[consulting] Strange issue with client's site

Khalid Baheyeldin kb at 2bits.com
Thu Jan 28 22:07:47 UTC 2010


Hmm ...

Pharma spam. That rings a bell.

Looks like the issue reported by Tomas Fulopp and Laura Scott yesterday
on the development mailing list.

So far, it seems the attack vector is something outside of Drupal, but
causes Drupal to get infected by modifying some of its files.

Can you check the client's bootstrap.inc against a pristine version of the
same version of Drupal?

Also check for a w.php file somewhere in your Drupal directory.

If there are differences, please email me and Cc the security team at
security at drupal.org

On Thu, Jan 28, 2010 at 4:57 PM, Brian Vuyk <brian at brianvuyk.com> wrote:

> Hi all.
>
> I am having a strange issue with a client's site. I am hoping someone
> here has had similar, so we can compare notes / find a solution.
>
> Monday, this long-time client called me up to tell me that when he goes
> to certain paths on his site, instead of showing his pages, they would
> show pages from 'Canadian Pharmacy'. The pages are exactly as those
> shown in this spamwiki article:
>
> http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy
>
> At the time, I wasn't able to reproduce the issue. However, it was
> affecting more and more of his visitors - soon he started forwarding
> emails from his users indicating similar issues.
>
> Eventually, it happened to me too - at certain paths, the Canadian
> Pharmacy pages would come up. The attack seems to be cookie-based,
> because once I cleared my browser cookies, the problem went away. The
> same fix worked to clear it up on the client's machine. Unfortunately, I
> haven't been able to make it happen again so I can see exactly *what*
> cookies are set.
>
> Now, I've since updated core and every module on the site to the latest
> versions. I've checked all the non-Drupal files on the server, and
> examined the database very closely, and can say with relative certainty
> that there is no rogue code running on the site. However, the problem is
> still occurring for my client's visitors on and off.
>
> Does anyone have any idea how this is being accomplished / what we can
> do to try to find a solution for this? Has anyone seen anything like
> this before?
>
> Any help or suggestions are very much appreciated.
>
> Brian



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
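
Added example (not part of the original message, and not Drupal's own tooling): one way to carry out the check suggested above, comparing every file in the site directory against a pristine copy of the same Drupal release by SHA-256, so that a changed bootstrap.inc shows up as modified and a stray w.php as added. The function names, the two directory arguments and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import sys
import tempfile

def file_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_trees(pristine_root, site_root):
    """Report files that differ from, are absent from, or are extra to the pristine tree."""
    clean, live = file_hashes(pristine_root), file_hashes(site_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "missing": sorted(p for p in clean if p not in live),
        "added": sorted(p for p in live if p not in clean),
    }

def demo():
    """Build two small constructed trees and compare them."""
    files = {"index.php": b"<?php // constructed\n",
             "includes/bootstrap.inc": b"<?php // constructed\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for side in ("pristine", "site"):
            for rel, body in files.items():
                path = os.path.join(tmp, side, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(body)
        site = os.path.join(tmp, "site")
        # Constructed stand-ins for a tampered core file and a dropped file.
        with open(os.path.join(site, "includes", "bootstrap.inc"), "ab") as fh:
            fh.write(b"// extra line not in the release\n")
        with open(os.path.join(site, "includes", "w.php"), "wb") as fh:
            fh.write(b"<?php // placeholder\n")
        return compare_trees(os.path.join(tmp, "pristine"), site)

if __name__ == "__main__":
    # Usage: python compare_trees.py /path/to/pristine-drupal /path/to/site
    report = compare_trees(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}\t{path}")
```

On a real site the "added" list will also contain everything a core tarball never ships (settings, uploads, contributed modules), so it is a list to review by hand rather than a verdict.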