[consulting] Strange issue with client's site
Brian Vuyk
brian at brianvuyk.com
Thu Jan 28 21:57:01 UTC 2010

Hi all.

I am having a strange issue with a client's site. I am hoping someone
here has had similar, so we can compare notes / find a solution.

Monday, this long-time client called me up to tell me that when he goes
to certain paths on his site, instead of showing his pages, they would
show pages from 'Canadian Pharmacy'. The pages are exactly as those
shown in this spamwiki article:

http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy

At the time, I wasn't able to reproduce the issue. However, it was
affecting more and more of his visitors - soon he started forwarding
emails from his users indicating similar issues.

Eventually, it happened to me too - at certain paths, the Canadian
Pharmacy pages would come up. The attack seems to be cookie-based,
because once I cleared my browser cookies, the problem went away. The
same fix worked to clear it up on the client's machine. Unfortunately, I
haven't been able to make it happen again so I can see exactly *what*
cookies are set.

Now, I've since updated core and every module on the site to the latest
versions. I've checked all the non-Drupal files on the server, and
examined the database very closely, and can say with relative certainty
that there is no rogue code running on the site. However, the problem is
still occurring for my client's visitors on and off.

Does anyone have any idea how this is being accomplished / what we can
do to try to find a solution for this? Has anyone seen anything like
this before?

Any help or suggestions are very much appreciated.

Brian