Hijack / Hack Via cache folder ?

[ZenAlien]

Hi everyone,  (TL;DR at the end)

been a long time user of openx+revive (since around 2008).
Just to say, that we know the product ?

Since a few month, we noticed that we had some adverts being hijacked with suspects links, etc... BUT ONLY FOR MOBILES PHONES

Being a long time user, we checked everything (append and prepend on zones + banners), nothing there because we locked these tables since a long time.
All password were changes and so on, php execition is allready forbiden in the image foder since a long time.

Because we did not find the cause, we did a deep investigations, we also had a look at this thread :

Nothing there was useful to us, and  all our files in the delivery folder are clean.

So we did continue our investigation.

And there, we noticed that in the cache folder, sometimes were generated some files with all the global config, in clear plain text, with all password, database access and passwords...

See image here : https://www.dropbox.com/s/8bor7737lsx4o3h/rads.jpg?dl=1

 

So we started to panic ?

We wanted to be sure our server had not been backdoored, so we did a fresh install in a localhost environment and we noticed the the same behaviour was happening on a fresh install.

Has anyone noticed this ?



TL;DR :
- we got some advert being hijacked with link only on mobiles phones and we cant find where it is coming from
- while investigating we noticed that in the cache folder, is generated a file with all criticals informations (DB PWD, etc...)

 

 

We did not find a solution to our problem, still investigating since a few months.

[jpm]

The var folder including all subfolders are not accessable from outside.
See .htaccess