Zhivko Posted November 10, 2022
Hello everyone,
The company I work for uses Revive Adserver for placing ad banners on its multiple WordPress websites. We detected malware that comes in the form of a redirect after we visit the login screen for the Revive administration (not yet logged in, just the login screen). https://imgur.com/a/f0PVqUM (here is the screenshot of where it happens)
I investigated where this could possibly trigger and I found out that it happens in the OA_Start($checkRedirectFunc = null) function after this line: phpAds_SessionDataRegister(OA_Auth::login($checkRedirectFunc));
The $checkRedirectFunc is null at that moment. Could you help me please? The link is https://rev.balkanmediagroup.com/www/admin/index.php
Regards, Zhivko
Ian Posted November 10, 2022
Hi! It doesn't redirect for me?
best, Ian
Zhivko Posted November 10, 2022 Author
I found the malicious code. It was in assets/js/jquery-1.2.3.js and assets/js/jquery-1.2.6-mod.js in the form of: eval(String.fromCharCode(<BUNCH INTEGERS SEPARATED BY COMMA HERE>)) which translates to malicious code that sets the location source to "news.weatherplllatform.com", which injects two JavaScript scripts into the page: counter.js and stat.js, which are setting some cookies and so on.
I removed the code from the jquery-1.2.6-mod.js that is used, but if you want I can revert it because I saved a backup .bak file of it. For investigation purposes on our end, I left the jquery-1.2.3.js as it is (with the malicious code in it).
Please let me know if I should provide anything else or if I should revert the malicious code so you can check whether it came from your side somehow, and if not, confirm that to us so we can rule that out and continue with our investigation.
Regards, Zhivko

Zhivko Posted November 10, 2022 Author
Since I removed the malicious code from the jquery-1.2.6-mod.js, you are no longer able to experience the redirect, just to clarify.
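The injected code described in the post hides its payload as an integer list inside eval(String.fromCharCode(...)). As an added triage helper (not code from the thread or from Revive Adserver), the following scanner locates that pattern in a JavaScript file and decodes the integer list so a responder can see what the eval would have run without executing it. The sample input and the keyword hints are constructed assumptions.

```python
import re

# Matches eval(String.fromCharCode(<comma-separated integers>)), the obfuscation
# shape reported in the thread; tolerant of whitespace around the tokens.
FROMCHARCODE_RE = re.compile(
    r"eval\s*\(\s*String\.fromCharCode\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)\s*\)"
)

# Constructed triage hints: words that commonly appear in injected loaders.
SUSPICIOUS_KEYWORDS = ("location", "createElement", ".js")

def decode_charcodes(arg: str) -> str:
    """Turn the integer list into the string eval() would have executed."""
    return "".join(chr(int(n)) for n in arg.split(","))

def find_obfuscated_evals(js_source: str) -> list[dict]:
    """Return every eval(String.fromCharCode(...)) hit with its decoded payload."""
    hits = []
    for m in FROMCHARCODE_RE.finditer(js_source):
        decoded = decode_charcodes(m.group(1))
        hits.append({
            "line": js_source.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "suspicious": any(k in decoded for k in SUSPICIOUS_KEYWORDS),
        })
    return hits

def scan_file(path: str) -> list[dict]:
    """Scan one JavaScript file on disk (e.g. a jQuery copy under assets/js)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_obfuscated_evals(f.read())

# Constructed sample: one ordinary jQuery-style line followed by an injected
# obfuscated eval whose decoded payload is a harmless placeholder string.
SAMPLE_PAYLOAD = "var injected='example.invalid/stat.js';"
SAMPLE_JS = (
    "(function($){$.fn.noop=function(){return this;};})(jQuery);\n"
    "eval(String.fromCharCode("
    + ",".join(str(ord(c)) for c in SAMPLE_PAYLOAD) + "))\n"
)

if __name__ == "__main__":
    for hit in find_obfuscated_evals(SAMPLE_JS):
        print(f"line {hit['line']}: suspicious={hit['suspicious']} "
              f"decoded={hit['decoded']!r}")
```

Run it against each copy of jQuery under assets/js and compare the decoded output with a pristine copy of the same jQuery version from upstream; a legitimate jQuery release contains no such eval.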
Ian Posted November 10, 2022
Thanks for sharing, I've never seen that kind of infection before. I don't think we would be able to reproduce how it initially got there, but let's hope your experience will help someone in future. Which version did you run whilst you got infected?
Zhivko Posted November 11, 2022 Author
We ran 5.4.1, if I recall correctly.
Ian Posted November 11, 2022
Does your server run only Revive Adserver, or are there also other applications running on that server, such as WordPress?
Zhivko Posted November 11, 2022 Author
There are other applications running on it indeed, WordPress sites. They also got infected.