<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Khalid,<br>
<br>
I completely replaced all the Drupal files on the server, so it's
running a pristine, clean copy of D5.21.<br>
<br>
w.php is nowhere on the server. I can account for every file there -
it's strictly drupal and some modules (cck, views, tinymce), and they
have all been updated as of wednesday afternoon.<br>
<br>
Brian<br>
<br>
Khalid Baheyeldin wrote:
<blockquote
cite="mid:4a9fdc631001281407o416c8e0eid1fec0db353371df@mail.gmail.com"
type="cite">Hmm ... <br>
<br>
Pharma spam. That rings a bell.<br>
<br>
Looks like the issue reported by Tomas Fulopp and Laura Scott yesterday<br>
on the development mailing list.<br>
<br>
So far, it seems the attack vector is something outside of Drupal, but
causes<br>
Drupal to get infected by modifying some of its files.<br>
<br>
Can you check the client's bootstrap.inc against a pristine version of
the same<br>
version of Drupal? <br>
<br>
Also check for a w.php file somewhere in your Drupal directory.<br>
<br>
If there are differences, please email me and Cc the security team at <a
moz-do-not-send="true" href="mailto:security@drupal.org">security@drupal.org</a><br>
<br>
<div class="gmail_quote">On Thu, Jan 28, 2010 at 4:57 PM, Brian Vuyk <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:brian@brianvuyk.com">brian@brianvuyk.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi
all.<br>
<br>
I am having a strange issue with a client's site. I am hoping someone<br>
here has had similar, so we can compare notes / find a solution.<br>
<br>
Monday, this long-time client called me up to tell me that when he goes<br>
to certain paths on his site, instead of showing his pages, they would<br>
show pages from 'Canadian Pharmacy'. The pages are exactly as those<br>
shown in this spamwiki article:<br>
<br>
<a moz-do-not-send="true"
href="http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy"
target="_blank">http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy</a><br>
<br>
At the time, I wasn't able to reproduce the issue. However, it was<br>
affecting more and more of his visitors - soon he started forwarding<br>
emails from his users indicating similar issues.<br>
<br>
Eventually, it happened to me too - at certain paths, the Canadian<br>
Pharmacy pages would come up. The attack seems to be cookie-based,<br>
because once I cleared my browser cookies, the problem went away. The<br>
same fix worked to clear it up on the client's machine. Unfortunately, I<br>
haven't been able to make it happen again so I can see exactly *what*<br>
cookies are set.<br>
<br>
Now, I've since updated core and every module on the site to the latest<br>
versions. I've checked all the non-Drupal files on the server, and<br>
examined the database very closely, and can say with relative certainty<br>
that there is no rogue code running on the site. However, the problem is<br>
still occurring for my client's visitors on and off.<br>
<br>
Does anyone have any idea how this is being accomplished / what we can<br>
do to try to find a solution for this? Has anyone seen anything like<br>
this before?<br>
<br>
Any help or suggestions is very much appreciated.<br>
<br>
Brian<br>
_______________________________________________<br>
consulting mailing list<br>
<a moz-do-not-send="true" href="mailto:consulting@drupal.org">consulting@drupal.org</a><br>
<a moz-do-not-send="true"
href="http://lists.drupal.org/mailman/listinfo/consulting"
target="_blank">http://lists.drupal.org/mailman/listinfo/consulting</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Khalid M. Baheyeldin<br>
<a moz-do-not-send="true" href="http://2bits.com">2bits.com</a>, Inc.<br>
<a moz-do-not-send="true" href="http://2bits.com">http://2bits.com</a><br>
Drupal optimization, development, customization and consulting.<br>
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>
Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
consulting mailing list
<a class="moz-txt-link-abbreviated" href="mailto:consulting@drupal.org">consulting@drupal.org</a>
<a class="moz-txt-link-freetext" href="http://lists.drupal.org/mailman/listinfo/consulting">http://lists.drupal.org/mailman/listinfo/consulting</a>
</pre>
</blockquote>
<br>
</body>
</html>