Looks like it's now resolved. Site is looking normal again here. Begin forwarded message:
> From: Paul Davis <[email protected]> > Date: December 30, 2011 09:47:56 EST > To: Robin Gareus <[email protected]> > Cc: Fred Gleason <[email protected]>, JACK > <[email protected]> > Subject: Re: [Jack-Devel] www.jackaudio.org defacement > > On Fri, Dec 30, 2011 at 9:22 AM, Paul Davis <[email protected]> > wrote: >> On Fri, Dec 30, 2011 at 4:49 AM, Robin Gareus <[email protected]> wrote: >> >>>> nope. It is still hacked and shows different content depending on the >>>> user-agent and both Accept-language HTTP header. >>>> >>>> Try `curl "http://jackaudio.org/"` - that prints out the weird stuff >>>> that google also sees. >> >> indeed. >> >> but this is not trac, its drupal. > > Someone manged to inject some byte-compiled PHP code into index.php. > I've removed it, and made the file non-writable by anyone. > > I don't know if this was done via a weakness in drupal 6 (of which > there are many) or via some login access. My suspicion is that it was > web-based but the access log, while showing an access right at the > time the index.php was altered (Dec 26th 00:46) doesn't suggest > anything odd. I guess I'll have to write to Dreamhost and ask if they > are aware of other cracks like this. > > I've checked the md5sum on the tarball of 0.121.3 and its unaltered. I > suspect this was a PHP-only attack. > On Fri, Dec 30, 2011 at 9:47 AM, Paul Davis <[email protected]> > wrote: > > looks like we got pharmed: > > http://redleg-redleg.blogspot.com/2011/02/pharmacy-hack.html _______________________________________________ Rivendell-dev mailing list [email protected] http://lists.rivendellaudio.org/mailman/listinfo/rivendell-dev
