Hi,<br><br>This is to share an (unpleasant) experience I had yesterday on a hacked site of a client (hacked despite fully patched modules and D6.15).<br><br>It was apparent hackers used a cloaking method, i.e. the site appeared just fine to users but search engines saw a page full of drug advertisements.<br>
<br>I found no trace of changes via user activity (revisions, user last access, etc.) and there was nothing suspicious in the source code of the cloaked pages.<br><br>Eventually I found that the file bootstrap.inc had been altered (without changing the time stamp!) -- a whole chunk of obfuscated PHP code was added at the top of the usual Drupal code.<br>
<br>I responded by reloading Drupal and locking up the site even more than up to now.<br><br>This is to warn others about this hacking method, which may not be immediately apparent to webmasters.<br><br>If anybody is interested in studying the obfuscated PHP code I found there, please contact me off the list.<br>
<br>I also wonder whether Drupal could be adjusted so as to automatically set file bootstrap.inc, and perhaps other critical ones, as read-only. So far it is done only with settings.php file.<br><br>Cheers,<br><br>vacilando<br>
<br clear="all">--<br>Tomáš J. Fülöpp<br><a href="http://vacilando.net">http://vacilando.net</a><br><br>