Malware Detected

Hi all,

I was running Revive 4.2.0 on my site and we started to get warnings from the Norton anti-virus program that's installed on our local machines when browsing on our site.  We were able to narrow it down to realize that it's definitely being triggered by our Revive banner ads that are running throughout the site, as when we remove the Revive code the Norton warning goes away.

The warnings all reference the domain ouh3igaeb.com.

I ran an upgrade to 4.2.1 to see if that would get rid of the issue, but it didn't.  This is occurring on multiple machines, and I know it's not limited to Norton detecting it as Google sent me a notification that they're turning off a bunch of our ads as they're detecting malware on our site.

Anyone have a recommendation on what I should do next?


I've been continuing to dig, trying to figure out what's going on and I noticed a PHP file inside the www/images folder of the revive files on my server.  Should there be a PHP file in there?  In case this helps, the PHP file is named cfddc4dc03af18ba854a57065caea20e.php and it's the only PHP file in the images directory. Its code has something to do with http://phpminiadmin.sourceforge.net/ which seems to be a mini web version of PHPMyAdmin.


Very late reply, but I encountered the same issue... (I'm posting in case that may help someone else). The file in the images directory (with a similar kind of name) was used from time to time to load a shell on my server (which would be erased after the "work" was done). The hacker was free to directly connect to my DB and put their payload into the banners (Zone's PREPEND fields were loaded with malicious JavaScript) or do anything he/she wanted.
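
The two checks this thread points to, as an added example that is not part of the original posts or of Revive's own code: look for PHP in the images directory (by extension and by content) and flag `<script>` tags in zone prepend/append values. The row keys `zoneid`, `prepend` and `append`, the allow-listed host and all sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
SRC_HOST = re.compile(r"\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)

def find_php_in_images(images_dir):
    """Files under images_dir that are PHP by extension or by content."""
    hits = []
    for root, _dirs, files in os.walk(images_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(4096).lower()
            # A renamed script (e.g. *.gif) still carries the PHP open tag.
            if PHP_EXT.search(name) or b"<?php" in head:
                hits.append(path)
    return sorted(hits)

def flag_zone_scripts(rows, allowed_hosts):
    """Report <script> tags in prepend/append whose host is not allow-listed."""
    findings = []
    for row in rows:
        for field in ("prepend", "append"):
            for attrs in SCRIPT_TAG.findall(row.get(field) or ""):
                m = SRC_HOST.search(attrs)
                host = m.group(1).lower() if m else "(inline/local)"
                if host not in allowed_hosts:
                    findings.append((row["zoneid"], field, host))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as d:
        samples = {  # constructed files standing in for www/images
            "banner1.png": b"\x89PNG\r\n\x1a\n",
            "0123abcd.php": b"<?php /* constructed */ ?>",
            "logo.gif": b"GIF89a<?PHP /* constructed */ ?>",
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        php = [os.path.basename(p) for p in find_php_in_images(d)]
    rows = [  # constructed rows; key names are assumptions
        {"zoneid": 1, "prepend": "", "append": None},
        {"zoneid": 2, "prepend": '<script src="//cdn.unknown.example/x.js"></script>', "append": ""},
        {"zoneid": 3, "prepend": "<script>var a=1;</script>", "append": ""},
    ]
    return php, flag_zone_scripts(rows, allowed_hosts={"ads.mysite.example"})
```

Any hit from either check is a reason to treat the server and database credentials as compromised, not just to delete the file or clear the field.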