
Mobile ads have been hijacked


Snaggy


Hi @TYWebmaster,

Thanks for this information - can you please confirm if in addition to changing the database user password and Revive Adserver admin login password:

  • Did you change all other DB user account passwords that may exist? Are there any DB user accounts present that you don't recognise?
  • Did you change all other Revive Adserver login passwords that may exist? Are there any logins that you don't recognise?
  • Did you change all other O/S level account passwords that may exist? Are there any O/S level accounts present that you don't recognise?

Thanks,

Andrew

10 hours ago, jacopotediosi said:

Someone makes POST requests to /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank and is able to add code to plugins/bannerTypeText/oxText/genericText.delivery.php and to upload backdoor PHP scripts inside /www/images/.
I temporarily solved it by disabling the PHP engine inside the image folder and adding two lines of code inside fc.php to log POST requests.

@jacopotediosi

Please do create a HackerOne report once you have managed to capture the post details!

Thanks,

Andrew


5 minutes ago, andrewatfornax said:

Hi @TYWebmaster,

Thanks for this information - can you please confirm if in addition to changing the database user password and Revive Adserver admin login password:

  • Did you change all other DB user account passwords that may exist? Are there any DB user accounts present that you don't recognise?
  • Did you change all other Revive Adserver login passwords that may exist? Are there any logins that you don't recognise?
  • Did you change all other O/S level account passwords that may exist? Are there any O/S level accounts present that you don't recognise?

Thanks,

Andrew

There is only one DB user account to log into, and there is only one Revive login account; all others are deleted. I am using Plesk to manage multiple sites, so are you referring to another possible PW to log into phpMyAdmin?


1 minute ago, TYWebmaster said:

There is only one DB user account to log into, and there is only one Revive login account; all others are deleted. I am using Plesk to manage multiple sites, so are you referring to another possible PW to log into phpMyAdmin?

Either that or at the O/S level - but if you are on a hosting service that only offers Plesk access, you may not be able to tell. It would be worth asking your hosting provider to check for unexpected accounts or activity at the O/S level, though, just to be sure.


1 minute ago, andrewatfornax said:

Either that or at the O/S level - but if you are on a hosting service that only offers Plesk access, you may not be able to tell. It would be worth asking your hosting provider to check for unexpected accounts or activity at the O/S level, though, just to be sure.

I will do that, is there anything else you can suggest? Any other ways to possibly block them from injecting the code in the prepend?


1 year later...
On 1/4/2019 at 9:24 PM, sunech said:

Hello, I've been running adserver for 2 years now. Now all my sites have been hijacked, and every time they are visited with an iPhone spam banners appear, but only once. I upgraded to the latest version of adserver and everything worked great for a while. But this week it came back again.
I tried looking in genericText.delivery.php but nothing is there. Please help!!!


Beware that they did not also leave a backdoor on your site... I just published a new topic on that subject. Once a hacker has access to your site like they could have with the security hole in 4.x, their possibilities are endless. Check your www/images directory for PHP files.

T.
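The two checks the thread keeps coming back to (PHP files dropped into www/images, and POST traffic to fc.php), as an added shell example that is not code from this thread or from the Revive Adserver project. It assumes a stock Revive 4.x layout with the paths quoted above and a combined-format web server access log; the sample files and log lines in the test are constructed.

```shell
#!/bin/sh
# Added example (editor's own, not from the thread or from Revive Adserver).
# Assumes a stock Revive 4.x layout: <root>/www/images for uploads and
# <root>/plugins/bannerTypeText/oxText/genericText.delivery.php for the plugin.

# List files under an images directory that a PHP handler could execute, or that
# carry a PHP open tag under any name (a "banner.gif" with "<?php" inside).
# Output: one path per line, de-duplicated.
find_php_in_images() {
    dir="$1"
    {
        find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.php[0-9]' -o -iname '*.phar' \) -print
        # -a makes grep treat binaries as text; -l prints only matching file names.
        # grep exits 1 when nothing matches, which is not an error here.
        find "$dir" -type f -exec grep -l -a -E '<\?php|<\?=' {} + || true
    } | sort -u
}

# Print the SHA-256 of the text-banner delivery plugin the thread says was modified,
# so it can be compared with the same file from a clean download of the same release.
# Listing details go to stderr so the checksum line stays easy to parse.
plugin_checksum() {
    f="$1/plugins/bannerTypeText/oxText/genericText.delivery.php"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    ls -l "$f" >&2
    sha256sum "$f" 2>/dev/null || shasum -a 256 "$f"
}

# Count POST requests to fc.php per client IP from an access log read on stdin.
# The thread's attacker used POSTs to this script, so this is a quick first look;
# output is "count ip", highest count first.
count_fc_posts() {
    grep -E '"POST /www/delivery/fc\.php' | awk '{print $1}' | sort | uniq -c | sort -rn
}
```

Run the first two against the installation root and pipe the web server's access log into the third; anything listed by `find_php_in_images` deserves a look before the banners are trusted again.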
