Zhivko

  1. There are other applications running on it indeed, WordPress sites. They also got infected.
  2. I found the malicious code. It was in assets/js/jquery-1.2.3.js and assets/js/jquery-1.2.6-mod.js, in the form of:

     eval(String.fromCharCode(<BUNCH INTEGERS SEPARATED BY COMMA HERE>))

     which translates to malicious code that sets the location source to "news.weatherplllatform.com", which injects two JavaScript scripts into the page: counter.js and stat.js, which set some cookies and so on.

     I removed the code from the jquery-1.2.6-mod.js that is used, but if you want I can revert it because I saved a backup .bak file of it. For investigation purposes on our end, I left jquery-1.2.3.js as it is (with the malicious code in it).

     Please let me know if I should provide anything else, or if I should revert back the malicious code so you can check if it came from your side somehow, and if not, confirm that to us so we can count that out and continue with our investigation deeper.

     Regards, Zhivko

     Since I removed the malicious code from jquery-1.2.6-mod.js, you are no longer able to experience the redirect, just to clarify.
  3. Hello everyone,

     The company I work for uses Revive Adserver for placing ad banners on its multiple WordPress websites. We detected malware that comes in the form of a redirect after we visit the login screen for Revive administration (not yet logged in, just the login screen).

     https://imgur.com/a/f0PVqUM (here is the screenshot of where it happens)

     I investigated where this could possibly trigger and I found out that it happens in the OA_Start($checkRedirectFunc = null) function after this line:

     phpAds_SessionDataRegister(OA_Auth::login($checkRedirectFunc));

     The $checkRedirectFunc is null at that moment. Could you help me please? The link is https://rev.balkanmediagroup.com/www/admin/index.php

     Regards, Zhivko
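
Added example (not part of the original posts and not Revive Adserver code): a Node.js script that statically decodes the eval(String.fromCharCode(...)) pattern described in the second post, without executing it, and lists any hostnames found in the decoded text. The function name, the sample file contents and the placeholder.example host are constructed for illustration.

```javascript
// Statically decode eval(String.fromCharCode(...)) blobs found in a JS file.
// The payload is never executed: only the integer list is turned into text.
const CHARCODE_EVAL =
  /eval\s*\(\s*String\s*\.\s*fromCharCode\s*\(([\s\d,xXa-fA-F]+)\)\s*\)/g;
const HOSTNAME = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;

function decodeCharCodeEvals(source) {
  const findings = [];
  for (const match of source.matchAll(CHARCODE_EVAL)) {
    const codes = match[1]
      .split(",")
      .map((token) => token.trim())
      .filter((token) => token.length > 0)
      .map((token) => Number(token)); // accepts decimal and 0x-prefixed hex
    // Skip anything that is not a clean list of UTF-16 code units.
    if (codes.some((n) => !Number.isInteger(n) || n < 0 || n > 0xffff)) continue;
    // Convert one code at a time so very long lists cannot overflow the stack.
    const decoded = codes.map((n) => String.fromCharCode(n)).join("");
    const hosts = [...decoded.matchAll(HOSTNAME)].map((m) => m[1].toLowerCase());
    findings.push({
      line: source.slice(0, match.index).split("\n").length,
      decoded,
      hosts: [...new Set(hosts)],
    });
  }
  return findings;
}

// Constructed sample: a harmless stand-in string encoded the same way and
// appended to a stub "library" file, as in the infected jQuery copies.
const samplePayload = 'location.href="http://placeholder.example/counter.js";';
const sampleFile =
  "/* jquery-like library code (constructed sample) */\nvar jq = {};\n" +
  "eval(String.fromCharCode(" +
  Array.from(samplePayload, (ch) => ch.charCodeAt(0)).join(", ") +
  "));\n";

for (const f of decodeCharCodeEvals(sampleFile)) {
  console.log(`line ${f.line}: hosts=[${f.hosts.join(", ")}]`);
  console.log(`decoded: ${f.decoded}`);
}
```

To check real files, read each .js file under the web root with fs.readFileSync and pass its contents to decodeCharCodeEvals; any finding in a vendored library such as jQuery warrants comparison against a known-good copy.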