Re: [Jack-Devel] www.jackaudio.org defacement
On 12/30/2011 10:18 AM, Robin Gareus wrote:
> On 12/30/2011 02:23 AM, Paul Davis wrote:
>> On Thu, Dec 29, 2011 at 7:48 PM, Fred Gleason <[hidden]> wrote:
>>> On Dec 29, 2011, at 19:29 05, Patrick Shirkey wrote:
>>>
>>>> The main difference is the number of cogentco servers in the path. Is it
>>>> possible that one of those is proxy caching and serving a corrupted
>>>> version of the site?
>>>
>>> Anything is possible, I suppose. My connection here is direct to Cogent's tier 1 network.
>>>
>>> That could also explain why I'm now seeing the defacement showing up in Google's cache. Just search for 'jack audio' and look at the results.
>>
>> my conclusion is that the site was hacked and restored by the web
>> hosting service without telling me (or anyone else).
>
> nope. It is still hacked and shows different content depending on the
> user-agent and both Accept-language HTTP header.
>
> Try `curl "http://jackaudio.org/"` - that prints out the weird stuff
> that google also sees.
>
> however:
>
> curl -A "Mozilla/5.0 (X11; Linux i686; rv:9.0.1) Gecko/20100101
> Firefox/9.0.1 Iceweasel/9.0.1" -H
> "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H
> "Accept-Language: en-us,en;q=0.9" "http://jackaudio.org/"
OOPs some copy/paste error slipped in: there's a missing "Accept:" for
the first content-negotiation header. NTL the decision seems to be based
mainly the user-agent string.
> shows the original site content!
>
> I'd hazard a guess at trac; which is not too hard to hack, but the
> problem could be more deeply rooted..
The fact that the html-header, page-menu and page-footer resemble a
template from 2006 points toward trac.
..more worrisome is that email to the list does not go through, ..or
does it now?
> Cheers!
> robin
1325274560.15457_0.ltw:2,a <4EFD8917.5050008 at gareus dot org>