
Spam Links in Head Tags of Drupal 5

Recently, while at work at Phase2Technology, we got a report of bogus links being returned when searching for their site. After doing a quick search of the terms that should return their site, I got confirmation the issue was legit.

What was weird, though, was that when I went to the page and viewed source, there was nothing to indicate the issue. None of the links appeared at all. A coworker noted that it might only be occurring for bots, and not for regular users. After installing User-Agent Switcher for Firefox, I could confirm that this only happened when the user-agent was a known spider.

So I dumped the database to a flat file and started regex searching for script tags, base64_encode, or anything that seemed out of the ordinary for a Drupal 5 site. Nothing came up. Finally, I did an svn status on the site itself, and noted that one file that should not have been modified was shown as modified:
includes/cache.inc

I did an svn diff on that file and noted the following:
+error_reporting(0);eval(base64_decode(
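
Review bot: the added line in includes/cache.inc turns off error reporting with error_reporting(0) and then passes base64-decoded data to eval(), so the code it runs is not readable in the source and produces no error output. The line should come out, and since the encoded argument is not shown here, the rest of the file is worth comparing against a clean copy of the same core release before it is trusted again.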

Basically, someone was able to modify the cache.inc file to run foreign code. I would have just done an svn revert on the file, but sometimes developers will make local modifications to core (bad, I know, but it’s uncommon). So, instead I merely deleted that line in the file with vim.
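
A file-tree scan for the pattern found in cache.inc, as an added example (not code from the original post): it walks a docroot and reports lines where decoded data is passed straight to eval(), which the database dump search above could not see. The extension list, function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# PHP function names are case-insensitive and whitespace may precede "(".
EVAL_DECODE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
SILENCE = re.compile(rb"error_reporting\s*\(\s*0\s*\)", re.IGNORECASE)
PHP_EXTS = (".php", ".inc", ".module", ".install", ".engine", ".theme")


def scan_tree(root):
    """Return sorted (relative path, line number, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".svn"]  # skip VCS metadata
        for name in filenames:
            if not name.endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:  # read bytes: no decoding errors
                for lineno, line in enumerate(fh, 1):
                    if not EVAL_DECODE.search(line):
                        continue  # base64_decode() alone is not flagged
                    extra = " with error_reporting(0)" if SILENCE.search(line) else ""
                    findings.append((rel, lineno, "eval(base64_decode(" + extra))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample docroot: one clean file, one with an inert marker line."""
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "includes", "bootstrap.inc"), "w") as fh:
        fh.write("<?php\nfunction demo() {\n  return base64_decode('aGk=');\n}\n")
    with open(os.path.join(root, "includes", "cache.inc"), "w") as fh:
        # The encoded argument is the constructed string "placeholder".
        fh.write("<?php\nerror_reporting(0);eval (Base64_Decode('cGxhY2Vob2xkZXI='));\n"
                 "function cache_get($key) {\n}\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, lineno, reason in demo():
        print(f"{path}:{lineno}: {reason}")
```

Pointing scan_tree() at a real docroot works on sites that are not under version control, where svn status is not available to show the modified file.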

I would have left this up to Google for folks to find an answer to, but apparently I’m the only one who’s posting the answer to this.
