[development] Fully patched site hacked and cloaked

Gerhard Killesreiter gerhard at killesreiter.de
Wed Jan 27 11:45:33 UTC 2010

Hash: SHA1

Tomáš Fülöpp (vacilando.org) schrieb:
> Hi,
> This is to share an (unpleasant) experience I had yesterday on a hacked
> site of a client (hacked despite fully patched modules and D6.15).
> It was apparent hackers used a cloaking method, i.e. the site appeared
> just fine to users but search engines saw a page full of drug
> advertisements.
> I found no trace of changes via user activity (revisions, user last
> access, etc.) and there was nothing suspicious in the source code of the
> cloaked pages.
> Eventually I found that the file bootstrap.inc had been altered (without
> changing the time stamp!) -- a whole chunk of obfuscated PHP code was
> added at the top of the usual Drupal code.

I've seen a similar method used in a hacked Joomla install.

> I responded by reloading Drupal and locking up the site even more than
> up to now.

Were you able to determine the attach vector that was used to be able
to modify bootstrap.inc? Was it Drupal related? Do you run any custom

> This is to warn others about this hacking method, which may not be
> immediately apparent to webmasters.
> If anybody is interested in studying the obfuscated PHP code I found
> there, please contact me off the list.
> I also wonder whether Drupal could be adjusted so as to automatically
> set file bootstrap.inc, and perhaps other critical ones, as read-only.
> So far it is done only with settings.php file.

If the Apache-User can do that, it can also be used to change this
property again, so it makes little sense to do that from within
Drupal. When deploying code I usually consider it mandatory that the
webuser does not have this permission, ie the files belong to a
different user. Unfortunately most/all fcgi setups have one user for

Version: GnuPG v1.4.9 (GNU/Linux)


More information about the development mailing list