[consulting] Strange issue with client's site

Laura pinglaura at gmail.com
Thu Jan 28 22:03:43 UTC 2010


See this Development list thread from yesterday. http://lists.drupal.org/pipermail/development/2010-January/034894.html

Look for malicious code in your filesystem -- bootstrap.inc for example was modified in some reported attacks.

What host is this site on? There might be some correlation there.

On Jan 28, 2010, at Thu 1/28/10 2:57pm, Brian Vuyk wrote:

> Hi all.
> 
> I am having a strange issue with a client's site. I am hoping someone 
> here has had similar, so we can compare notes / find a solution.
> 
> Monday, this long-time client called me up to tell me that when he goes 
> to certain paths on his site, instead of showing his pages, they would 
> show pages from 'Canadian Pharmacy'. The pages are exactly as those 
> shown in this spamwiki article:
> 
> http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy
> 
> At the time, I wasn't able to reproduce the issue. However, it was 
> affecting more and more of his visitors - soon he started forwarding 
> emails from his users indicating similar issues.
> 
> Eventually, it happened to me too - at certain paths, the Canadian 
> Pharmacy pages would come up. The attack seems to be cookie-based, 
> because once I cleared my browser cookies, the problem went away. The 
> same fix worked to clear it up on the client's machine. Unfortunately, I 
> haven't been able to make it happen again so I can see exactly *what* 
> cookies are set.
> 
> Now, I've since updated core and every module on the site to the latest 
> versions. I've checked all the non-Drupal files on the server, and 
> examined the database very closely, and can say with relative certainty 
> that there is no rogue code running on the site. However, the problem is 
> still occurring for my client's visitors on and off.
> 
> Does anyone have any idea how this is being accomplished / what we can 
> do to try to find a solution for this? Has anyone seen anything like 
> this before?
> 
> Any help or suggestions are very much appreciated.
> 
> Brian
> _______________________________________________
> consulting mailing list
> consulting at drupal.org
> http://lists.drupal.org/mailman/listinfo/consulting
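
The filesystem check suggested in the reply above (looking for modified files such as bootstrap.inc) can be done by hashing the deployed tree against a clean unpack of the same Drupal release. This is an added example, not part of the original thread; the function names, the two directory arguments and the `sites/` exclusion are assumptions.

```python
import hashlib
import os
import sys


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                # Record the link target instead of following it.
                digests[rel] = "symlink->" + os.readlink(full)
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_to_pristine(deployed_root, pristine_root, ignore_prefixes=("sites/",)):
    """Compare a deployed tree with a clean unpack of the same release.

    Returns three sorted lists of relative paths:
      modified - in both trees, content differs (e.g. an edited bootstrap.inc)
      added    - only in the deployed tree, outside ignore_prefixes
      missing  - only in the pristine tree
    ignore_prefixes is an assumption: site-specific directories that are
    expected to differ from the release and need a separate manual review.
    """
    deployed = hash_tree(deployed_root)
    pristine = hash_tree(pristine_root)
    common = deployed.keys() & pristine.keys()
    modified = sorted(p for p in common if deployed[p] != pristine[p])
    added = sorted(p for p in deployed.keys() - pristine.keys()
                   if not p.startswith(tuple(ignore_prefixes)))
    missing = sorted(pristine.keys() - deployed.keys())
    return modified, added, missing


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare.py DEPLOYED_DIR PRISTINE_DIR")
    results = compare_to_pristine(sys.argv[1], sys.argv[2])
    for label, paths in zip(("MODIFIED", "ADDED", "MISSING"), results):
        for p in paths:
            print(f"{label}\t{p}")
```

Run it from a machine other than the affected server where possible, against a copy of the site's files, so the comparison does not depend on tools on the host being checked.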


