Are Times

Saturday, 25 May 2013

Arbitrary File Upload Vulnerability:
TOPIC: Arbitrary File Upload Vulnerability:

Arbitrary File Upload Vulnerability: 11 months, 1 week ago #4298

  • Marty
  • OFFLINE
  • Fresh Boarder
  • Posts: 8
  • Karma: 0
Arbitrary File Upload Vulnerability:
From my latest visitor log:
Host: 200.63.47.57
/administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=.598
Http Code: 200 Date: Jun 16 08:50:41 Http Version: HTTP/1.1 Size in Bytes: 31307
Referer: -
Agent: -
/administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=.599
Http Code: 200 Date: Jun 16 09:44:33 Http Version: HTTP/1.1 Size in Bytes: 31307
Referer: -
Agent: -
/favicon.ico
Http Code: 200 Date: Jun 16 12:45:41 Http Version: HTTP/1.1 Size in Bytes: 356
Referer: -
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14
/administrator/components/com_maianmedia/utilities/charts/tmp-upload-images/.599.php
Http Code: 200 Date: Jun 16 12:58:43 Http Version: HTTP/1.1 Size in Bytes: 31538
Referer: www.mysite.com/administrator/components/...ia/utilities/charts/
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14

Sure enough tmp-upload-images/ contained 598.php & 599.php
This is scary:
I have no idea how to decipher these files, nor what their purpose is, nor how to stop except by blocking by IP.
Can anyone help?
Rgds
EMMDEE
Last Edit: 11 months, 1 week ago by Marty. Reason: hide site
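
Detection logic for the pattern in the visitor log above, as an added example that is not part of the original post or of Maian Media: it parses records in that log layout, flags hits on ofc_upload_image.php, and flags scripts served with HTTP 200 from tmp-upload-images/. The sample log is constructed (placeholder host), and the function names and the script-extension list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

UPLOAD_SCRIPT = "php-ofc-library/ofc_upload_image.php"  # endpoint named in the thread
UPLOAD_DIR = "/tmp-upload-images/"                      # directory named in the thread
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)  # assumed script extensions
STATUS = re.compile(r"Http Code: (\d{3}) Date: (\w{3} +\d+ [\d:]+)")

# Constructed sample in the visitor-log layout quoted in the post (host is a placeholder).
SAMPLE = """\
Host: 192.0.2.10
/administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=.599
Http Code: 200 Date: Jun 16 09:44:33 Http Version: HTTP/1.1 Size in Bytes: 31307
/favicon.ico
Http Code: 200 Date: Jun 16 12:45:41 Http Version: HTTP/1.1 Size in Bytes: 356
/administrator/components/com_maianmedia/utilities/charts/tmp-upload-images/.599.php
Http Code: 200 Date: Jun 16 12:58:43 Http Version: HTTP/1.1 Size in Bytes: 31538
/administrator/components/com_maianmedia/utilities/charts/tmp-upload-images/chart.png
Http Code: 404 Date: Jun 16 13:01:02 Http Version: HTTP/1.1 Size in Bytes: 210
"""

def parse_records(text):
    """Yield (path, status, date) for each request line followed by its status line."""
    path = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and (m := STATUS.match(line)):
            yield path, int(m.group(1)), m.group(2)
            path = None

def find_upload_abuse(text):
    """Return findings: upload-endpoint hits, and scripts served from the upload directory."""
    uploads, findings = set(), []
    for path, status, date in parse_records(text):
        url = urlsplit(path)
        if url.path.endswith(UPLOAD_SCRIPT):
            name = parse_qs(url.query).get("name", [""])[0]
            uploads.add(name)
            findings.append(("upload", date, name))
        elif UPLOAD_DIR in url.path and SCRIPT_EXT.search(url.path) and status == 200:
            fname = url.path.rsplit("/", 1)[1]
            # True when the served file name starts with an earlier upload's name= value
            matched = any(n and fname.startswith(n) for n in uploads)
            findings.append(("script-served", date, fname, matched))
    return findings

if __name__ == "__main__":
    print(*find_upload_abuse(SAMPLE), sep="\n")
```

A "script-served" finding whose last field is False means a script was served from the upload directory with no matching upload request in the same log, which usually points at an upload that predates the log window.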

Re: Arbitrary File Upload Vulnerability: 11 months, 1 week ago #4299

  • Marc
  • OFFLINE
  • Moderator
  • Posts: 246
  • Karma: 0
this is being dealt with;

for now pls remove this:

administrator\components\com_maianmedia\utilities\charts\php-ofc-library\ofc_upload_image.php 

also remove those files 598 & 599 and run a complete scan of your site using Version Verification Tool (if you are on 1.5);

I would suggest that you restore your entire site and database just to be safe, from the most recent clean backup.


if you can't restore from backup, you should login to your FTP and search for these files and delete all of them (if they exist):

/includes/index.php
/plugins/editors-xtd/mosimage.php
/plugins/system/legacy/gnulicense.php
/plugins/editors/tinymce/jscripts/tiny_mce/plugins/example/langs/langs/langs/langs.php
/plugins/editors/tinymce/jscripts/tiny_mce/plugins/save/editor_plugin_src.php
/components/com_user/login.php
/components/com_banners/banners.html.php
/templates/index.php
/libraries/openid/Auth/OpenIDOpenID.php
/libraries/phpxmlrpc/compat/is_export.php
/administrator/components/com_admin/index.php

these are not part of the core joomla files, and are used by the hackers;

you should also change your admin password (recommended after a site has been hacked..)

-marc

Re: Arbitrary File Upload Vulnerability: 11 months, 1 week ago #4301

  • Marty
  • OFFLINE
  • Fresh Boarder
  • Posts: 8
  • Karma: 0
>> this is being dealt with;
for now pls remove this:
administrator\components\com_maianmedia\utilities\charts\php-ofc-library\ofc_upload_image.php <<
*****************
thanks
It seems that this advice should be given to everyone using maian media.

p.s. Mysite is on Joom 2.5.4 MM 1.5.8
rgds
emmdee

Re: Arbitrary File Upload Vulnerability: 11 months, 1 week ago #4306

  • Marc
  • OFFLINE
  • Moderator
  • Posts: 246
  • Karma: 0
a fix has been posted and the newest version of MM no longer contains the vulnerability.

We advise all users to upgrade ASAP!

-marc