[consulting] Strange issue with client's site
Laura
pinglaura at gmail.com
Thu Jan 28 22:13:49 UTC 2010
Report to Mosso support. They may have a vulnerability somewhere.
Laura
On Jan 28, 2010, at Thu 1/28/10 3:08pm, Brian Vuyk wrote:
> After seeing that, I definitely checked the bootstrap.inc, but it's clean.
>
> The host is (surprise, surprise) Rackspace / Mosso.
>
> Brian
>
> Laura wrote:
>> See this Development list thread from yesterday. http://lists.drupal.org/pipermail/development/2010-January/034894.html
>>
>>
>> Look for malicious code in your filesystem -- bootstrap.inc for example was modified in some reported attacks.
>>
>> What host is this site on? There might be some correlation there.
>>
>> On Jan 28, 2010, at Thu 1/28/10 2:57pm, Brian Vuyk wrote:
>>
>>
>>
>>> Hi all.
>>>
>>> I am having a strange issue with a client's site. I am hoping someone
>>> here has had similar, so we can compare notes / find a solution.
>>>
>>> Monday, this long-time client called me up to tell me that when he goes
>>> to certain paths on his site, instead of showing his pages, they would
>>> show pages from 'Canadian Pharmacy'. The pages are exactly as those
>>> shown in this spamwiki article:
>>>
>>>
>>> http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy
>>>
>>>
>>> At the time, I wasn't able to reproduce the issue. However, it was
>>> affecting more and more of his visitors - soon he started forwarding
>>> emails from his users indicating similar issues.
>>>
>>> Eventually, it happened to me too - at certain paths, the Canadian
>>> Pharmacy pages would come up. The attack seems to be cookie-based,
>>> because once I cleared my browser cookies, the problem went away. The
>>> same fix worked to clear it up on the client's machine. Unfortunately, I
>>> haven't been able to make it happen again so I can see exactly *what*
>>> cookies are set.
>>>
>>> Now, I've since updated core and every module on the site to the latest
>>> versions. I've checked all the non-Drupal files on the server, and
>>> examined the database very closely, and can say with relative certainty
>>> that there is no rogue code running on the site. However, the problem is
>>> still occurring for my client's visitors on and off.
>>>
>>> Does anyone have any idea how this is being accomplished / what we can
>>> do to try to find a solution for this? Has anyone seen anything like
>>> this before?
>>>
>>> Any help or suggestions are very much appreciated.
>>>
>>> Brian
>>> _______________________________________________
>>> consulting mailing list
>>>
>>> consulting at drupal.org
>>> http://lists.drupal.org/mailman/listinfo/consulting
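
Added example, not part of the original messages: one way to do the filesystem check suggested in the thread is to hash every file in the deployed site and compare it against an unpacked, untouched copy of the same Drupal release, so a changed core file such as includes/bootstrap.inc or an unexpected extra file stands out. The function names, the command-line arguments and the choice to skip the "sites" directory are assumptions made for this sketch.

```python
import hashlib
import sys
from pathlib import Path

# Assumption: "sites" holds site-specific files that legitimately differ
# from the release tarball, so it is reviewed separately.
SKIP_DIRS = {"sites"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    hashes = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and rel.parts[0] not in SKIP_DIRS:
            hashes[rel.as_posix()] = sha256_of(path)
    return hashes


def compare_trees(pristine: Path, deployed: Path) -> dict:
    """Report files modified, added or missing relative to the pristine tree."""
    good, live = tree_hashes(pristine), tree_hashes(deployed)
    return {
        "modified": sorted(p for p in good if p in live and good[p] != live[p]),
        "added": sorted(p for p in live if p not in good),
        "missing": sorted(p for p in good if p not in live),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare.py PRISTINE_DIR DEPLOYED_DIR")
    report = compare_trees(Path(sys.argv[1]), Path(sys.argv[2]))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}\t{p}")
    # Non-zero exit when anything was changed or added, for use in cron jobs.
    sys.exit(1 if report["modified"] or report["added"] else 0)
```

Contributed modules and themes installed outside "sites" will show up as "added" and need to be compared against their own release archives.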