Now that I have made the post again (mandville posted on page 1 about how) about how to contact the JSST.....
I do not believe the issue is with 2.5.6, but rather with the individual sites and how they were updated, not updated or otherwise improperly cleaned after a previous hack.
Earlier in this thread Brian stated:
.........you really need to understand the basics of web site security
1. The original poster was running out of date, unsupported versions of Joomla with known security issues
2. A hacker after finding a hole needs to place a file on your site so they can do even more nasty things. It makes the hacker's life much much easier if they always put their file in the same place on every site that they exploit. So clearly any folder which is part of the core installation of joomla is a good place for them to place their files.
The location of the file does not have any relevance to the location of the hack. In fact it almost certainly means that the folder is not the source of the hole. Think about it: if you can write to any folder on the server, why would you choose the one with the hole in it? That's just too obvious.
Finally any webhost that says "they have had lots of sites with the same issue" is clearly indicating that their server was exploited and through that a file was placed in every site.
This exploit is therefore either at a server level or most likely through one of the old software versions on one of the sites and the host doesn't understand how to set up a secure web server where one exploited site doesn't mean that all the sites on the server will be exploited.
Time to get a new host who does understand the basics of secure web hosting and make sure that you keep your own web site up to date.
It is far too easy to blame others when the problem is staring you in the mirror each morning
What Brian has said would apply to everyone posting about 2.5 issues here.
As stated by both Brian and webdongle, locating a few files that don't belong will not get rid of the exploit. By not properly cleaning and repairing a hacked site you will cause an up to date Joomla install to be hacked as you never actually got rid of the backdoor files.
Everything I have read here so far has pointed to improper cleaning of sites/domains after being hacked. No one person has posted the results of running the FPA script from a hacked site. There is no magic pill, you must follow the proper procedures (all of them) or it is very likely the site(s) will remain hacked.
To assist with properly fixing your site(s) I am posting a copy of the before you post checklist viewtopic.php?f=621&t=582854
Following all of the checklist is important. Following what is convenient or taking shortcuts will probably leave the site hacked. I won't get into the why/how, but if there is more than one domain or site under a master account, then all must be cleaned and repaired properly as they are likely all infected.
Before you post your security/been hacked topic, it is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future. You must state what version of Joomla you were using when the site first became hacked. This can make a difference as to how we approach your individual situation.
[ ] Download and RUN the Forum Post Assistant / FPA. Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic. Use these links to download the FPA: Download .tar.gz version or Download the .zip version. NOTE: Do not download the FPA from any other website or links found on the Internet.
[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.
[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.
[ ] Review and action Security Checklist 7. Make sure you've gone through all of the steps.
[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.
[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.
[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.
[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).
[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.
[ ] Ensure you do not have anonymous ftp enabled.
[ ] Verify individually that any non-Joomla file that will be placed back on the website, such as but not limited to images, pdf files, files for download, and other documents and files, is valid and is supposed to be part of your website.
[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories.
More detailed information can be found in the security Checklist 7 link below. Note: The forum post tool will work with all versions of Joomla. The FPA is written and maintained by the Joomla Security forum moderators.
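
Added example, not part of the original post or of any Joomla tooling: a permission audit for the checklist item on file and directory modes (never 777, 644 for files, 755 for directories, 444 allowed for configuration.php). The function names and the sample tree are constructed for illustration, and a POSIX host is assumed.

```python
import os
import stat
import tempfile

# Modes from the checklist: 644 files, 755 directories, 444 permitted for configuration.php.
FILE_MODES = {0o644}
DIR_MODES = {0o755}
CONFIG_MODES = {0o444, 0o644}


def audit_permissions(root):
    """Return sorted (relative path, octal mode, reason) for entries off the checklist modes."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not what the server enforces
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                allowed = DIR_MODES
            else:
                allowed = CONFIG_MODES if rel == "configuration.php" else FILE_MODES
            if mode & stat.S_IWOTH:
                reason = "world-writable"  # covers 777 and 666, the worst case on shared hosting
            elif mode not in allowed:
                reason = "expected " + "/".join(format(m, "03o") for m in sorted(allowed))
            else:
                continue
            findings.append((rel, format(mode, "03o"), reason))
    return sorted(findings)


def run_constructed_example():
    """Build a small constructed tree (not a real site) and audit it."""
    layout = {"configuration.php": 0o444, "index.php": 0o644, "images/logo.png": 0o644,
              "cache/x.php": 0o666, "includes/defines.php": 0o755}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        for d, mode in {"images": 0o777, "cache": 0o755, "includes": 0o755}.items():
            os.chmod(os.path.join(root, d), mode)
        return audit_permissions(root)
```

Run `audit_permissions()` against the document root after the fresh files are uploaded; it only reports deviations and does not replace the full clean-and-replace procedure in the checklist.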