Hi,

This is to share an (unpleasant) experience I had yesterday on a hacked site of a client (hacked despite fully patched modules and D6.15).

It was apparent hackers used a cloaking method, i.e. the site appeared just fine to users but search engines saw a page full of drug advertisements. I found no trace of changes via user activity (revisions, user last access, etc.) and there was nothing suspicious in the source code of the cloaked pages. Eventually I found that the file bootstrap.inc had been altered (without changing the time stamp!) -- a whole chunk of obfuscated PHP code was added at the top of the usual Drupal code. I responded by reloading Drupal and locking up the site even more than up to now.

This is to warn others about this hacking method, which may not be immediately apparent to webmasters. If anybody is interested in studying the obfuscated PHP code I found there, please contact me off the list.

I also wonder whether Drupal could be adjusted so as to automatically set the file bootstrap.inc, and perhaps other critical ones, as read-only. So far it is done only with the settings.php file.

Cheers,
vacilando

--
Tomáš J. Fülöpp
http://vacilando.net
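
The following is an added example, not part of the original post or of Drupal: because the altered bootstrap.inc kept its time stamp, a check has to compare file contents, here by hashing the live tree against a pristine copy of the same release. The directory names and file contents in `demo()` are constructed stand-ins, and the function names are assumptions of this example.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash file contents; mtime and size play no part in the comparison."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out

def compare_trees(pristine_root, live_root):
    """Return (modified, added, missing) relative paths of live vs pristine."""
    good, live = tree_hashes(pristine_root), tree_hashes(live_root)
    modified = sorted(p for p in good if p in live and good[p] != live[p])
    added = sorted(p for p in live if p not in good)
    missing = sorted(p for p in good if p not in live)
    return modified, added, missing

def demo():
    """Constructed sample: live bootstrap.inc differs but keeps its mtime."""
    with tempfile.TemporaryDirectory() as tmp:
        for tree in ("pristine", "live"):
            os.makedirs(os.path.join(tmp, tree, "includes"))
            for rel in ("index.php", os.path.join("includes", "bootstrap.inc")):
                with open(os.path.join(tmp, tree, rel), "w") as f:
                    f.write("<?php\n// constructed stand-in for core code\n")
        target = os.path.join(tmp, "live", "includes", "bootstrap.inc")
        st = os.stat(target)
        with open(target, "w") as f:
            f.write("<?php\n// constructed stand-in for added code\n")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # time stamp as before
        same_mtime = os.stat(target).st_mtime_ns == st.st_mtime_ns
        live = os.path.join(tmp, "live")
        return compare_trees(os.path.join(tmp, "pristine"), live), same_mtime

if __name__ == "__main__":
    print(demo())
```

On a real site, files that are expected to differ from the release (settings.php, uploaded files, contributed modules) will show up as added or modified and need to be reviewed or excluded; the pristine copy should come from a trusted download of the exact version in use.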
