Mobile ads have been hijacked

Hi @TYWebmaster,

Thanks for this information - can you please confirm if in addition to changing the database user password and Revive Adserver admin login password:

  • Did you change all other DB user account passwords that may exist? Are there any DB user accounts present that you don't recognise?
  • Did you change all other Revive Adserver login passwords that may exist? Are there any logins that you don't recognise?
  • Did you change all other O/S level account passwords that may exist? Are there any O/S level accounts present that you don't recognise?

Thanks,

Andrew

10 hours ago, jacopotediosi said:

Someone makes POST requests to /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank and is able to add code to plugins/bannerTypeText/oxText/genericText.delivery.php and to upload backdoor PHP scripts inside /www/images/
I temporarily solved it by disabling the PHP engine inside the image folder and adding two lines of code inside fc.php to log POST requests.

@jacopotediosi

Please do create a HackerOne report once you have managed to capture the post details!

Thanks,

Andrew
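The two stop-gaps quoted above (no script execution in the images directory, and watching fc.php for POST traffic), written out as an added shell example. This is not code from the thread or from Revive Adserver: the REVIVE_ROOT path, the Apache 2.4 .htaccess form (which needs AllowOverride for that directory) and the access-log lines are assumptions, and the log lines are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the thread or from Revive Adserver.
# Assumptions: Apache 2.4 with AllowOverride enabled for the images
# directory; the Revive install lives under REVIVE_ROOT.
REVIVE_ROOT="${REVIVE_ROOT:-/var/www/revive}"

# 1. Stop the web server from serving or executing scripts dropped into
#    the images directory. Denying the files outright is safer than only
#    switching the PHP engine off, and it works with mod_php and php-fpm.
write_images_htaccess() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Images only: never serve or execute scripts from this directory
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# 2. Find uploaded backdoors: any file with a script extension, or any
#    file whose content contains a PHP open tag whatever its name
#    (a webshell is often appended to a valid GIF header).
find_php_in_images() {
    dir="$1"
    {
        find "$dir" -type f \( -name '*.php' -o -name '*.phtml' \
            -o -name '*.phar' -o -name '*.php[0-9]' \)
        grep -rl -- '<?php' "$dir" 2>/dev/null || true
    } | sort -u
}

count_php_in_images() {
    find_php_in_images "$1" | wc -l | tr -d ' '
}

# 3. PHP files changed in the last N days anywhere under a directory,
#    e.g. the plugins tree where genericText.delivery.php was modified.
recently_changed_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# 4. POSTs to fc.php in a combined-format access log. The invocation tag
#    fetches fc.php with GET, so POSTs are worth alerting on, even though
#    the access log cannot show the request body.
count_fc_posts() {
    grep -c -- '"POST /www/delivery/fc.php' "$1" || true
}

# Constructed sample log lines (not real traffic) for trying the check.
SAMPLE_LOG='203.0.113.5 - - [01/Jan/2020:10:15:01 +0000] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2020:10:15:02 +0000] "GET /www/delivery/fc.php?script=bannerTypeText:oxText:genericText HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2020:10:15:03 +0000] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Usage on a live install:
#   write_images_htaccess "$REVIVE_ROOT/www/images"
#   find_php_in_images   "$REVIVE_ROOT/www/images"
#   recently_changed_php "$REVIVE_ROOT/plugins" 7
#   count_fc_posts       /var/log/apache2/access.log
```

Two caveats: on nginx, or where Plesk owns the vhost configuration, the deny rule has to go into the server block instead of .htaccess; and because the access log only records the request line, capturing the injected payload still needs the in-script logging described in the quote (or a web application firewall in front of fc.php).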

5 minutes ago, andrewatfornax said:

Hi @TYWebmaster,

Thanks for this information - can you please confirm if in addition to changing the database user password and Revive Adserver admin login password:

  • Did you change all other DB user account passwords that may exist? Are there any DB user accounts present that you don't recognise?
  • Did you change all other Revive Adserver login passwords that may exist? Are there any logins that you don't recognise?
  • Did you change all other O/S level account passwords that may exist? Are there any O/S level accounts present that you don't recognise?

Thanks,

Andrew

There is only one DB user account to log into, there is only one Revive login account, all others are deleted. I am using Plesk to manage multiple sites so are you referring to another possible PW to log into phpMyAdmin?

1 minute ago, TYWebmaster said:

There is only one DB user account to log into, there is only one Revive login account, all others are deleted. I am using Plesk to manage multiple sites so are you referring to another possible PW to log into phpMyAdmin?

Either that or at the O/S level - but if you are on a hosting service that only offers Plesk access, you may not be able to tell. It would be worth asking your hosting provider to check for unexpected accounts or activity at the O/S level, though, just to be sure.
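The O/S-level account review recommended above, as an added shell example (not code from the thread). It audits a passwd-format file for accounts that can log in, for extra UID 0 accounts, and for login-capable accounts missing from an allowlist you maintain; the sample passwd content and the svc_backup account in it are constructed for the demonstration, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a passwd-format file for
# accounts that should not be there. Paths and sample data are assumed.

# Accounts that can actually log in: anything whose shell is not a
# nologin/false stub. Service accounts should never appear here.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts with UID 0 besides root: a common way to keep root access
# after the original password has been changed.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Login-capable accounts missing from an allowlist (one name per line).
unexpected_accounts() {
    login_accounts "$1" | grep -vxF -f "$2" || true
}

# Constructed sample passwd content (not from any real host). The last
# line is the kind of entry the audit should surface.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:110:115:MySQL Server:/nonexistent:/bin/false
psaadm:x:1000:1000:Plesk admin:/opt/psa:/bin/bash
svc_backup:x:0:0::/tmp:/bin/sh'

# Usage on a live host (the allowlist is a file you write, one name per line):
#   extra_uid0_accounts /etc/passwd
#   unexpected_accounts /etc/passwd /root/known-accounts.txt
```

The same compare-against-a-list idea applies to the database user list and to the Revive Adserver admin user list: write down the accounts you created, list what actually exists, and treat anything left over as hostile until explained. On a Plesk-only hosting plan the passwd check is something to hand to the provider, since the customer usually cannot read /etc/passwd.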

1 minute ago, andrewatfornax said:

Either that or at the O/S level - but if you are on a hosting service that only offers Plesk access, you may not be able to tell. It would be worth asking your hosting provider to check for unexpected accounts or activity at the O/S level, though, just to be sure.

I will do that, is there anything else you can suggest? Any other ways to possibly block them from injecting the code in the prepend?
