Edit: The hacker did upload a PHP script with a JPG extension, but that is not the complete story of how he did the hack. For security reasons, I am not going to post more about the actual exploit.
It appears that the hacker was then able to upload a separate PHP script that he used to send out spam.
I was running Joombah 1.3.3 and, admittedly, Joomla 2.5.4 (which I have since updated to 2.5.8). I have PM'd the Admin of the Joombah forums (approx 15 hours ago) and posted on their forums but still have not received a response.
Problem Description :: Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:
Site hacked by uploading PHP script disguised as JPG or possibly DOC/DOCX file
Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 14th November 2012 wrote:
Site taken offline.
Upgraded Joomla from 2.5.4 to 2.5.8
Contacted (and still awaiting response) Joombah RE the hack
Additional log information below (with hacker's IP and my domain obfuscated)
Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes
PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M
MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 17.36 MiB | #of Tables: 180
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) |
Elevated Permissions (First 10) :: --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) |
Extensions Discovered :: wrote:
Strict Information Privacy was selected. Nothing to display.
Templates Discovered :: wrote:
_FPA_STRICT Information Privacy Nothing to display.
MODS: I have a copy of the fake JPG file/PHP Script. If you would like I can PM the contents of it to you.
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:58:50 -0400] "POST /jobs/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 14 "http://www.website.org/jobs/index.php?o ... bseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:59:34 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?o ... bseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:47 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?o ... bseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:56 -0400] "POST /jobs/component/jbjobs/jobseeker/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 69 "http://www.website.org/jobs/component/j ... bseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:29 -0400] "POST /jobs/component/users/?task=user.login HTTP/1.1" 303 5 "http://www.website.org/jobs/component/users/?view=login" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:59 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/e ... gjobseeker" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:28 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/e ... editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:43 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/e ... editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:34:28 -0400] "POST /jobs/images/jbjobs/pf/p_259_1351908403.php HTTP/1.1" 200 358 "http://www.website.org/jobs/images/jbjo ... 908403.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
Any help/advice on where to go next to button this issue down would be greatly appreciated.
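The last log line above is the tell: a POST to a `.php` file under `/jobs/images/` answered with 200, i.e. the web server executed a script out of an upload directory. Two triage checks follow as an added example (my code, not the poster's, not Joomla's and not Joombah's): one scans Apache combined-format access logs (with the `www-02.log.gz:` prefix that zgrep leaves) for script requests under upload directories, the other scans uploaded files whose extension claims "image" but whose bytes do not. The `UPLOAD_DIRS` list and the sample lines are assumptions; the log lines are copied from the post, the fake JPG in the test is constructed.

```python
"""Triage helpers for a PHP-in-the-upload-dir compromise: find script execution
out of upload directories in access logs, and find 'images' that are scripts."""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Apache combined log format as quoted in the post; an optional "file.gz:"
# prefix (left by zgrep across rotated logs) is tolerated.
LOG_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should only ever hold static uploads (assumption: add the
# upload paths of every component the site runs).
UPLOAD_DIRS = ("/images/", "/media/", "/tmp/")

# Extensions a default Apache/PHP setup hands to the PHP engine.
SCRIPT_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)

# Leading bytes a file of the claimed image type must carry.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG_RE = re.compile(rb"<\?php|<\?=|<script[^>]+language=[\"']?php", re.IGNORECASE)

# Three lines from the post (attacker IP and domain obfuscated by the poster).
SAMPLE_LOG_LINES = [
    'www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:58:50 -0400] "POST /jobs/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 14 "http://www.website.org/jobs/index.php?o ... bseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"',
    'www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:29 -0400] "POST /jobs/component/users/?task=user.login HTTP/1.1" 303 5 "http://www.website.org/jobs/component/users/?view=login" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"',
    'www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:34:28 -0400] "POST /jobs/images/jbjobs/pf/p_259_1351908403.php HTTP/1.1" 200 358 "http://www.website.org/jobs/images/jbjo ... 908403.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def script_hits_in_upload_dirs(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag every request whose URL path names a script inside an upload directory.
    A 200 on such a request means the server executed it; a 404 is a probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["path"]).path  # drop the query string before matching
        if any(d in path for d in UPLOAD_DIRS) and SCRIPT_EXT_RE.search(path):
            hits.append({k: rec[k] for k in ("ip", "time", "method", "path", "status")})
    return hits


def disguised_script_reason(filename: str, data: bytes) -> Optional[str]:
    """Return why a file that claims to be an image looks like a script, or None.
    Checks the magic bytes first (a renamed .php has none), then looks for a PHP
    open tag anywhere, which also catches a real JPEG with PHP appended to it."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    magic = IMAGE_MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return "no %s magic bytes" % ext
    if PHP_TAG_RE.search(data):
        return "contains PHP open tag"
    return None


if __name__ == "__main__":
    for hit in script_hits_in_upload_dirs(SAMPLE_LOG_LINES):
        print("script under upload dir: %(time)s %(ip)s %(method)s %(path)s -> %(status)s" % hit)
```

Run the first function over every rotated log (the poster's `www-02.log.gz` and the others), not just the day of the spam run, because the first hit tells you when the box was actually compromised and which account (the `checkuser`/`user.login` posts before it) was used. The lasting fix is to stop the web server from executing anything under those directories; with PHP running as `cgi-fcgi`, as the environment dump shows, that is an `.htaccess` that removes the PHP handler or denies `*.php` there, since `php_flag engine off` only takes effect under mod_php.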