Advice about my 1.5.22 Installation.

Posted: Mon Mar 18, 2013 2:49 pm
by cpeppler
Hello Joomla! support forum,

I have a v1.5.22 installation that has been running on an IIS server for several years. I watch the weblogs very carefully, pretty much every day. This morning I found something that indicates someone found their way into Joomla! over the weekend.

Someone found a way to upload a file named mesbocana.php to the \media directory. It had an HTTP code of 200 in the weblog, so they were able to execute the file.

I have blocked the IP address (sourced in the Ukraine), changed the name of the file (which I have captured), but I have no idea what happened when they executed the file.

I opened it, looked at it, and found a new $auth_pass string, and a long preg_replace string.

The site is still functioning, I don't want to take it down, and am looking for specific advice about next steps:

Upgrade from 1.5.22 to something more modern?
How do I identify if they've placed other backdoors, and seal them?

Glad for any advice from the community before I take next steps.

Charlie Peppler
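One way to start on the "other backdoors" question, as an added example that is not part of the post above and not Joomla's own tooling: walk the web root, flag PHP files that carry the indicators the post describes (a `$auth_pass` assignment, a `preg_replace()` call, here assumed to use the eval-like `/e` modifier), very long lines, recent modification, or PHP sitting under upload directories such as `media`. Directory names, thresholds and the sample tree in `demo()` are constructed assumptions.

```python
import os
import re
import time

# Indicator patterns (constructed for this example, based on what the post describes).
PATTERNS = [
    ("auth_pass", re.compile(r"\$auth_pass\s*=")),                       # web-shell login hash
    ("preg_replace_e", re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[A-Za-z]*e[A-Za-z]*['\"]")),
    ("eval_decode", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)")),
]
# Directories that should hold uploads, not executable PHP (assumption for a 1.5 layout).
UPLOAD_DIRS = {"media", "images", "tmp", "cache", "logs"}

def scan_file(path, min_mtime=0.0, long_line=800):
    """Return the list of indicator names that fire for one file."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return hits
    hits += [name for name, pat in PATTERNS if pat.search(text)]
    if any(len(line) > long_line for line in text.splitlines()):
        hits.append("long_line")                 # packed/obfuscated payloads tend to be one huge line
    if os.path.getmtime(path) >= min_mtime:
        hits.append("recently_modified")         # compare against the date the log anomaly appeared
    return hits

def scan_tree(root, min_mtime=0.0):
    """Map relative path -> indicator list for every PHP file with at least one hit."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fn)
            hits = scan_file(path, min_mtime)
            if rel_dir.split("/")[0] in UPLOAD_DIRS:
                hits.append("php_in_upload_dir")
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Constructed sample tree: one planted file under media/, one old clean core file."""
    import tempfile
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "media")); os.makedirs(os.path.join(root, "components"))
    with open(os.path.join(root, "media", "mesbocana.php"), "w") as fh:
        fh.write('<?php $auth_pass = "0f1e2d"; preg_replace("/.*/e", "' + "A" * 900 + '", "");')
    clean = os.path.join(root, "components", "helper.php")
    with open(clean, "w") as fh:
        fh.write("<?php function helper() { return 1; }")
    old = time.time() - 400 * 86400
    os.utime(clean, (old, old))                  # make the clean file look untouched for a year
    return scan_tree(root, min_mtime=time.time() - 7 * 86400)
```

Run it against the real web root with `min_mtime` set to the day the 200 response appeared, and review every flagged file by hand; a clean scan does not prove absence, so compare against a known-good copy of the same Joomla! version as well.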