Good morning to all
I'm currently having the same problem with my Revive Adserver installation updated at the last version (4.1.4).
Someone makes POST requests to /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank and is able to adds code to plugins/bannerTypeText/oxText/genericText.delivery.php and to upload backdoor php scripts inside /www/images/
I temporarily solved disabling PHP Engine inside the image folder and adding two lines of code inside fc.php to log POST request. @tvvpmi maybe can you send to me your logged POST requests while I'm waiting to be attacked again?
I want to reverse this attack in order to understand how it works and to help Revive support team to fix it