Sascha
Posted May 1, 2020

Hello dear service team,

I run my own webserver with Revive version 4.13 and it seems to have been hacked in the last days or weeks.

https://blog.confiant.com/tag-barnakle-the-malvertiser-that-hacks-revive-ad-servers-redirects-victims-to-malware-50cdc57435b1

Unfortunately I don't have a backup of a version before the hack. Is there a possibility to restore my adserver by updating to the new version? Or is the attack so deep that I have to completely rebuild the server? Do you have a tip for me on how I can fix the current server and how I can then update to the latest version? Is the new version safe from this hack? I would also like to use the services of an experienced developer to solve the problem. I would be very happy about your help!

Many greetings!
Sascha

Ian
Posted May 1, 2020

If you have no backup ... of course you can't go back to a previous point in time. I'd advise you to start over on a fresh installation, or sign up at https://www.revive-adserver.net/

Sascha
Posted May 1, 2020

7 minutes ago, Ian vM said:
> If you have no backup ... of course you can't go back to a previous point in time. I'd advise you to start over on a fresh installation, or sign up at https://www.revive-adserver.net/

Hello, Ian, thanks for your answer! Do you know if this hack only compromises the files on the server or are the databases also affected? I might be able to recover the files.

Ian
Posted May 1, 2020

I'm sorry, I'm not familiar with it. But in most other cases I've seen, the database is compromised.

Sascha
Posted May 2, 2020

12 hours ago, Ian vM said:
> I'm sorry, I'm not familiar with it. But in most other cases I've seen, the database is compromised.

I did a little research. The hacker injected the malicious code into the "append" column in each zone under "rv_zones" in the database. The table "rv_banners" seems not to be affected. Additionally, there was a malicious PHP code under \www\delivery\ with the name "js.php". According to the virus scanner, a malicious code named "PHP.Filesman". With this the hackers probably have access to the website.
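
Added example (not part of the thread and not Revive project code): a read-only audit of the "append" column in "rv_zones" described in the post above, listing every zone with append code and flagging script tags and hosts outside an allowlist. The `zoneid` column name, the allowlist host, and the use of SQLite as a stand-in for the live database are assumptions; the sample rows are constructed.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Assumption: hosts you legitimately reference from zone append code.
ALLOWED_HOSTS = {"ads.example.org"}

URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""", re.I)
SCRIPT_RE = re.compile(r"<\s*script\b", re.I)

def audit_zone_appends(conn, table="rv_zones"):
    """Return one finding per zone whose append column is non-empty."""
    findings = []
    # Table name is operator-supplied (the prefix varies per install), never user input.
    # Assumption: the key column is called zoneid. On MySQL, quote `append` with backticks.
    rows = conn.execute(
        f'SELECT zoneid, "append" FROM {table} '
        "WHERE \"append\" IS NOT NULL AND TRIM(\"append\") <> '' ORDER BY zoneid"
    )
    for zoneid, code in rows:
        hosts = set()
        for url in URL_RE.findall(code):
            # Protocol-relative URLs (//host/path) need a scheme before parsing.
            full = url if url.lower().startswith("http") else "https:" + url
            host = urlparse(full).hostname
            if host:
                hosts.add(host.lower())
        findings.append({
            "zoneid": zoneid,
            "has_script": bool(SCRIPT_RE.search(code)),
            "unknown_hosts": sorted(hosts - ALLOWED_HOSTS),
        })
    return findings

def sample_db():
    """Constructed sample data; an in-memory SQLite table stands in for the live one."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE rv_zones (zoneid INTEGER, "append" TEXT)')
    conn.executemany("INSERT INTO rv_zones VALUES (?, ?)", [
        (1, ""),
        (2, '<img src="https://ads.example.org/pixel.gif">'),
        (3, '<script src="//cdn.unknown-host.example/x.js"></script>'),
    ])
    return conn

if __name__ == "__main__":
    for finding in audit_zone_appends(sample_db()):
        print(finding)
```

Run it against a copy or dump of the database rather than the live server, and review every listed zone by hand: a zone with no script tag and no unknown host still has append code that someone put there.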

andrewatfornax
Posted May 11, 2020

Links that may help:

https://www.reviveconsultant.com/articles/what-to-do-when-you-suspect-your-openx-source-system-has-been-hacked/
https://blog.avast.com/2014/01/13/how-to-clean-your-hacked-openx-server/