Edit: The hacker did upload a PHP script with a JPG extension, but that is not the complete story of how he did the hack. For security reasons, I am not going to post more about the actual exploit.
It appears that the hacker was then able to upload a separate PHP script that he used to send out spam.
I was running Joombah 1.3.3 and, admittedly, Joomla 2.5.4 (which I have since updated to 2.5.8). I have PM'd the Admin of the Joombah forums (approx 15 hours ago) and posted on their forums but still have not received a response.
Problem Description :: Forum Post Assistant (v1.2.3) : 14th November 2012 wrote: Site hacked by uploading PHP script disguised as JPG or possibly DOC/DOCX file
Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 14th November 2012 wrote: Site taken offline.
Upgraded Joomla from 2.5.4 to 2.5.8
Contacted (and still awaiting response) Joombah RE the hack
Forum Post Assistant (v1.2.3) : 14th November 2012 wrote: Basic Environment ::
Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes
PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M
MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 17.36 MiB | #of Tables: 180
Detailed Environment ::
PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) |
Elevated Permissions (First 10) :: --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) |
Extensions Discovered :: Strict Information Privacy was selected. Nothing to display.
Templates Discovered :: _FPA_STRICT Information Privacy. Nothing to display.
Additional log information below (with the hacker's IP and my domain obfuscated):
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:58:50 -0400] "POST /jobs/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 14 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:59:34 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:47 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:56 -0400] "POST /jobs/component/jbjobs/jobseeker/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 69 "http://www.website.org/jobs/component/jbjobs/jobseeker/regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:29 -0400] "POST /jobs/component/users/?task=user.login HTTP/1.1" 303 5 "http://www.website.org/jobs/component/users/?view=login" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:59 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/regjobseeker" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:28 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:43 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:34:28 -0400] "POST /jobs/images/jbjobs/pf/p_259_1351908403.php HTTP/1.1" 200 358 "http://www.website.org/jobs/images/jbjobs/pf/p_259_1351908403.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
MODS: I have a copy of the fake JPG file/PHP script. If you would like, I can PM the contents of it to you.
Any help/advice on where to go next to button this issue down would be greatly appreciated.
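The log excerpt above shows the pattern that matters for triage: a registration and resume-edit session from one address, followed half an hour later by a POST to a .php file sitting under the component's upload directory (images/jbjobs/pf/), answered with 200. The script below, an added example for this thread and not code from the original post, from Joomla or from Joombah, sweeps Apache combined-format logs for that pattern across every line rather than the handful quoted here. It assumes a Joomla-style tree where uploads land under /images/, /media/ or /tmp/ and nothing in those directories should ever run as PHP; the directory list, the "filename:" prefix handling (what zgrep prints) and the sample lines are assumptions or constructed for the example.

```python
"""Sweep Apache access logs for scripts executed out of upload directories.

Added example for this thread; not code from the original post, Joomla or Joombah.
Assumes Apache "combined" log format, optionally prefixed "filename:" as zgrep
prints it, and a Joomla-style tree where uploads live under UPLOAD_DIRS.
"""
import re
import sys
from datetime import datetime

# Optional "www-02.log.gz:" prefix, then the standard combined format.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^\s:]+\.(?:log|gz)):)?'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Directories that only ever hold uploads (assumed layout; adjust per site).
UPLOAD_DIRS = ("/images/", "/media/", "/tmp/")
# Anything a PHP handler might execute, including path-info ("x.php/foo").
SCRIPT_RE = re.compile(r'\.(?:php\d?|phtml|phar)(?:/|$)', re.IGNORECASE)
# Double extensions ("x.php.jpg") that AddHandler-style Apache configs still run.
DOUBLE_EXT_RE = re.compile(r'\.(?:php\d?|phtml)\.[A-Za-z0-9]+$')


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["url"].split("?", 1)[0]        # drop the query string
    rec["when"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify(rec):
    """Why this request looks like an upload being executed, or None."""
    path = rec["path"]
    if not any(d in path for d in UPLOAD_DIRS):
        return None
    if SCRIPT_RE.search(path):
        return "script extension under upload dir"
    if DOUBLE_EXT_RE.search(path):
        return "double extension under upload dir"
    return None


def find_webshell_hits(lines):
    """Requests for executable files under upload dirs, oldest first.

    A 200 means the server ran (or served) the file; a 404 is still worth
    reading because it is usually a probe for a shell planted earlier.
    """
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        reason = classify(rec)
        if reason:
            hits.append({**rec, "reason": reason, "executed": rec["status"] == 200})
    return sorted(hits, key=lambda r: r["when"])


def actor_timeline(lines, ip):
    """Every request from one address, oldest first: the lead-up to the hit."""
    recs = [r for r in filter(None, map(parse_line, lines)) if r["ip"] == ip]
    return sorted(recs, key=lambda r: r["when"])


def dwell_seconds(lines, ip):
    """Seconds from the actor's first logged request to its first executed hit."""
    timeline = actor_timeline(lines, ip)
    hits = [h for h in find_webshell_hits(lines) if h["ip"] == ip and h["executed"]]
    if not timeline or not hits:
        return None
    return int((hits[0]["when"] - timeline[0]["when"]).total_seconds())


# Constructed sample: three of the thread's obfuscated lines plus two made-up
# contrasts (a legitimate image download and a 404 probe for a double-extension file).
SAMPLE_LOG = [
    'www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:58:50 -0400] "POST /jobs/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 14 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"',
    'www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:43 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"',
    'www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:34:28 -0400] "POST /jobs/images/jbjobs/pf/p_259_1351908403.php HTTP/1.1" 200 358 "http://www.website.org/jobs/images/jbjobs/pf/p_259_1351908403.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"',
    'www-02.log.gz:198.51.100.7 - - [02/Nov/2012:22:40:01 -0400] "GET /jobs/images/jbjobs/pf/p_101_1351900000.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    'www-02.log.gz:203.0.113.9 - - [03/Nov/2012:01:12:09 -0400] "GET /jobs/images/stories/sh.php.jpg HTTP/1.1" 404 210 "-" "curl/7.26.0"',
]

if __name__ == "__main__":
    # Usage: zcat www-*.log.gz | python3 triage.py   (falls back to the sample)
    lines = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for h in find_webshell_hits(lines):
        print(h["ts"], h["ip"], h["status"], h["path"], "|", h["reason"])
```

On the sample, the only executed hit is the p_259_1351908403.php POST, the actor's timeline runs from the first checkuser call to that POST in just under 36 minutes, and the sh.php.jpg request is flagged but marked as not executed. Every executed hit should be matched against the filesystem (a find under the upload tree for *.php* and for files whose content starts with "<?php" regardless of extension), and every address on the hit list should be walked through actor_timeline to see which account it registered. Whatever the extension's own filename check did, the durable fix is to have Apache refuse to execute anything under the upload directories (a FilesMatch block denying .php and friends, or a separate handler-free vhost for media), so that a disguised upload stays inert even when the next component gets it wrong.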