Good comments, all.
We never did isolate the exact original hack. We chose to put our time into upgrading Drupal instead.
@Matthew Connerton: The hacker was adding an eval(base64_decode()) command at the beginning of every PHP file in the entire file system of the site. That's what was performing the redirect logic. Running a grep for the string "eval(base64_decode" was enough to track down all of the hacked files.
@Cameron Eagans: I agree that properly configuring input formats would likely have prevented the initial hack, but sadly they were not properly configured. To be clear, it was the hacker who used eval(), not anyone here. We know better. The code pasted in the blog post was inserted by the hacker as a backdoor to be able to execute any code desired in the future.
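
The grep described in the comment above, written out as a small scanner. This is an added example, not the commenter's own code: it goes slightly beyond the literal string by tolerating whitespace and case differences and by reporting the line number of each hit. The extension list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Whitespace- and case-tolerant form of the string the comment grepped for.
PATTERN = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# Assumption: file extensions that hold PHP code on a Drupal site.
PHP_EXTENSIONS = (".php", ".inc", ".module", ".install", ".engine", ".theme", ".profile")

def scan_tree(root):
    """Return sorted (relative_path, line_number) pairs, one per match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for match in PATTERN.finditer(data):
                # Line number = newlines before the match start, plus one.
                lineno = data.count(b"\n", 0, match.start()) + 1
                hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample files; the base64 string decodes to 'PLACEHOLDER'."""
    samples = {
        "index.php": b"<?php eval(base64_decode('UExBQ0VIT0xERVI=')); ?>\n<?php echo 'home';\n",
        "modules/node/node.module": b"<?php\n// clean file\nfunction node_help() {}\n",
        "includes/common.inc": b"<?php\nEVAL ( base64_decode (\"UExBQ0VIT0xERVI=\"));\n",
        "README.txt": b"eval(base64_decode( mentioned in docs only\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, lineno in scan_tree(tmp):
            print(f"{rel}:{lineno}")
```

A hit on line 1 matches the injection at the beginning of each file that the comment describes; a clean scan only shows that this one pattern is absent, not that the site is clean.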
