andrewatfornax Posted February 19, 2019
Hi @TYWebmaster, Thanks for this information - can you please confirm if, in addition to changing the database user password and Revive Adserver admin login password: Did you change all other DB user account passwords that may exist? Are there any DB user accounts present that you don't recognise? Did you change all other Revive Adserver login passwords that may exist? Are there any logins that you don't recognise? Did you change all other O/S level account passwords that may exist? Are there any O/S level accounts present that you don't recognise? Thanks, Andrew
10 hours ago, jacopotediosi said: Someone makes POST requests to /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank and is able to add code to plugins/bannerTypeText/oxText/genericText.delivery.php and to upload backdoor php scripts inside /www/images/. I temporarily solved it by disabling the PHP engine inside the image folder and adding two lines of code inside fc.php to log POST requests.
@jacopotediosi, Please do create a HackerOne report once you have managed to capture the post details! Thanks, Andrew
TYWebmaster Posted February 19, 2019
5 minutes ago, andrewatfornax said: Hi @TYWebmaster, Thanks for this information - can you please confirm if, in addition to changing the database user password and Revive Adserver admin login password: Did you change all other DB user account passwords that may exist? Are there any DB user accounts present that you don't recognise? Did you change all other Revive Adserver login passwords that may exist? Are there any logins that you don't recognise? Did you change all other O/S level account passwords that may exist? Are there any O/S level accounts present that you don't recognise? Thanks, Andrew
There is only one DB user account to log into, there is only one Revive login account, all others are deleted. I am using Plesk to manage multiple sites, so are you referring to another possible PW to log into PHPmyAdmin?
andrewatfornax Posted February 19, 2019
1 minute ago, TYWebmaster said: There is only one DB user account to log into, there is only one Revive login account, all others are deleted. I am using Plesk to manage multiple sites, so are you referring to another possible PW to log into PHPmyAdmin?
Either that or at the O/S level - but if you are on a hosting service that only offers Plesk access, you may not be able to tell. It would be worth asking your hosting provider to check for unexpected accounts or activity at the O/S level, though, just to be sure.
TYWebmaster Posted February 19, 2019
1 minute ago, andrewatfornax said: Either that or at the O/S level - but if you are on a hosting service that only offers Plesk access, you may not be able to tell. It would be worth asking your hosting provider to check for unexpected accounts or activity at the O/S level, though, just to be sure.
I will do that. Is there anything else you can suggest? Any other ways to possibly block them from injecting the code in the prepend?
andrewatfornax Posted February 19, 2019
No, sorry, at this stage, without details on exactly what is happening, it's hard to know what to suggest. Some of the posts above around possible vectors are interesting, and hopefully we will get some concrete details soon.
Matteo Beccati Posted February 19, 2019
To everyone else that I haven't already contacted: if you are interested in helping, pls PM me. I'll send you my IP and SSH key to see if I can find any more clues.
Michael L Posted July 1, 2020
On 1/4/2019 at 9:24 PM, sunech said: Hello, I've been running adserver for 2 years now. Now all my sites have been hijacked and every time they are visited with an iPhone spam banners appear, but only once. I upgraded to the latest version of adserver and everything worked great for a while. But this week it came back again. I tried looking in genericText.delivery.php but nothing is there. Please help!!!
Ian Posted July 1, 2020
32 minutes ago, Michael L said:
Did you change all passwords?
Michael L Posted July 1, 2020
Yes. Also found what they did: they changed asyncjs.php and put code in that file.
Thierry Posted July 3, 2020
Beware that they did not also leave a backdoor on your site... I just published a new topic on that subject. Once a hacker has access to your site, like they could have with the security hole in 4.x, their possibilities are endless. Check your www/images directory for php files. T.
Michael L Posted July 3, 2020
Thanks. Saw that too. Wonder why this information was not in the forum.
tvvpmi Posted July 3, 2020
For extra protection ... you can disable php execution on www/images
Michael L Posted July 3, 2020
6 minutes ago, tvvpmi said: For extra protection ... you can disable php execution on www/images
Thanks, good info!
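The thread recommends two defensive measures: check www/images for PHP files and disable PHP execution there, and (from jacopotediosi's post) watch for POST requests to www/delivery/fc.php. The script below is an added example, not code from the thread or from the Revive Adserver project. It assumes an Apache 2.4 host where .htaccess overrides are permitted, and all paths, file names and the sample access log lines are constructed for the demo; on Apache 2.2 the FilesMatch block needs "Deny from all" instead, and an nginx front end needs an equivalent location rule.

```shell
#!/bin/sh
# Added example, not code from the thread or from Revive Adserver.
# Defender-side checks for what the posts describe: PHP scripts dropped
# under www/images, and POST requests to www/delivery/fc.php.
# All paths and the sample access log below are constructed for the demo.

# Print any PHP-like files under an images directory (there should be none).
# Returns 1 when something is found so callers can branch on it.
find_php_in_images() {
    dir="$1"
    matches=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php[0-9]' -o -iname '*.phar' \) 2>/dev/null | sort)
    if [ -z "$matches" ]; then
        return 0
    fi
    printf '%s\n' "$matches"
    return 1
}

# Write an .htaccess that makes Apache 2.4 refuse to serve PHP-like files
# from the directory. Refusing delivery covers both mod_php and php-fpm
# setups, unlike "php_flag engine off", which only affects mod_php.
write_images_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny delivery of PHP scripts from the images directory
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Count POST requests to fc.php in an Apache-style access log, so they can be
# compared against the site's usual traffic to that delivery script.
count_fc_posts() {
    grep -c -F 'POST /www/delivery/fc.php' "$1" || true
}

# Demo on a constructed directory tree and log (safe to run anywhere).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/www/images/sub"
: > "$demo_root/www/images/banner.gif"
: > "$demo_root/www/images/sub/dropped.php"   # constructed stand-in for a planted script
if find_php_in_images "$demo_root/www/images"; then
    echo "no PHP files under www/images"
else
    echo "PHP files found under www/images (listed above)"
fi
write_images_htaccess "$demo_root/www/images"
cat "$demo_root/www/images/.htaccess"
printf '%s\n' \
  '203.0.113.5 - - [19/Feb/2019:10:00:00 +0000] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText HTTP/1.1" 200 512' \
  '203.0.113.5 - - [19/Feb/2019:10:00:01 +0000] "GET /www/delivery/ajs.php?zoneid=1 HTTP/1.1" 200 2048' \
  > "$demo_root/access.log"
echo "POST requests to fc.php in log: $(count_fc_posts "$demo_root/access.log")"
rm -rf "$demo_root"
```

Point find_php_in_images at the real www/images directory and count_fc_posts at the live access log; a non-zero finding from the first, or a POST count that does not match what your ad tags normally generate, is the cue to follow Andrew's password-rotation checklist above and to compare the install against a clean copy of the same Revive version.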