Re: [Jack-Devel] www.jackaudio.org defacement
On Fri, Dec 30, 2011 at 9:22 AM, Paul Davis <[hidden]> wrote:
> On Fri, Dec 30, 2011 at 4:49 AM, Robin Gareus <[hidden]> wrote:
>
>>> nope. It is still hacked and shows different content depending on the
>>> user-agent and both Accept-language HTTP header.
>>>
>>> Try `curl "http://jackaudio.org/"` - that prints out the weird stuff
>>> that google also sees.
>
> indeed.
>
> but this is not trac, its drupal.
Someone manged to inject some byte-compiled PHP code into index.php.
I've removed it, and made the file non-writable by anyone.
I don't know if this was done via a weakness in drupal 6 (of which
there are many) or via some login access. My suspicion is that it was
web-based but the access log, while showing an access right at the
time the index.php was altered (Dec 26th 00:46) doesn't suggest
anything odd. I guess I'll have to write to Dreamhost and ask if they
are aware of other cracks like this.
I've checked the md5sum on the tarball of 0.121.3 and its unaltered. I
suspect this was a PHP-only attack.
1325276029.17622_0.ltw:2,a <CAFa_cKkTvqexM4cgUO4+prfNE2WRehO=Gx1OSVC2joao-epzFQ at mail dot gmail dot com>