[development] Fully patched site hacked and cloaked
Gerhard Killesreiter
gerhard at killesreiter.de
Thu Jan 28 00:39:57 UTC 2010
Laura wrote:
> On Jan 27, 2010, at Wed 1/27/10 4:45am, Gerhard Killesreiter wrote:
>
>> Were you able to determine the attack vector that was used to be able
>> to modify bootstrap.inc?
>
> I just saw this performed on a D5 site. Bootstrap.inc was indeed
> altered, an additional system.php file was inserted in the modules
> folder, and the pernicious (drug) website files were inserted into
> the cgi folder *above* the webroot. The code was sniffing
> passwords.

You mean the code was sniffing the passwords that the users entered
into the Drupal site?

> Several files contained nothing but hashes.

Password hashes? Or were these obfuscated scripts? Feel free to send
them to me in private.

Cheers,
Gerhard