Advice about my 1.5.22 Installation.

This forum is for issues with installing Joomla! on IIS webservers.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Joomla! Apprentice
Joomla! Apprentice
Posts: 15
Joined: Sat Nov 22, 2008 4:17 am

Advice about my 1.5.22 Installation.

Post by cpeppler » Mon Mar 18, 2013 2:49 pm

Hello Joomla! support forum,

I have a v1.5.22 installation that has been running on an IIS server for several years. I watch the weblogs very carefully, pretty much every day. This morning I found something that indicates someone found their way in to Joomla! over the weekend.

Someone found a way to upload a file named mesbocana.php to the \media directory. It had a http code of 200 in the weblog, so they were able to execute the file.

I have blocked the IP address (sourced in the Ukraine), changed the name of the file (which I have captured), but I have no idea what happened when they executed the file.

I opened it, looked at it, and found a new $auth_pass string, and a long preg_replace string.

The site is still functioning, I don't want to take it down, and am looking for specific advice about next steps:

Upgrade from 1.5.22 to something more modern?
How do I identify if they've placed other backdoors, and seal them?

Glad for any advice from the community before I take next steps.

Charlie Peppler


Return to “Joomla! 1.5 on IIS webserver”