Re: [Jack-Devel] www.jackaudio.org defacement

Prev	Next Index
Date	Fri, 30 Dec 2011 09:47:56 -0500
From	Paul Davis <[hidden] at linuxaudiosystems dot com>
To	Robin Gareus <[hidden] at gareus dot org>
Cc	JACK <[hidden] at lists dot jackaudio dot org>
In-Reply-To	Paul Davis Re: [Jack-Devel] www.jackaudio.org defacement
Follow-Up	Paul Davis Re: [Jack-Devel] www.jackaudio.org defacement
Follow-Up	Fred Gleason Re: [Jack-Devel] www.jackaudio.org defacement

On Fri, Dec 30, 2011 at 9:22 AM, Paul Davis <[hidden]> wrote:
> On Fri, Dec 30, 2011 at 4:49 AM, Robin Gareus <[hidden]> wrote:
>
>>> nope. It is still hacked and shows different content depending on the
>>> user-agent and both Accept-language HTTP header.
>>>
>>> Try `curl "http://jackaudio.org/"` - that prints out the weird stuff
>>> that google also sees.
>
> indeed.
>
> but this is not trac, its drupal.

Someone manged to inject some byte-compiled PHP code into index.php.
I've removed it, and made the file non-writable by anyone.

I don't know if this was done via a weakness in drupal 6 (of which
there are many) or via some login access. My suspicion is that it was
web-based but the access log, while showing an access right at the
time the index.php was altered (Dec 26th 00:46) doesn't suggest
anything odd. I guess I'll have to write to Dreamhost and ask if they
are aware of other cracks like this.

I've checked the md5sum on the tarball of 0.121.3 and its unaltered. I
suspect this was a PHP-only attack.

Prev	Next Index

1325276029.17622_0.ltw:2,a <CAFa_cKkTvqexM4cgUO4+prfNE2WRehO=Gx1OSVC2joao-epzFQ at mail dot gmail dot com>