Jump to content


Approved members
  • Content Count

  • Joined

  • Last visited


Posts posted by vinmhas

  1. Thank you @tvvpmi. That did the trick!

    I've been searching through a database-dump of the database for traces of suspicious JavaScript or iframes, but they only tempered with one specific ad for some reason. There were no PHP-files in the images folder though..
    Like you've suggested: I've removed the ability to execute PHP-files in the images-folder, and the installation haven't been compromised since.

  2. We are having the exact problem and symptoms:

    • Injection in the zones table of the Revive database.
    • The file genericText.delivery.php has been compromised.
    • I found the following suspicious entries in the NGINX log-file: - - [17/Dec/2018:10:07:33 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 11329 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 0.210 x.x.x.x - - - [17/Dec/2018:10:07:36 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 76 "https://google.com/serach?q=https://adsserver.xxx/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)" 0.439 x.x.x.x -

    Running an upgraded Revive 4.1.3. Have been upgrading every version since 2011. ( when it was still called Open-X )

  • Create New...