bizi10 Posted August 23, 2016

Does anyone else have a problem with Kaspersky Total Security? I got informed that it reports our ads zones as some kind of Trojan but I didn't find anything wrong at our ads server. We have the latest Revive Adserver v3.2.4. The site that displays ads is www.racunalniske-novice.com

Any thoughts on what's wrong? Is Kaspersky reporting a false positive?

A few errors reported by Kaspersky:

    23.08.2016 21.14.18 Download blocked http://ads.racunalniske-novice.com/openx/www/delivery/afr.php?zoneid=21&cb=INSERT_RANDOM_NUMBER_HERE
    Object name: HEUR:Trojan.Script.Generic
    Object: http://ads.racunalniske-novice.com/openx/www/delivery/afr.php?zoneid=21&cb=INSERT_RANDOM_NUMBER_HERE
    Application: Internet Explorer
    Object type: Trojan program
    Time: 8/23/2016 9:14 PM

    23.08.2016 21.14.18 Object (file) detected http://ads.racunalniske-novice.com/openx/www/delivery/afr.php?zoneid=21&cb=INSERT_RANDOM_NUMBER_HERE
    Object name: HEUR:Trojan.Script.Generic
    Object: http://ads.racunalniske-novice.com/openx/www/delivery/afr.php?zoneid=21&cb=INSERT_RANDOM_NUMBER_HERE
    Application: Internet Explorer
    Object type: Trojan program
    Time: 8/23/2016 9:14 PM

    23.08.2016 21.14.18 Download blocked http://ads.racunalniske-novice.com/openx/www/delivery/afr.php?zoneid=29&cb=INSERT_RANDOM_NUMBER_HERE
    Object name: HEUR:Trojan.Script.Generic
    Object: http://ads.racunalniske-novice.com/openx/www/delivery/afr.php?zoneid=29&cb=INSERT_RANDOM_NUMBER_HERE
    Application: Internet Explorer
    Object type: Trojan program
    Time: 8/23/2016 9:14 PM

    23.08.2016 21.14.18 Object (file) detected http://ads.racunalniske-novice.com/openx/www/delivery/afr.php?zoneid=29&cb=INSERT_RANDOM_NUMBER_HERE
    Object name: HEUR:Trojan.Script.Generic
    Object: http://ads.racunalniske-novice.com/openx/www/delivery/afr.php?zoneid=29&cb=INSERT_RANDOM_NUMBER_HERE
    Application: Internet Explorer
    Object type: Trojan program
    Time: 8/23/2016 9:14 PM

And an image of the reported errors.

But it doesn't even get to the banner id. Is it blocking the normal invocation script? Thanks for any help you can give me.

Erik Geurts Posted August 23, 2016

Either the scanner has a false positive or your own installation of Revive Adserver was compromised.

bizi10 Posted August 23, 2016

    1 minute ago, Erik Geurts said:
    Either the scanner has a false positive or your own installation of Revive Adserver was compromised.

Well yeah I figured out that too. :) But how to tell if it's the first or the second option? Can someone else check with free trial of Kaspersky Total Security on his Revive installation?

Erik Geurts Posted August 24, 2016

My best guess is that your ad server was compromised. You could start by checking the prepend and append fields of all the banners and zones. If someone managed to access your installation, they may have added malicious JavaScript code there.

bizi10 Posted August 24, 2016

On the banners the only append I found was this (that doesn't seem problematic):

After contacting Kaspersky support they didn't find anything wrong either and now all is back to normal. Weird stuff.

Erik Geurts Posted August 25, 2016

That append code looks very suspicious. Did you put it in yourself? If not, it might be the cause of all this (or a symptom of a bigger problem).
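
The check suggested in the thread, reviewing the prepend and append fields of every banner and zone, can be partly automated. The following is an added example, not code from the thread or from Revive Adserver: it assumes the prepend/append values have already been exported from the database as (table, id, field, value) rows, and the allow-listed host, function names and sample rows are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts you yourself reference in prepend/append code.
ALLOWED_HOSTS = {"ads.example.test"}

# Idioms often used to hide injected script; a heuristic, not proof.
OBFUSCATION = re.compile(r"\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode", re.I)

class TagScan(HTMLParser):
    """Records <script>/<iframe> tags that load from hosts outside the allow-list."""
    def __init__(self):
        super().__init__()
        self.reasons = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host and host not in ALLOWED_HOSTS:
                self.reasons.append(f"<{tag}> loads from unlisted host {host}")

def audit(rows):
    """rows: (table, row_id, field, value) tuples; returns the rows needing review."""
    findings = []
    for table, row_id, field, value in rows:
        if not value or not value.strip():
            continue  # empty prepend/append is the normal case
        scan = TagScan()
        scan.feed(value)
        reasons = list(scan.reasons)
        match = OBFUSCATION.search(value)
        if match:
            reasons.append(f"obfuscation idiom: {match.group(0)}")
        if reasons:
            findings.append((table, row_id, field, reasons))
    return findings

# Constructed sample rows, not taken from the thread or any real installation.
SAMPLE_ROWS = [
    ("banners", 12, "append", ""),
    ("banners", 14, "append", '<img src="/px.gif" width="1" height="1">'),
    ("banners", 17, "append", '<script src="//cdn.unknown.test/a.js"></script>'),
    ("zones", 21, "prepend", '<script>document.write(unescape("%3Cdiv%3E"))</script>'),
    ("zones", 29, "append", '<script src="https://ads.example.test/t.js"></script>'),
]

if __name__ == "__main__":
    for table, row_id, field, reasons in audit(SAMPLE_ROWS):
        print(f"{table} #{row_id} {field}: {'; '.join(reasons)}")
```

A hit only marks a row for manual review; any non-empty value that nobody on the team remembers adding deserves a look even when it triggers no rule.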