Hi there, After moving several websites to ISPConfig, we see that some websites get randomfilename.php uploaded in the root directory, like /var/www/clients/clientX/webX/web. The file is 100% an exploit, in order to see directories, eval_base64 etc. How to prevent this?
Your best chance would be to replace this very old Joomla version with a more recent one without the security hole the attacker uses.
Our 1.5.x are all on the latest version 1.5.26, and cannot be upgraded to 2.5 or later. Possible chmod on the web folder, so that no one can create files there?
Never allow execution of scripts in upload dirs!!! Have a look at this link: http://blog.kupchanko.cv.ua/2012/09...de-execution-in-directory-and-subdirectories/
I think I found the issue - JCE BOT - The Joomla installations had outdated JCE versions, according to http://docs.joomla.org/Vulnerable_Extensions_List

41.107.141.X - - [08/May/2013:23:07:11 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.0" 200 67 "-" "BOT/0.1 (BOT for JCE)"
41.107.141.X - - [08/May/2013:23:07:12 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 36 "-" "BOT/0.1 (BOT for JCE)"
41.107.141.X - - [08/May/2013:23:07:12 +0200] "GET /images/stories/gh.php?ghz HTTP/1.1" 200 20 "-" "BOT/0.1 (BOT for JCE)"
41.107.141.X - - [08/May/2013:23:07:13 +0200] "GET /gh.html HTTP/1.1" 200 446 "-" "BOT/0.1 (BOT for JCE)"
41.107.141.X - - [08/May/2013:23:07:16 +0200] "GET / HTTP/1.1" 500 1852 "-" "BOT/0.1 (BOT for JCE)"

Now JCE is updated.
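
Detection logic for the request pattern in the log excerpt above, added here as an example and not part of any poster's message: it flags clients that POST to the JCE image manager and then receive a 200 for a script under /images/. The function name, the regexes and the sample lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the excerpt above
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"')
# POST to the JCE image manager plugin
JCE_POST = re.compile(r'option=com_jce\b.*\bplugin=imgmanager\b')
# Script requested from Joomla's image directory, which should hold only images
UPLOADED_SCRIPT = re.compile(r'^/images/.*\.(?:php\d?|phtml)(?:\?|$)', re.I)

def find_jce_upload_chains(lines):
    """Flag clients that POST to JCE imgmanager and later receive HTTP 200
    for a script under /images/ (an upload followed by execution)."""
    posted = defaultdict(list)  # client -> timestamps of JCE POSTs
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, method, uri = m['client'], m['method'], m['uri']
        if method == 'POST' and JCE_POST.search(uri):
            posted[client].append(m['ts'])
        elif (method == 'GET' and m['status'] == '200'
              and client in posted and UPLOADED_SCRIPT.match(uri)):
            findings.append({
                'client': client,
                'first_post': posted[client][0],
                'script': uri.split('?', 1)[0],
                'fetched': m['ts'],
                'agent': m['agent'],
            })
    return findings

# Constructed sample lines (documentation IP ranges), modelled on the excerpt
SAMPLE = [
    '203.0.113.7 - - [08/May/2013:23:07:11 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 36 "-" "BOT/0.1 (BOT for JCE)"',
    '203.0.113.7 - - [08/May/2013:23:07:12 +0200] "GET /images/stories/gh.php?ghz HTTP/1.1" 200 20 "-" "BOT/0.1 (BOT for JCE)"',
    '198.51.100.9 - - [08/May/2013:23:08:00 +0200] "GET /images/stories/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/May/2013:23:08:05 +0200] "GET /images/stories/x.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in find_jce_upload_chains(SAMPLE):
        print(f"{f['client']} POSTed to JCE at {f['first_post']}, "
              f"then fetched {f['script']} at {f['fetched']}")
```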