Hmm ... <br><br>Pharma spam. That rings a bell.<br><br>Looks like the issue reported by Tomas Fulopp and Laura Scott yesterday<br>on the development mailing list.<br><br>So far, it seems the attack vector is something outside of Drupal, but causes<br>
Drupal to get infected by modifying some of its files.<br><br>Can you check the client's bootstrap.inc against a pristine version of the same<br>version of Drupal? <br><br>Also check for a w.php file somewhere in your Drupal directory.<br>
<br>If there are differences, please email me and Cc the security team at <a href="mailto:security@drupal.org">security@drupal.org</a><br><br><div class="gmail_quote">On Thu, Jan 28, 2010 at 4:57 PM, Brian Vuyk <span dir="ltr"><<a href="mailto:brian@brianvuyk.com">brian@brianvuyk.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi all.<br>
<br>
I am having a strange issue with a client's site. I am hoping someone<br>
here has had similar, so we can compare notes / find a solution.<br>
<br>
Monday, this long-time client called me up to tell me that when he goes<br>
to certain paths on his site, instead of showing his pages, they would<br>
show pages from 'Canadian Pharmacy'. The pages are exactly as those<br>
shown in this spamwiki article:<br>
<br>
<a href="http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy" target="_blank">http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy</a><br>
<br>
At the time, I wasn't able to reproduce the issue. However, it was<br>
affecting more and more of his visitors - soon he started forwarding<br>
emails from his users indicating similar issues.<br>
<br>
Eventually, it happened to me too - at certain paths, the Canadian<br>
Pharmacy pages would come up. The attack seems to be cookie-based,<br>
because once I cleared my browser cookies, the problem went away. The<br>
same fix worked to clear it up on the client's machine. Unfortunately, I<br>
haven't been able to make it happen again so I can see exactly *what*<br>
cookies are set.<br>
<br>
Now, I've since updated core and every module on the site to the latest<br>
versions. I've checked all the non-Drupal files on the server, and<br>
examined the database very closely, and can say with relative certainty<br>
that there is no rogue code running on the site. However, the problem is<br>
still occurring for my client's visitors on and off.<br>
<br>
Does anyone have any idea how this is being accomplished / what we can<br>
do to try to find a solution for this? Has anyone seen anything like<br>
this before?<br>
<br>
Any help or suggestions is very much appreciated.<br>
<br>
Brian<br>
_______________________________________________<br>
consulting mailing list<br>
<a href="mailto:consulting@drupal.org">consulting@drupal.org</a><br>
<a href="http://lists.drupal.org/mailman/listinfo/consulting" target="_blank">http://lists.drupal.org/mailman/listinfo/consulting</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Khalid M. Baheyeldin<br><a href="http://2bits.com">2bits.com</a>, Inc.<br><a href="http://2bits.com">http://2bits.com</a><br>Drupal optimization, development, customization and consulting.<br>
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>