[development] Fully patched site hacked and cloaked
gerhard at killesreiter.de
Thu Jan 28 00:39:57 UTC 2010
> On Jan 27, 2010, at Wed 1/27/10 4:45am, Gerhard Killesreiter wrote:
>> Were you able to determine the attack vector that was used to be able
>> to modify bootstrap.inc?
> I just saw this performed on a D5 site. Bootstrap.inc was indeed
> altered, an additional system.php file was inserted in the modules
> folder, and the pernicious (drug) website files were inserted into
> the cgi folder *above* the webroot. The code was sniffing
You mean the code was sniffing the passwords that the users entered
into the Drupal site?
> Several files contained nothing but hashes.
Password hashes? Or were these obfuscated scripts? Feel free to send
them to me in private.