Orocos.org was cracked

Hi guys,

Earlier this week, some users warned us that their browsers complained about
Orocos.org containing malware. I searched the database for offending words and
links (ok, call me naive) but couldn't find any. Since the user reported the
warning had gone away I ceased my investigation. However, something changed on
the website. The top-level 'breadcrumb' had changed characters. So I mailed
the support desk of our hosting service. These guys found out that there was
code injection in our PHP code. It had hidden links in it (some 'encrypted' in
base64 encoding) which allowed to insert hidden content in all our pages. What
the content was, I couldnt figure out. File analysis learned that the breach
was done on 27/11/2008. It's also not clear which user account did the harm.

So what has been done in reaction to this ?
* The site was brought off-line
* The inserted PHP code was analysed. What we found was only page output
modifications, no SQL queries or so.
* We overwrote the modified php code with the original code.
* We upgraded to the latest Drupal 5 bug-fix release
* The API documentation on Orocos.org was uploaded again
* Some drupal modules were upgraded as well
* The site went online again.

What we don't know 100% sure yet:
* If the SQL database was modified
* if some existing user escalated privileges on the site (I checked using a
user search and it seems not)
* which user account caused the trouble

I'd like to thank the people who reported the problem. I've been warned...

Peter