Posts posted by vinmhas
We are having the exact problem and symptoms:
- Injection in the zones table of the Revive database.
- The file genericText.delivery.php has been compromised.
- I found the following suspicious entries in the NGINX log-file:
176.31.187.82 - - [17/Dec/2018:10:07:33 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 11329 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 0.210 x.x.x.x -
176.31.187.82 - - [17/Dec/2018:10:07:36 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 76 "https://google.com/serach?q=https://adsserver.xxx/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)" 0.439 x.x.x.x -
Running an upgraded Revive 4.1.3. Have been upgrading every version since 2011 (when it was still called Open-X).
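A log check for the two request shapes quoted in the post above, added here as an example (it is not part of the original post and not Revive's own tooling): it flags any client that POSTs to adxmlrpc.php and then POSTs to delivery/fc.php with a script parameter shortly afterwards. The 5-minute window, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the log format shown in the post
# (documentation IP addresses, shortened user agents).
SAMPLE_LOG = '''\
203.0.113.7 - - [17/Dec/2018:10:07:33 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 11329 "-" "Mozilla/5.0" 0.210 x.x.x.x -
203.0.113.7 - - [17/Dec/2018:10:07:36 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 76 "-" "AdsBot-Google (+http://www.google.com/adsbot.html)" 0.439 x.x.x.x -
198.51.100.9 - - [17/Dec/2018:10:08:01 +0100] "GET /www/delivery/fc.php?script=bannerTypeHtml:vastInlineBannerTypeHtml:vastInlineHtml&zones=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.012 x.x.x.x -
198.51.100.23 - - [17/Dec/2018:11:00:00 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0" 0.100 x.x.x.x -
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(method, target):
    """Return a tag for the two request shapes quoted in the post, else None."""
    if method != "POST":
        return None
    url = urlsplit(target)
    if url.path.endswith("/adxmlrpc.php"):
        return "xmlrpc"
    if url.path.endswith("/delivery/fc.php") and "script" in parse_qs(url.query):
        return "fc_script"
    return None

def find_pairs(log_text, window=timedelta(minutes=5)):
    """Return (ip, xmlrpc_time, fc_time) for clients sending both POSTs within `window` (assumed value)."""
    last_xmlrpc, hits = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        tag = classify(m["method"], m["target"]) if m else None
        if tag is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if tag == "xmlrpc":
            last_xmlrpc[m["ip"]] = ts
        elif m["ip"] in last_xmlrpc and ts - last_xmlrpc[m["ip"]] <= window:
            hits.append((m["ip"], last_xmlrpc[m["ip"]], ts))
    return hits

if __name__ == "__main__":
    for ip, t1, t2 in find_pairs(SAMPLE_LOG):
        print(f"{ip}: POST adxmlrpc.php at {t1}, POST fc.php?script= at {t2}")
```

A hit is a lead for review, not proof of compromise; compare its timestamps against modification times of the delivery plugin files and changes in the zones table.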
Mobile ads have been hijacked
in Using Revive Adserver
Thank you @tvvpmi. That did the trick!
I've been searching through a database-dump of the database for traces of suspicious JavaScript or iframes, but they only tampered with one specific ad for some reason. There were no PHP-files in the images folder though.
Like you've suggested: I've removed the ability to execute PHP-files in the images-folder, and the installation hasn't been compromised since.