Jump to content

Avast Detecting Trojan In The Openx Delivery

Recommended Posts

Hi and HNY to all here!
If you have problems with AVAST blocking the banner deliveries as described here:

and here:

you must be aware that simply upgrading to revive 3.0.2 is not enough, because the malicious JS code is probably injected in your database before the upgrade (and the upgrade script obviously does not fix this).


I think revive team should explain how to remove the infection in a clear way!


Until then - that procedure worked for me:

1. Stop the ad-server
2. Remove all the files under /var/cache subfolder (some of them will contain the javascript code within)
3. The affected tables in mysql are named 'audit' and 'zones' (plus prefixes in front if you use them)
4. Open the admin panel and for each of the zones:
4.1. Click on the 'Advanced' tab and remove the malicious script from the prepend/append fields, then save the changes
4.2. For each of the zones, there would be a record in the 'audit' table containing the script in its 'details' field. Delete these records and you should be fine - Avast should stop complaining from now on.

Link to comment
Share on other sites

The audit table just contains an audit trail of what happened elsewhere in the application, there is no need to clean it. It is not used for ad delivery and is therefore invisible to a malware scanner.



To be honest - i have no idea what this table is used for - just found the code within and that is why i pointed it out.

But - the need Revive to explain how to resolve the problem still exist.

Link to comment
Share on other sites

I wouldn't have a better way to cleaning things up, but I have a pretty good way to avoiding such things.


One of the way we have been able to keep the bugs out of our DB is by only exposing the pages which are used for ad serving. All the admin and on ad serving pages are either behind a basic auth or something stronger.


However, when I had to do cleanups for clients, I use a tool that indexes by database and then I just do searches on the stuff that I feel is iffy. It works out pretty well. 

Link to comment
Share on other sites

  • 1 year later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...