_variable WHERE name='admin_account_id');

was not working (maybe this is due to the new Revive version).

Are there no other possibilities? Why is there an alert in the context of the favicon.ico?

Thanks in advance again.

Tom

Posted

Hi @tom83 ,

What was the error with the SQL?

It might be worth asking Kaspersky why there is an alert in the context of the favicon.ico! I would hope that this is something that's easy for them to answer - I really don't have any idea about why Kaspersky would do this :-)

Posted

Hi andrew,

First of all, I did something wrong yesterday, and Step 4 of the manual was not working:

Step – 4:

Sometimes malware has been placed in the “details” field of the “ox_audit” table in your database. You can remove it with this MySQL query.

UPDATE ox_audit set details= '' where details like “%Check details filed in this table and placed the most occurring text in that field ,mostly frames%”;

I am receiving the following error message:

SQL Error (1064): You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version
for the right syntax to use near '%Check details filed in this
table and placed the most occurring text in that fi' at line 1 */

Secondly the Kaspersky alert shows up in all zones and banners when I try to open the preview banner in the backend and is always linked to favicon.ico.

Thanks again for your support.

Tom

  • 3 weeks later...
Posted

Dear all,

I would like to come back to this issue.

Is there anybody else using Revive 4.0.0 with Kaspersky who is getting this alert?

Once again, the Kaspersky alert is always the following:

- Object Name: HEUR.Trojan.Script.Generic

- Object: http://www.example.com/favicon.ico

It only occurs in the Administration-Backend when opening a preview of any banner in any zone.

Maybe this is also related to a script within the Revive source code which is wrongly interpreted by the virus protection?

Thanks for your feedback.

Tom

Posted
On 4/12/2017 at 7:12 AM, tom83 said:

SQL Error (1064): You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version
for the right syntax to use near '%Check details filed in this
table and placed the most occurring text in that fi' at line 1 */


Looks like the copy & paste has just turned the double quotes into non-ASCII double quotes. Try changing them to normal ASCII double quotes?

Posted
On 5.5.2017 at 3:06 AM, andrewatfornax said:

Looks like the copy & paste has just turned the double quotes into non-ASCII double quotes. Try changing them to normal ASCII double quotes?

I was just asking what the above-mentioned source code would look like with normal ASCII double quotes?

Tom

Posted

Just delete every double quote in the original source, and replace it with a typed double quote, in the SQL command line.

It will look exactly the same to the eye, probably, but will be different as far as the SQL engine is concerned.

Posted

...like this?:

UPDATE ox_audit set details= " where details like "Check details filed in this table and placed the most occurring text in that field ,mostly frames";

Thanks

Tom

Posted

Hi @tom83,

No, that looks like you have a double quote where there should be two single quotes, after the details=.

By the way, I'm not saying that running that SQL is a good idea - I have no idea if it will do what you're hoping. Or indeed, what you're hoping it will do either!
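As an added example (not from this thread, the linked guide, or Revive itself), a small Python helper that does what andrewatfornax describes: it lists the non-ASCII quote characters a copy and paste introduced into the pasted UPDATE statement, maps them back to the ASCII quotes MySQL expects, and checks that the quotes in the result pair up. The `%...%` text is kept as the guide's own placeholder; the sample statement is constructed from the thread.

```python
# Unicode "smart" quotes that browsers and word processors substitute for
# ASCII quotes, mapped back to the ASCII character MySQL's parser expects.
SMART_QUOTES = {
    "\u201c": '"', "\u201d": '"',   # left/right double quotation mark
    "\u2018": "'", "\u2019": "'",   # left/right single quotation mark
    "\u00ab": '"', "\u00bb": '"',   # guillemets, occasionally pasted as quotes
}


def find_non_ascii(sql: str) -> list:
    """Return (position, character) pairs for every non-ASCII character.

    This is what a 1064 error near a curly quote usually comes down to: the
    statement looks right on screen but contains bytes the parser rejects."""
    return [(i, ch) for i, ch in enumerate(sql) if ord(ch) > 127]


def normalize_quotes(sql: str) -> str:
    """Replace non-ASCII quote characters with their ASCII equivalents."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in sql)


def quotes_balanced(sql: str) -> bool:
    """True if every ' or " string literal opened in the statement is closed.

    A doubled '' (the SQL empty string, as in details= '') opens and closes
    immediately, so it counts as balanced."""
    in_quote = None
    for ch in sql:
        if in_quote is None and ch in ("'", '"'):
            in_quote = ch
        elif ch == in_quote:
            in_quote = None
    return in_quote is None


# Constructed sample: the guide's UPDATE as it arrives from a copy and paste,
# with U+201C / U+201D around the LIKE pattern instead of ASCII quotes.
PASTED_SQL = ("UPDATE ox_audit set details= '' where details like "
              "\u201c%Check details filed in this table and placed the most "
              "occurring text in that field ,mostly frames%\u201d;")

CLEAN_SQL = normalize_quotes(PASTED_SQL)

if __name__ == "__main__":
    print("non-ASCII characters found:", find_non_ascii(PASTED_SQL))
    print("normalized statement:", CLEAN_SQL)
    print("quotes balanced:", quotes_balanced(CLEAN_SQL))
```

MySQL accepts double-quoted string literals in its default sql_mode, so the normalized statement parses; the LIKE pattern itself still has to be replaced with the actual text found in the ox_audit details field before the query means anything.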
