My own fault, I let several customers go far too long without updating their Joomla CMS. Three of them had 1.5.26 installed, which was the last in the 1.5 platform (and ancient by now). Two days ago, one of the sites started sending out tons of the "Your Package was Not Delivered"-type spam emails with a malicious link or zip attachment through Local Relay. They got around 100,000 out before I disabled the user. First thing yesterday I started looking into all three of the sites and found what you never want to find. Two were exploited using a fairly recently discovered vulnerability in ext_explorer; both were hacked on December 21st. I removed that extension, found all the files created between then and now, and deleted them.
The third, though, was hacked back in April of last year. It had been hacked through a vulnerability in TinyMCE on 1.5 and oh man, was it a mess. I found at least a dozen files on the site that were variations on eval(gzinflate(base64_decode( and the encoded strings were a page+ long. The one file that scared me the most had "Web Shell by oRb" commented at the top of the file. So I'm pretty sure I can't trust anything on that user anymore. I changed file names on some (so they were no longer php files) and deleted others. Hopefully I cleared most of the problems; I am going to delete their entire site and start fresh, but it's going to take some time to migrate each site to the 2.5 platform.
All this is not just to publicly humiliate myself; I'm hoping someone can tell me how bad the situation on my server is. I am running the latest/last CustomBuild on a Centos6 64bit box with the mod_ruid module for apache. I've checked /etc/passwd, and it doesn't seem like any new users have been created. With PHP running as the user, how deeply can they penetrate into the system? Is completely wiping those user accounts and starting over enough? I've also just installed the Linux Malware Detect tool; it's doing its first scan now.
Anybody with more knowledge on these types of problems have any advice on what steps I should take?
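A triage helper for the kind of clean-up described in this post, added here as an example and not part of the original post or of any DirectAdmin/Joomla tooling. It lists PHP files under a web root that contain the eval(gzinflate(base64_decode( pattern (and close variants with different spacing, casing or decoders, or eval fed straight from request parameters), lists files modified after a suspected compromise date, and moves a file out of the web root so Apache can no longer execute it. The web root, the file contents and the compromise date are all constructed below so the script runs offline; the "payloads" are harmless placeholder strings, not real malware.

```shell
#!/bin/sh
# Added example, not code from the original post. Triage helpers for an
# infected Joomla web root: content-based scan, mtime-based scan, quarantine.

# Build a small constructed sample web root (hypothetical files, harmless
# placeholder strings) so the functions below have something to scan.
make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/images/stories" "$root/administrator"
  printf '<?php echo "clean site"; ?>\n' > "$root/index.php"
  # obfuscated payload style from the post: eval(gzinflate(base64_decode(...)))
  printf '<?php eval(gzinflate(base64_decode("SGVsbG8="))); ?>\n' \
    > "$root/images/stories/cache.php"
  # same thing with spacing/casing variations that a fixed-string grep misses
  printf '<?php EVAL ( GZINFLATE ( base64_decode ( "SGVsbG8=" ) ) ) ; ?>\n' \
    > "$root/thumbs.php"
  # backdoor that evaluates code taken straight from the request
  printf '<?php /* Web Shell by oRb */ eval($_POST["c"]); ?>\n' \
    > "$root/administrator/help.php"
  echo "$root"
}

# Print PHP files whose contents match obfuscation / web-shell indicators:
# eval wrapped around a decoder (gzinflate, gzuncompress, base64_decode,
# str_rot13) or eval applied directly to a request superglobal.
find_obfuscated_php() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) -print0 \
    | xargs -0 grep -liE \
        'eval[[:space:]]*\([[:space:]]*(gzinflate|gzuncompress|base64_decode|str_rot13)[[:space:]]*\(|eval[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST|COOKIE)' \
    | sort
}

# Print files modified after a timestamp given as YYYYMMDDhhmm (POSIX touch -t
# plus find -newer, so it works without GNU-only -newermt). Caveat: mtime is
# trivially reset with touch, so this is a review hint, not proof; the
# content scan above is the stronger check.
find_modified_since() {
  ref=$(mktemp)
  touch -t "$2" "$ref"
  find "$1" -type f -newer "$ref" | sort
  rm -f "$ref"
}

# Move a suspect file into a quarantine directory outside the web root and
# drop all permissions. Moving it out of DocumentRoot is what makes it safe:
# with AddHandler-style PHP configs, a file renamed to foo.php.bak inside the
# web root can still be executed, because ".php" still appears in the name.
quarantine_file() {
  mkdir -p "$2"
  dest="$2/$(basename "$1").quarantined"
  mv "$1" "$dest"
  chmod 000 "$dest"
}

# Stand-alone demo on the constructed web root (assumed compromise date is
# 2012-12-21, the December 21st mentioned in the post).
demo_root=$(make_sample_webroot)
echo "== suspect PHP files under $demo_root =="
find_obfuscated_php "$demo_root"
echo "== files modified since 2012-12-21 =="
find_modified_since "$demo_root" 201212210000
```

Run it against a real web root by calling find_obfuscated_php /home/user/domains/example.com/public_html (path assumed) and reviewing the list by hand before quarantining; Joomla core ships no file that evals a decoded blob, so hits there are worth a look, but third-party extensions occasionally use encoded loaders, which is why the list is for review rather than automatic deletion.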