Joomla! Version: Joomla! 1.0.15 Stable [ Daytime ] 22 February 2008 23:00 UTC
I have not used Joomla before, and am tasked with solving the vulnerability of a server that has been working for a lone time. I have spent a few days poking around at files, and looking to see how things work, reading docs, etc.
I template that goes by the name of "jw_bubblicious" keeps getting config.ini and header.php files put into it. configuration.php had a bunch of php appended to the end of it. Apparently this has happened several times in the past, but only files have been deleted. I am looking to understand this exploit, so I can solve it once and for all.
"jw_bubblicious" seems to have a strange history, the site linked in the xml file is just a spam site now. I can not find a lot about it.
A do not think switching templates is going to make my client happy. Can anyone make any guesses as to how this is happening? It amounts to url's being injected into the pages, via including the config.ini file that contains a huge list of url's.
Does anyone know if "jw_bubblicious" has been taken over by someone else and renamed, or where to go to look to update that file?
Looking at the file, I see SQL code that looks like it would be open to injection attacks.
Code: Select all
$sql = "SELECT m.* FROM #__menu AS m" . "\nWHERE menutype='". $menutype ."' AND published='1' AND parent=0" . "\nORDER BY ordering";
Any suggestions are appreciated.