[development] Fully patched site hacked and cloaked

Andrew Berry andrewberry at sentex.net
Sun Jan 31 16:23:40 UTC 2010


On 2010-01-27, at 3:57 PM, Ivan Sergio Borgonovo wrote:

> [1] you'd have to store the revision # somewhere outside the working
> copy and diff with the remote repo.
> Still if you're actively developing a site you'd have to find some
> way to compare working copy with a moving code base... and maybe
> glue everything with some rcs hook.

Just use a different branch for your live sites. I ran into exactly this same issue with a client, and sites in VCS were much quicker to deal with.

Most hacks I've encountered recently used base64decode(), so grepping for that was helpful. As well, a .htaccess rule redirecting the advertising pages is a useful stopgap to prevent being delisted. Finally, those running their own machines can set up a firewall to block outgoing connections for the Apache user except to specific hosts (updates.drupal.org, configured RSS feeds, etc.).

Also, be sure to check your PHP tmp directory, as there may be scripts running there, re-infecting your site.

--Andrew
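
The grep and tmp-directory checks described in the message above, as an added example that is not part of the original post. It assumes the PHP function meant is base64_decode(); the function names, file extensions and sample paths are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: triage helpers for a suspected PHP site compromise.
# All function names and paths are hypothetical.

# Print "file:count" for PHP-like files under $1 that call base64_decode().
# Legitimate code uses the function too, so hits are leads to review, not verdicts.
scan_base64() {
    dir=$1
    find "$dir" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.module' \) \
        -exec grep -c -H -E 'base64_?decode[[:space:]]*\(' {} + 2>/dev/null |
        grep -v ':0$' | sort
}

# Print files under the PHP temp directory $1 that contain a PHP open tag.
# Such a tag in a session or upload temp file is worth a manual look.
scan_tmp() {
    dir=$1
    find "$dir" -type f -exec grep -l -F '<?php' {} + 2>/dev/null | sort
}

# Constructed sample tree: one clean file, one file with an injected decode
# call, one ordinary session file, and one script left in the temp directory.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/www/modules" "$root/tmp"
    printf '%s\n' '<?php function ok() { return 1; }' > "$root/www/index.php"
    printf '%s\n' '<?php $x = base64_decode("Q09OU1RSVUNURUQ=");' \
        > "$root/www/modules/x.module"
    printf '%s\n' 'user|s:5:"admin";' > "$root/tmp/sess_abc"
    printf '%s\n' '<?php /* placeholder for a dropped script */' \
        > "$root/tmp/cache.dat"
    echo "$root"
}

sample=$(make_sample)
echo "base64_decode() hits:"
scan_base64 "$sample/www"
echo "PHP open tags in tmp directory:"
scan_tmp "$sample/tmp"
rm -rf "$sample"
```

Run the two scan functions against the real document root and the directory PHP uses for sessions and uploads, and compare any hits with the copy of the site held in version control.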