[NSRCA-discussion] website back up

Martin X. Moleski, SJ moleski at canisius.edu
Fri Dec 3 07:54:56 AKST 2010


On 12/3/2010 11:41 AM, Gordon Anderson wrote:

> it just came back! seem to work now....

The exploit involved the insertion of:

1) .htaccess files in several folders

2) index.html files that redirected to the malicious website

I don't know why Derek and I didn't see those files when we
were talking last night.

The problem with pages not working was due to having Joomla
configured to use .htaccess as part of its SEF/SEO rewrite
scheme.

I tried different things with the htaccess.txt to see whether
I could get it to work without having to think about it.

After trying this and that, I just turned off the option
under Site to "Use Apache rewrite" via the .htaccess file.

Things ***SEEM*** to be OK to me this minute.  I have
class at noon for an hour.

Our /web and /web/components directory had 777 permissions
("world-writable").  Jason set those to 775 recursively
at my request.

This could cause problems with some folders and/or components.

Whether it will prevent the same exploit from being run remains
to be seen.

I'm not sure which component let the invasive files be uploaded.
Coppermine?  Docman?  Community Builder? Do we have any other
uploaders on the site that could have been compromised?

I'm not going to be able to think about these questions much
today.  I've got some commitments at a local radio station
this afternoon and (theoretically, at least) a club Christmas
party in the evening.

				Marty


More information about the NSRCA-discussion mailing list