Revive Adserver Marked as Phishing

[Carlos Ramos]

Hi there,

I setup a Revive Adserver about a month ago and right now is marked as a phishing site by Google and others. The installation is stock the the exception of a plugin for video ads. I plan to install from scratch again and not use this plugin anymore. But I wanted to ask if there is any know issue that could provoke this problem. Google is marking this paths as deceptive pages:

• /www/admin/
• /www/admin/dashboard.php
• /www/admin/index.php
• /www/admin/stats.php

Any advice you may have is welcome.

Thanks.

The video plugin we use is http://www.reviveadserverplugin.com/product/html5-video-audio-ads-plugin/

[Erik Geurts]

I'm surprised that those URLs are marked as deceptive. With many many thousands of known installations of the software, this is the first time I've ever heard about this, so it must be something specific to your installation. It is possible that your ad server has been compromised and something malicious was inserted by an intruder. The pages that you listed as being labeled suspicious by Google are part of the core application, not of any plugin. That doesn't mean that plugin you mentioned is not involved, but there is no evidence for it in your post. 

However, those URLs are not something a site visitor would ever need to go to. I'm assuming you have your Revive Adserver installed in a sub folder under your site, like www.example.com/adserver/. As such, Google's bots can still "see" it, which is not necessary at all. You might want to block bots from accessing the /www/admin folder to begin with.

Removing that third party plugin, at least as a test for the theory it is responsible, could also be a good idea. Then file for the site to be reconsidered by Webmaster tools.

Is there a way for you to post a screen shot of what it looks like, when you see the warning(s) about deceptive pages? Is it in Webmaster tools or is it something else?

[Carlos Ramos]

Hi Erik,

Thanks for your reply. The adserver is installed at the root of the site, no sub-folder. Something like adserver.example.com. And yes this is google webmaster tools. The problem has escalated and now the hosting provider is saying the same about the phishing. I'll proceed with the cleanup today and see what happens. Here is the screenshot you asked:

 

[Carlos Ramos]

So for the new installation, I cloned the code from github and switch to tag v4.0.0 (hopefully this way I know if a file have changed). Copied the config file and the plugins directory from my previous installation and uninstalled the VideoAds plugin from the web app, only the default plugins remain. Also had to do a `composer install`. All this in order to keep the database intact and not have to configure the entire adserver again. Just two questions remain:

1. Since the plugins directory is not directly under source control. How can I make sure none of the default plugins are compromised?.
2. Does Revive store any code in the database, is there a chance that the problematic code is in the database and not in the files?

Thanks for your time.

[Erik Geurts]

You should never use the code from Github, just download from https://www.revive-adserver.com/download/ . Installation instructions are to be found here: https://www.revive-adserver.com/support/installation/

[Carlos Ramos]

Thanks for the advice, will switch to the release files and create the git repo myself, ¿any Idea about the questions?

[Erik Geurts]

17 hours ago, Carlos Ramos said:

create the git repo myself

As said: You should never use the code from Github, just download from https://www.revive-adserver.com/download/ . 

On 11/26/2016 at 0:55 AM, Carlos Ramos said:

• Since the plugins directory is not directly under source control. How can I make sure none of the default plugins are compromised?.
• Does Revive store any code in the database, is there a chance that the problematic code is in the database and not in the files?

First question is not relevant if you use the official releases.

Second question: theoretically yes, but in this case it is not likely that this is the explanation.

[Display Name]

Called it " www.example.com/adserver/ " is the best way to get blocked by an AV and other System.