joesc230 Posted August 6, 2019 Hi all, I was running Revive 4.2.0 on my site and we started to get warnings from the Norton anti-virus program that's installed on our local machines when browsing on our site. We were able to narrow it down to realize that it's definitely being triggered by our Revive banner ads that are running throughout the site, as when we remove the Revive code the Norton warning goes away. The warnings all reference the domain ouh3igaeb.com. I ran an upgrade to 4.2.1 to see if that would get rid of the issue, but it didn't. This is occurring on multiple machines, and I know it's not limited to Norton detecting it, as Google sent me a notification that they're turning off a bunch of our ads because they're detecting malware on our site. Anyone have a recommendation on what I should do next?
joesc230 Posted August 7, 2019 I've been continuing to dig, trying to figure out what's going on, and I noticed a PHP file inside the www/images folder of the Revive files on my server. Should there be a PHP file in there? In case this helps, the PHP file is named cfddc4dc03af18ba854a57065caea20e.php and it's the only PHP file in the images directory. Its code has something to do with http://phpminiadmin.sourceforge.net/, which seems to be a mini web version of phpMyAdmin.
joesc230 Posted August 8, 2019 I got in touch with Google's Adwords support team and they said the following links were found by their system on my site: [list of flagged URLs removed] Since I don't know what's wrong or how to fix it I have removed the Revive code from my site, but I would like to know if anyone has an idea of what is wrong, as I would like to use it again. Also - should I remove the Revive database from my server in case it's infected?
andrewatfornax Posted August 29, 2019 https://www.reviveconsultant.com/articles/what-to-do-when-you-suspect-your-openx-source-system-has-been-hacked/ may be of assistance here.
tkat Posted October 29, 2019 Did the Google Ad Manager indicate deloplen.com and prombanner.com among the malware domains infecting your tags? We had reports from a few of our publishers about the GAM malware block on our tags.
Thierry Posted July 3, 2020 Very late reply, but I encountered the same issue... (I'm posting in case it may help someone else). The file in the images directory (with a similar kind of name) was used from time to time to load a shell on my server (which would be erased after the "work" was done). The hacker was free to connect directly to my DB and put their payload into the banners (the zones' PREPEND fields were loaded with malicious JavaScript) or do anything else he/she wanted.
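The two artefacts described in this thread (a PHP file dropped into Revive's www/images directory, and script injected into zone PREPEND/APPEND fields) can be checked for with a short script. This is an added example, not code from the thread or from Revive; it assumes a file listing of the images directory and rows exported from the zones table (assumed to be named rv_zones with prepend and append columns), and the sample data below is constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample listing of Revive's www/images directory (hypothetical).
SAMPLE_IMAGE_LISTING = [
    "www/images/1a2b3c_728x90.gif",
    "www/images/house_banner.jpg",
    "www/images/cfddc4dc03af18ba854a57065caea20e.php",
    "www/images/.htaccess",
]

# Constructed sample rows as if exported from rv_zones (assumed table/columns).
SAMPLE_ZONE_ROWS = [
    {"zoneid": 1, "prepend": "", "append": ""},
    {"zoneid": 2, "prepend": "<!-- house ad header -->", "append": ""},
    {"zoneid": 3, "prepend": '<script src="//ads.example.invalid/invoke.js"></script>', "append": ""},
    {"zoneid": 4, "prepend": "", "append": "<script>eval(atob('Li4u'))</script>"},
]

# Only image formats are expected in www/images; .htaccess is a legitimate file.
IMAGE_SUFFIXES = {".gif", ".jpg", ".jpeg", ".png", ".webp", ".svg", ".swf"}

# Markers of active content in a field that should hold static HTML at most.
SCRIPT_RE = re.compile(r"<script\b|javascript:|\beval\s*\(|\batob\s*\(|document\.write", re.I)


def unexpected_files(listing):
    """Return paths in the images directory that are not image files."""
    flagged = []
    for path in listing:
        name = PurePosixPath(path).name
        if name == ".htaccess":
            continue
        if PurePosixPath(name).suffix.lower() not in IMAGE_SUFFIXES:
            flagged.append(path)
    return flagged


def injected_zone_fields(rows):
    """Return (zoneid, field) pairs whose prepend/append contains script markers."""
    hits = []
    for row in rows:
        for field in ("prepend", "append"):
            if SCRIPT_RE.search(row.get(field) or ""):
                hits.append((row["zoneid"], field))
    return hits


if __name__ == "__main__":
    print("non-image files:", unexpected_files(SAMPLE_IMAGE_LISTING))
    print("zones with script in prepend/append:", injected_zone_fields(SAMPLE_ZONE_ROWS))
```

Legitimate zones can carry a script tag in PREPEND, so treat the second list as review candidates rather than proof of compromise.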