
Hi all,

I was running Revive 4.2.0 on my site and we started to get warnings from the Norton anti-virus program that's installed on our local machines when browsing on our site.  We were able to narrow it down to realize that it's definitely being triggered by our Revive banner ads that are running throughout the site, as when we remove the Revive code the Norton warning goes away.

The warnings all reference the domain ouh3igaeb.com.

I ran an upgrade to 4.2.1 to see if that would get rid of the issue, but it didn't.  This is occurring on multiple machines, and I know it's not limited to Norton detecting it, as Google sent me a notification that they're turning off a bunch of our ads as they're detecting malware on our site.

Anyone have a recommendation on what I should do next?


I've been continuing to dig, trying to figure out what's going on and I noticed a PHP file inside the www/images folder of the revive files on my server.  Should there be a PHP file in there?  In case this helps, the PHP file is named cfddc4dc03af18ba854a57065caea20e.php and it's the only PHP file in the images directory. Its code has something to do with http://phpminiadmin.sourceforge.net/ which seems to be a mini web version of PHPMyAdmin.


Did the Google Ad Manager indicate deloplen.com and prombanner.com among the malware domains infecting your tags?

We had reports from a few of our publishers about the GAM malware block on our tags.


Very late reply, but I encountered the same issue... (I'm posting in case that may help someone else). The file in the images directory (with a similar kind of name) was used from time to time to load a shell on my server (which would be erased after the "work" was done). The hacker was free to connect directly to my DB and put their payload into the banners (the Zones' PREPEND fields were loaded with malicious JavaScript) or do anything he/she wanted.

 

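Both artefacts described in the posts above (a PHP file sitting in `www/images`, and script injected into zones' PREPEND fields) can be checked for mechanically. The following is an added example, not part of the original thread and not Revive's own code; the column names `zoneid`/`prepend`/`append`, the extension list, the allowlisted host and the sample rows are assumptions constructed for illustration.

```python
import os
import re

# Extensions a PHP-enabled web server may execute (assumed list; adjust to your handler config).
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar", ".pht"}
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.I)


def find_scripts(images_dir):
    """Return relative paths of script files under a directory meant to hold only images."""
    hits = []
    for root, _dirs, files in os.walk(images_dir):
        for name in files:
            # Check every dot-separated suffix so shell.PHP and banner.php.jpg are both caught.
            suffixes = {"." + part.lower() for part in name.split(".")[1:]}
            if suffixes & SCRIPT_EXT:
                hits.append(os.path.relpath(os.path.join(root, name), images_dir))
    return sorted(hits)


def audit_zones(rows, allowed_hosts):
    """Flag zone prepend/append values holding script tags that are inline or load
    from hosts outside allowed_hosts. Returns (zoneid, field, host) tuples."""
    findings = []
    for row in rows:
        for field in ("prepend", "append"):
            value = row.get(field) or ""
            if "<script" not in value.lower():
                continue
            hosts = {h.lower() for h in HOST_RE.findall(value)}
            if not hosts:
                findings.append((row["zoneid"], field, "inline-script"))
            for host in sorted(hosts - set(allowed_hosts)):
                findings.append((row["zoneid"], field, host))
    return findings


# Constructed sample rows; the column names zoneid/prepend/append are assumptions.
SAMPLE_ZONES = [
    {"zoneid": 1, "prepend": "", "append": None},
    {"zoneid": 2, "prepend": '<script src="//cdn.bad.invalid/x.js"></script>', "append": ""},
    {"zoneid": 3, "prepend": "", "append": '<script src="https://ads.example.org/t.js"></script>'},
    {"zoneid": 4, "prepend": "<SCRIPT>document.title</SCRIPT>", "append": ""},
]

if __name__ == "__main__":
    for finding in audit_zones(SAMPLE_ZONES, {"ads.example.org"}):
        print("zone %s %s -> %s" % finding)
    print(find_scripts("www/images"))  # path as in the thread; run from the Revive root
```

In practice the rows would come from a read-only export of the zones table, and any hit in either check is a reason to treat the server and database credentials as compromised rather than just deleting the file.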
