Jump to content

vinmhas

Approved members
  • Content Count

    2
  • Joined

  • Last visited

    Never

Posts posted by vinmhas


  1. Thank you @tvvpmi. That did the trick!

    I've been searching through a database-dump of the database for traces of suspicious JavaScript or iframes, but they only tempered with one specific ad for some reason. There were no PHP-files in the images folder though..
    Like you've suggested: I've removed the ability to execute PHP-files in the images-folder, and the installation haven't been compromised since.


  2. We are having the exact problem and symptoms:

    • Injection in the zones table of the Revive database.
    • The file genericText.delivery.php has been compromised.
    • I found the following suspicious entries in the NGINX log-file:

    176.31.187.82 - - [17/Dec/2018:10:07:33 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 11329 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 0.210 x.x.x.x -
    176.31.187.82 - - [17/Dec/2018:10:07:36 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 76 "https://google.com/serach?q=https://adsserver.xxx/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)" 0.439 x.x.x.x -

    Running an upgraded Revive 4.1.3. Have been upgrading every version since 2011. ( when it was still called Open-X )

×
×
  • Create New...