Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

Archive

Posts Tagged ‘cleaning’
January 13th, 2014

How to clean your hacked OpenX server

cleanup_noframeChristmas is a time of peace, but it does not apply to hackers and creators of malware. In the middle of the holidays, the AVAST Virus Lab found a new type of infection targeting advertisement servers with OpenX installed. Unfortunately, the only antivirus detecting this threat is avast! which leads to the erroneous conclusion that there is a false positive on our side, but it is actual danger.

This infection is called JS:Redirector-BJB or JS:Redirector-BJC and it has been confirmed on 930 servers running OpenX over the world. This means that at least 130 thousand people are saved by avast! from malware infection in advertisements every day, so please be reasonable and update your server as soon as possible.

Infection and consequences for users visiting a malicious website are described in our recent post about malvertising, but today let’s look at how to successfully clean, update, and secure your application. Below are the top 5 most visited and infected sites. Is yours on this list?

  1. pub.akinator.com
  2. ads.locafilm.com
  3. ads.novsport.com
  4. ads.svetplus.com
  5. 116.66.206.132

If you are using OpenX or Revive AdServer’s prior version 3.0.2 your system is vulnerable!

Below you can find a few steps that will lead you through cleaning, but updating to the latest version of Revive AdServer is necessary. Otherwise your server will still have known security flaws.

backup1. Backup Files – Download all files from FTP to your computer and scan them with antivirus. If any of the files are marked as a threat, delete it from FTP instantly. If it is possible, also backup your database to ensure calm upgrading.

check2. Check for Backdoor - Search FTP for files that do not belong there. You can find them by their date of creation (file with different date than others in the directory) or by obfuscated content in source files. You can also compare your source codes with official installation and reveal newly added files. If you are using OpenX version 2.8.10, delete file “flowplayer-3.1.1.min.js” because it contains a backdoor.

cleandb3. Clean the Database – The first step is to change passwords both for admin and for database, and also check if there are no unknown users. This will ensure no disturbance during the cleaning process. Next, you must examine tables “Banners” and “Zones” in the database. Find and delete any malicious javascript located there. Usually its located in “Append” or “Prepend” fields. The last step is to update the new database password in config, because it will be needed during the upgrade.

upgrade4. Upgrade Application – Download the latest version of Revive AdServer to your hard drive. OpenX changed its name in summer 2013 so the newest version can be downloaded only from link above. Follow the steps that you find in the article from the official pages about upgrading OpenX or Revive AdServer application.

secure5. Secure Server – After the upgrade you have only a few things to do. Check that the database and all users have their password unbreakable. Do not use any passwords from before. Do not leave any installation or old files on FTP. Change the password to the FTP because hackers could discover it too.

Someone might think “upgrading must help solve my problem,” but that’s unfortunately not true. In this and as well in many other cases, website administrators and owners must perform the described steps in order to get rid of the infection completely. Do not forget to change all passwords.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

Categories: How to, lab, Virus Lab Tags: , ,
Comments off
May 27th, 2011

Friendship and an immortal virus

Yes, an immortal virus seems to exist … at least in comparison to the usual life cycle of malware. While there are lots of malware families with very short half-life, there are only few with a long life. Parite (aka Pinfi) – a real long-playing evergreen – is one of them. Parite will reach the 10-year milestone this October. Gosh! Ten years! Can you remember what your computer looked like ten years ago? Ten years is an eternity in the world of IT. Just try to list what has changed and evolved during this period. There’s the obvious evolution of Windows and antivirus software for starters. But, despite all these changes, Parite is still with us.

Read more…

June 16th, 2010

How I met the optimization and other stories

Hello again, I’m gonna tell you a story about an emulator that becomes 5x faster during one day. In the beginning there was an disassembler and a virtual execution environment. The disassembler liked the environment so much that they got together one day and the framework for our emulator was born. It was growing day by day, line by line – up to 20k+ lines of code – and here the “problem” begins.

Read more…

January 8th, 2010

File infectors – part 2

Hello in 2010. I would like to wish you all the best in this year and I hope that our upcoming v5 will be your good fella starting from this January. Let me resume the previous article “Buggy file infectors” -  as the release date for v5 is getting closer and closer, I think it would be good to inform you what to expect regarding the file infectors cleaning. Version 4.x was sometimes criticised due to its lower ability to cure most recent file infector families (more on this will be written later in this text). Good news for you – v5 will perform better.

Read more…