They made some hard core changes in the most recent security update. http://www.joomla.org/content/view/1843/74/
In previous updates you just untarred the patch over your installation and were done this one requires a bit more.
In the most recent update some things weren't completely obvious like overwriting your .htaccess file with the htaccess.txt file they provided,
setting safe mode and magic quotes on, register globals off.
The htaccess.txt file they included takes care of the malformed URL's that are typically used to hack joomla extensions and php scripts in general.
If the web server has mod rewrite I'd recommend turning on the search engine friendly links too.
Any joomla extensions that don't work with register globals off should be replaced anyway.

The most recent update (1.0.11) required a few changes:

Set Register Globals off
Set Magic Quotes on
Change the .htaccess to match the htaccess.txt file.
edit globals.txt and change RG_EMULATION to 0: define( 'RG_EMULATION', 0 );

If your host has register globals on you can change it by adding this to the top of the .htaccess file:
php_flag register_globals 0

Add this if magic quotes are off:

php_flag magic_quotes_gpc on



If you're not sure, create a php file in the web root and look at the
php
output:

<? phpinfo(); ?>

In some cases I've had to download the full install and overwrite all of the Joomla files to eliminate issues with upgrading.
For older Mambo sites you have to update the database too.

One of my joomla sites was hacked a few months ago.. they used com_extcalendar and malformed URL's that use php to overwrite the configuration files.
In my case they created a bunch of shell scripts in my /tmp directory and used php to launch them to do ssh scanning.
If you grep your apache access log for 'mosConfig_absolute_path=http' you'll likely find the hack attempts.

JD
Technomage wrote:

need some help with security (firewall, etc?)?

I am working on a machine in california right now that has similar programs 
running. got sdome firewall ideas that might do the trick.

let me know.

TMH

On Tuesday 05 September 2006 07:37, Alan Dayley wrote:

The PLUG website is down.  It was hacked sometime early this morning.
(Joomla! and or it's addons is proving to be quite insecure.)

I don't have time to do much with it right now.  It'll have to wait till
tonight.  Sorry about that.  Please be as patient as possible.

Alan


---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change  you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change  you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

-- 
JD Austin
Twin Geckos Technology Services LLC
email: jd@twingeckos.com
http://www.twingeckos.com
phone/fax: 480.288.8195