tom83 Posted April 9, 2017
Hi, I am using Revive 4.0.0 (which I upgraded from OpenX a couple of weeks ago). If I enter the admin backend of Revive and try to display a banner in one of the zones there (with the show banner function), then Kaspersky raises an alarm with HEUR:Trojan.Script.Generic for http://www.example.com/favicon.ico. Might it be possible that this is a Revive bug? In terms of a potential security vulnerability I also checked the ox_banner and ox_zone for prepend/append modifications, but everything is normal there (no changes at all). What can be the reason for that? Tom
andrewatfornax Posted April 9, 2017
Hi @tom83, Two possibilities that I can think of:
1. Kaspersky is reporting a false positive; or
2. Your old OpenX Source installation has been compromised, and there is something wrong.
To test, I would get a completely clean, new server, and install Revive Adserver from scratch. Set up some new zones and banners, and test displaying them. If you still get the warning, then I would say it's a false positive; if you get no warning, then chances are it's that your system has been compromised.
tom83 Posted April 10, 2017
Hi andrew, thanks for the reply. Proposed Option 2 seems a little bit too heavy at this point in time, because prior to the update to Revive I was regularly in the backend of my old OpenX version and I never received such a Kaspersky alarm by showing a banner in the backend. There is also no Kaspersky warning when I run the ads on the frontend. I also checked carefully all options under http://www.adserveropenx.com/how-to-remove-malware-or-injection-from-openx/ and found nothing. Only Step 5:
"Sometimes a hacker has created a fake Administrator user via a backdoor in our files. You should check this one; if you find any fake user you should remove it from your database. Check this one with the query mentioned below."
    SELECT u.user_id, u.contact_name, u.email_address, u.username
    FROM ox_users AS u, ox_account_user_assoc AS aua
    WHERE u.user_id=aua.user_id
    AND aua.account_id = (SELECT value FROM ox_application_variable WHERE name='admin_account_id');
was not working (maybe this is due to the new Revive version). Are there no other possibilities? Why is there an alert in the context of the favicon.ico? Thanks in advance again. Tom
andrewatfornax Posted April 11, 2017
Hi @tom83, What was the error with the SQL? It might be worth asking Kaspersky why there is an alert in the context of the favicon.ico! I would hope that this is something that's easy for them to answer - I really don't have any idea about why Kaspersky would do this :-)
tom83 Posted April 11, 2017
Hi andrew, first of all I did something wrong yesterday, and it is Step 4 of the manual that was not working:
"Step 4: Sometimes malware has been placed in 'details' in the 'ox_audit' table in your database. You can remove this one with this MySQL query."
    UPDATE ox_audit set details= '' where details like “%Check details filed in this table and placed the most occurring text in that field ,mostly frames%”;
I am receiving the following error message:
    SQL Error (1064): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%Check details filed in this table and placed the most occurring text in that fi' at line 1 */
Secondly, the Kaspersky alert shows up in all zones and banners when I try to open the preview banner in the backend and is always linked to favicon.ico. Thanks again for your support. Tom
tom83 Posted May 2, 2017
Dear all, I would like to come back to this issue. Is there anybody else using Revive 4.0.0 with Kaspersky who is getting this alert? Once again, the Kaspersky alert is always the following:
- Object Name: HEUR.Trojan.Script.Generic
- Object: http://www.example.com/favicon.ico
It only occurs in the administration backend when opening a preview of any banner in any zone. Maybe this is also related to a script within the Revive source code, which is interpreted by the virus protection wrongly? Thanks for your feedback. Tom
andrewatfornax Posted May 5, 2017
On 4/12/2017 at 7:12 AM, tom83 said:
    SQL Error (1064): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%Check details filed in this table and placed the most occurring text in that fi' at line 1 */
Looks like the copy & paste has just turned the double quotes into non-ASCII double quotes. Try changing them to normal ASCII double quotes?
tom83 Posted May 6, 2017
...and how would this look? I have the description from: http://www.adserveropenx.com/how-to-remove-malware-or-injection-from-openx/ Thanks. Tom
andrewatfornax Posted May 8, 2017
Hi @tom83, Sorry, I am not sure what you are asking! (PS. The site you have listed isn't something the core Revive Adserver team manages, so I can't really comment on what's on it.)
tom83 Posted May 14, 2017
On 5.5.2017 at 3:06 AM, andrewatfornax said:
    Looks like the copy & paste has just turned the double quotes into non-ASCII double quotes. Try changing them to normal ASCII double quotes?
I was just asking how the above-mentioned source code would look in normal ASCII double quotes? Tom
andrewatfornax Posted May 14, 2017
Just delete every double quote in the original source, and replace it with a typed double quote, in the SQL command line. It will look exactly the same to the eye, probably, but will be different as far as the SQL engine is concerned.
tom83 Posted May 17, 2017
...like this?:
    UPDATE ox_audit set details= " where details like "Check details filed in this table and placed the most occurring text in that field ,mostly frames";
Thanks Tom
andrewatfornax Posted May 21, 2017
Hi @tom83, No, that looks like you have a double quote where there should be two single quotes, after the details=. By the way, I'm not saying that running that SQL is a good idea - I have no idea if it will do what you're hoping. Or indeed, what you're hoping it will do either!
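The two SQL statements in this thread (the admin-user listing from the April 10 post and the ox_audit cleanup whose typographic quotes cause the 1064 error discussed from May 5 onward) can be checked offline before anyone runs them against a live database. The script below is an added example written for this thread; it is not code from Revive Adserver, OpenX or the linked site. It flags non-ASCII quotation characters in a pasted statement, rewrites them to ASCII, and runs both statements against an in-memory SQLite database with a constructed four-table subset of the Revive schema (ox_users, ox_account_user_assoc, ox_application_variable, ox_audit) and made-up rows. Because standard SQL and SQLite only accept single-quoted string literals, the example maps the typographic double quotes to single quotes; MySQL also accepts ASCII double quotes by default, as the reply above suggests.

```python
import sqlite3
import unicodedata

# Quote characters that word processors and web pages substitute for ASCII quotes.
# MySQL and SQLite do not treat them as string delimiters, hence the 1064 syntax error.
TYPOGRAPHIC_QUOTES = {
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
    "\u201e": '"',  # double low-9 quotation mark
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
    "\u201a": "'",  # single low-9 quotation mark
}

# The cleanup statement as it was pasted in the thread, with U+201C/U+201D around the pattern
# (reconstructed here; the pattern text is the linked manual's placeholder, not a real indicator).
PASTED_UPDATE = (
    "UPDATE ox_audit set details= '' where details like "
    "\u201c%Check details filed in this table and placed the most occurring text "
    "in that field ,mostly frames%\u201d;"
)

# The admin-user check from the April 10 post, verbatim.
ADMIN_USERS_SQL = """
SELECT u.user_id, u.contact_name, u.email_address, u.username
FROM ox_users AS u, ox_account_user_assoc AS aua
WHERE u.user_id = aua.user_id
  AND aua.account_id = (SELECT value FROM ox_application_variable WHERE name = 'admin_account_id');
"""


def find_non_ascii_quotes(sql):
    """Return (offset, character, Unicode name) for every typographic quote in sql."""
    return [(i, ch, unicodedata.name(ch)) for i, ch in enumerate(sql) if ch in TYPOGRAPHIC_QUOTES]


def normalize_quotes(sql, double_as='"'):
    """Replace typographic quotes with ASCII ones; double_as chooses the ASCII form for U+201C-style quotes
    ('"' for MySQL's default mode, "'" for standard SQL / SQLite)."""
    out = []
    for ch in sql:
        ascii_form = TYPOGRAPHIC_QUOTES.get(ch, ch)
        out.append(double_as if ascii_form == '"' and ch in TYPOGRAPHIC_QUOTES else ascii_form)
    return "".join(out)


def build_demo_db():
    """In-memory SQLite database with a constructed subset of the Revive schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ox_users (user_id INTEGER, contact_name TEXT, email_address TEXT, username TEXT);
        CREATE TABLE ox_account_user_assoc (account_id INTEGER, user_id INTEGER);
        CREATE TABLE ox_application_variable (name TEXT, value TEXT);
        CREATE TABLE ox_audit (auditid INTEGER, details TEXT);
        INSERT INTO ox_application_variable VALUES ('admin_account_id', '1');
        INSERT INTO ox_users VALUES (1, 'Site Admin', 'admin@example.com', 'admin');
        INSERT INTO ox_users VALUES (2, 'Trafficker', 'ads@example.com', 'ads');
        INSERT INTO ox_users VALUES (3, 'unknown', 'someone@example.net', 'support2');
        INSERT INTO ox_account_user_assoc VALUES (1, 1);
        INSERT INTO ox_account_user_assoc VALUES (2, 2);
        INSERT INTO ox_account_user_assoc VALUES (1, 3);  -- constructed: a second login on the admin account
        INSERT INTO ox_audit VALUES (1, 'a:1:{s:4:"name";s:6:"Banner";}');
        INSERT INTO ox_audit VALUES (2, 'Check details filed in this table and placed the most occurring text in that field ,mostly frames');
    """)
    return conn


def list_admin_users(conn):
    """Usernames attached to the admin account; anything unexpected here deserves a look."""
    return sorted(row[3] for row in conn.execute(ADMIN_USERS_SQL))


def audit_rows_matching(conn, pattern):
    """Parameterised preview: how many ox_audit rows a LIKE pattern would touch before any UPDATE."""
    return conn.execute("SELECT COUNT(*) FROM ox_audit WHERE details LIKE ?", (pattern,)).fetchone()[0]


def execute_safely(conn, sql):
    """Run one statement; return (True, affected_rows) or (False, error_text) without raising."""
    try:
        return True, conn.execute(sql).rowcount
    except sqlite3.OperationalError as exc:
        return False, str(exc)


if __name__ == "__main__":
    db = build_demo_db()
    print("users on the admin account:", list_admin_users(db))
    for offset, ch, name in find_non_ascii_quotes(PASTED_UPDATE):
        print(f"offset {offset}: U+{ord(ch):04X} {name}")
    print("pasted statement:", execute_safely(db, PASTED_UPDATE))
    print("rows the cleanup would touch:", audit_rows_matching(db, "%Check details filed%"))
    print("normalized statement:", execute_safely(db, normalize_quotes(PASTED_UPDATE, double_as="'")))
```

The preview query is deliberately parameterised so the pattern never has to be spliced into the statement text; that is also the habit that avoids the quoting problem in the first place.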