Matteo Beccati

During the installation, you should have seen something like: Installing Revive Adserver Plugin: Banner Types PluginOK while the installer was installing all the bundled plugins, e.g.

The installation is not over at that point

Then there is something very wrong with your setup or hosting, or apache security modules. One of the last steps of the installer does also install the plugins.

Perhaps the standard plugins are disabled or not installed.

Did you just change that? Your logs where explicitly mentioning OA_Maintenance_Auto. Also 5 minutes operation interval is an extremely bad idea. Try setting it back to 60 minutes and schedule 1 cron job at minute 0. PS @andrewatfornax I really think we should remove the option.

If you have messages stating that maintenance is complete, there is nothing you should be worrying about. You're using automatic maintenance and concurrent requests will try to trigger it: one will succeed and the others will rigthfully fail. I'd suggest disabling auto-maintenance and setting up scheduled maintenance via cron.

My suggestion would be to try and restart MySQL. I do remember having seen once or twice such lock being stuck and not released.

To everyone else that I haven't already contacted, if you are interested to help pls PM me. I'll send you my IP and SSH key to see if I can find any more clues.

Research is still ongoing: we are in touch with a few affected users, but until now we haven't received enough evidence to understand how the malicious plugin or the php files in the images folder are being planted.

Hi @scott001, I'm sorry - we must have missed this. We've had similar reports, but until now no one was able to provide any useful information on how the malware or compromised plugin files were injected in the first place. Do you have any older logs that could help?

@Snaggy yes, absolutely. An/or you can find a pristine file in etc/plugins/openXBannerTypes.zip. The zipfile can be used together with the "Import" button in the plugin screen to overwrite the existing files.

@tvvpmi Yes, please clean up your plugins/bannerTypeText/oxText/genericText.delivery.php file, which has most likely been compromised at some point. Unfortunately the logs sent by @sunech didn't cover the time when that happened.

Thanks for your help. Would any of you allow me to have a closer look, in order to see if I can spot anything else that's unusual and possibly gather more information?

data-revive-id is a hash calculated using the delivery and deliverySSL config values. @Adi The old one had "www" in the path while the new one doesn't, that's why you're getting a different id.

It's a known incompatibility with the utf8mb4 charset: https://github.com/revive-adserver/revive-adserver/issues/740