Orocos.org was cracked

Hi guys,

Earlier this week, some users warned us that their browsers complained about
Orocos.org containing malware. I searched the database for offending words and
links (ok, call me naive) but couldn't find any. Since the user reported that the
warning had gone away, I ceased my investigation. However, something had changed on
the website: the top-level 'breadcrumb' had changed characters. So I mailed
the support desk of our hosting service. These guys found out that there was
code injection in our PHP code. It had hidden links in it (some 'encrypted' in
base64 encoding) which allowed inserting hidden content into all our pages. What
the content was, I couldn't figure out. File analysis showed that the breach
was done on 27/11/2008. It's also not clear which user account did the harm.

So what has been done in reaction to this?
* The site was brought off-line
* The inserted PHP code was analysed. What we found were only page output
modifications, no SQL queries or the like.
* We overwrote the modified php code with the original code.
* We upgraded to the latest Drupal 5 bug-fix release
* The API documentation on Orocos.org was uploaded again
* Some drupal modules were upgraded as well
* The site went online again.

What we are not yet 100% sure about:
* If the SQL database was modified
* if some existing user escalated privileges on the site (I checked using a
user search and it seems not)
* which user account caused the trouble

I'd like to thank the people who reported the problem. I've been warned...

Peter
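The kind of check the post describes (looking for base64-obfuscated output injection in PHP templates and finding which files differ from the original code) can be scripted. The following is an added example, not code from Orocos.org or from the thread; the sample PHP, the payload and the hostname example.invalid are constructed for illustration, and the function names are my own.

```python
import base64
import hashlib
import re

# Constructed sample of a small PHP template, clean version.
# Hypothetical content for this example, not the code actually found on the site.
CLEAN_PHP = """<?php
print theme('breadcrumb', $breadcrumb);
print $content;
?>"""

# Constructed payload: a hidden link block of the kind the post describes.
PAYLOAD = '<div style="display:none"><a href="http://example.invalid/pills">cheap</a></div>'
INJECTED_PHP = CLEAN_PHP.replace(
    "print $content;",
    "print $content; echo base64_decode('%s');"
    % base64.b64encode(PAYLOAD.encode()).decode(),
)

# A base64 literal handed straight to base64_decode().
B64_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
# Code execution fed from base64, the other common obfuscation pattern.
EVAL_RE = re.compile(r"\b(eval|assert)\s*\(.*?base64_decode", re.S)
# Markup that only makes sense if the author wants it invisible to readers.
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|<a\s[^>]*href", re.I)


def decode_b64_literals(php_source):
    """Return (literal, decoded_text) for every base64_decode('...') literal found."""
    out = []
    for m in B64_RE.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (ValueError, TypeError):
            continue  # not valid base64, skip it
        out.append((m.group(1), decoded))
    return out


def find_suspicious(php_source):
    """List (kind, evidence) findings: decoded hidden content, or eval of base64."""
    findings = []
    for _literal, decoded in decode_b64_literals(php_source):
        if HIDDEN_RE.search(decoded):
            findings.append(("hidden-content", decoded))
    m = EVAL_RE.search(php_source)
    if m:
        findings.append(("eval-of-base64", m.group(0)))
    return findings


def changed_files(original, live):
    """Compare two {path: content} trees by SHA-256; report modified and added paths.

    A real run would read both trees from disk (the pristine release tarball
    and the live web root); dicts keep the example self-contained.
    """
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()
    report = []
    for path in sorted(set(original) | set(live)):
        if path not in original:
            report.append((path, "added"))
        elif path not in live:
            report.append((path, "missing"))
        elif digest(original[path]) != digest(live[path]):
            report.append((path, "modified"))
    return report


if __name__ == "__main__":
    for kind, evidence in find_suspicious(INJECTED_PHP):
        print(kind, "->", evidence)
    for path, status in changed_files({"page.tpl.php": CLEAN_PHP},
                                      {"page.tpl.php": INJECTED_PHP, "x.php": "<?php ?>"}):
        print(status, path)
```

The hash comparison is the step that answers "which files were touched" without trusting the file timestamps an attacker may have reset; the base64 decoding is what turns an opaque literal back into the hidden link so you can see what the injected content actually was.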

Orocos.org was cracked

Peter,

glad to see you traced the problem and took measures.
I do not mean to nag, but actually I already had problems (and reported them) on 26/11/2008, at 19.52h.
I indicated at that time that I had a virus warning as well; later I learned that the virus infection was obtained after submitting to this forum.
Can it be that I introduced the trouble at your site without knowing it?

Theo.

Orocos.org was cracked

On Sunday 07 December 2008 22:20:45 t [dot] j [dot] a [dot] devries [..] ... wrote:
> Peter,
>
> glad to see you traced the problem and took measures.
> I do not mean to nag, but actually I already had problems (and reported it)
> on 26/11/2008, at 19.52h. I indicated at that time that I had a virus
> warning also; later I learned that the virus infection was obtained after
> submitting to this forum. Can it be that I have been introducing the
> trouble at your site without knowing it?

I believe the opposite would be true. The crack exploited a bug in your
browser and so installed a virus on your computer. I remember you warned
me, but I couldn't find that email again... Stephen warned us again the Monday
after. So with your evidence, the site was cracked for at least 10 days.

Peter