
Everything posted by vinmhas

  1. Thank you @tvvpmi. That did the trick! I've been searching through a database-dump of the database for traces of suspicious JavaScript or iframes, but they only tampered with one specific ad for some reason. There were no PHP-files in the images folder, though. Like you've suggested: I've removed the ability to execute PHP-files in the images-folder, and the installation hasn't been compromised since.
  2. We are having the exact problem and symptoms: Injection in the zones table of the Revive database. The file genericText.delivery.php has been compromised. I found the following suspicious entries in the NGINX log-file:

     176.31.187.82 - - [17/Dec/2018:10:07:33 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 11329 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 0.210 x.x.x.x -
     176.31.187.82 - - [17/Dec/2018:10:07:36 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 76 "https://google.com/serach?q=https://adsserver.xxx/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)" 0.439 x.x.x.x -

     Running an upgraded Revive 4.1.3. Have been upgrading every version since 2011 (when it was still called Open-X).
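
The request pair flagged in the second post, turned into a log check, as an added example that is not part of the original posts or of Revive: it reports a client IP that POSTs to adxmlrpc.php and then, within a time window, POSTs to the delivery fc.php with a script= parameter. The function names, the 60-second window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the layout quoted in the post (NGINX combined
# format plus trailing fields); the client IPs are documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Dec/2018:10:07:33 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 11329 "-" "Mozilla/5.0" 0.210 x.x.x.x -
198.51.100.7 - - [17/Dec/2018:10:07:36 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 76 "-" "AdsBot-Google (+http://www.google.com/adsbot.html)" 0.439 x.x.x.x -
203.0.113.9 - - [17/Dec/2018:10:08:01 +0100] "GET /www/delivery/ajs.php?zoneid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.031 x.x.x.x -
203.0.113.9 - - [17/Dec/2018:10:09:10 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 120 "-" "Mozilla/5.0" 0.050 x.x.x.x -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} ')

def parse(line):
    """Return the fields the check needs, or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "path": url.path,
            "query": parse_qs(url.query),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_sequences(log_text, window=timedelta(seconds=60)):
    """List (ip, time, script) where a POST to adxmlrpc.php is followed, from
    the same IP and within `window`, by a POST to fc.php carrying script=."""
    last_xmlrpc = {}  # ip -> time of its most recent POST to adxmlrpc.php
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"].endswith("/adxmlrpc.php"):
            last_xmlrpc[ev["ip"]] = ev["ts"]
        elif ev["path"].endswith("/delivery/fc.php") and "script" in ev["query"]:
            prev = last_xmlrpc.get(ev["ip"])
            if prev is not None and timedelta(0) <= ev["ts"] - prev <= window:
                hits.append((ev["ip"], ev["ts"].isoformat(), ev["query"]["script"][0]))
    return hits

if __name__ == "__main__":
    for ip, when, script in find_sequences(SAMPLE_LOG):
        print(f"{when} {ip} xmlrpc POST then fc.php script={script}")
```

A hit is a lead for review rather than proof of compromise; pair it with a check of the zones table and of the delivery plugin files named in the post.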