Recently while at work at Phase2Technology, we got a report of bogus links being returned when searching for their site. After doing a quick search of the terms that should return their site, I got confirmation the issue was legit:
What was weird though, was that when I went to the page and viewed source, there was nothing to indicate the issue. None of the links appeared at all. A coworker noted that it might only be occurring for bots, and not for regular users. After installing User-Agent Switcher for Firefox, I could confirm that this only happened when the user-agent was a known spider:
So I dumped the database to a flat file and started regex searching for script tags, base64_encode, or anything that seemed out of the ordinary for a Drupal 5 site. Nothing came up. Finally, I did an svn status on the site itself, and noted that one file was shown as modified, that should not have been:
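A scripted form of the `svn status` sweep above, added as an example rather than the author's own tooling. It parses `svn status` output and flags any entry under Drupal 5 core paths, whether modified or unversioned, while leaving `sites/` (where local modules, themes and settings normally live) alone. The list of core paths and the sample status output are constructed assumptions.

```python
import re
import subprocess

# Constructed list of Drupal 5 core locations; a change under any of these
# deserves a diff. Site-specific code lives under sites/, which is excluded.
CORE_PREFIXES = (
    "includes/", "modules/", "misc/", "themes/", "scripts/",
    "index.php", "cron.php", "update.php", "xmlrpc.php", "install.php",
)

# One status line: a status letter, up to six more status columns, whitespace, path.
STATUS_LINE = re.compile(r"^([ ACDIMRX?!~])(?:.{0,6}?)\s+(\S.*)$")


def parse_svn_status(output):
    """Yield (status_code, path) pairs from `svn status` text."""
    for line in output.splitlines():
        match = STATUS_LINE.match(line)
        if match:
            yield match.group(1), match.group(2)


def suspicious_core_changes(status_output, core_prefixes=CORE_PREFIXES):
    """Return (code, path) for every non-clean entry under a core path."""
    findings = []
    for code, path in parse_svn_status(status_output):
        if code != " " and path.startswith(core_prefixes):
            findings.append((code, path))
    return findings


def run_svn_status(site_root):
    """Run `svn status` in a checked-out site and return its output."""
    result = subprocess.run(
        ["svn", "status"], cwd=site_root, capture_output=True, text=True, check=True
    )
    return result.stdout


# Constructed sample output: one modified core file, one unversioned file
# dropped into a core directory, and two local changes that are expected.
SAMPLE_STATUS = """M       includes/cache.inc
?       misc/unknown-file.php
M       sites/default/settings.php
?       sites/default/files/tmp
"""

if __name__ == "__main__":
    for code, path in suspicious_core_changes(SAMPLE_STATUS):
        print(f"{code} {path}")
```

On a real checkout, `suspicious_core_changes(run_svn_status("/var/www/site"))` gives the same list for the live working copy. The check compares files against the pristine copies kept in `.svn/`, so it only catches tampering that left those untouched; an `svn diff` against the repository, or a comparison against a fresh export of the same release, is the stronger confirmation.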
I did an svn diff on that file and noted the following:
Basically, someone was able to modify the cache.inc file to run foreign code. I would have just done an svn revert on the file, but sometimes developers will make local modifications to core (bad, I know, but it’s uncommon). So, instead I merely deleted that line in the file with vim.
I would have left this up to Google for folks to find an answer to, but apparently I’m the only one who’s posting the answer to this.

Tags: drupal 5 investigation spam svn