On 07.07.2014 at 22:44, Ben Johnson wrote:
> On 7/7/2014 2:47 PM, Ben Johnson wrote:
>> Thanks, Leonardo and Noel! I really appreciate the prompt replies.
>>
>> Leonardo, I see no indication that whoever is sending this mail has
>> authenticated. And given that local connections are permitted to send
>> mail without authenticating on this server, I will pursue Noel's
>> suggested course of action next.
>>
>> I'll let you know if I can't find the source...
>>
>> Thanks again,
>>
>> -Ben
>
> You were right!
>
> It was a compromised Joomla site. I was able to spot it almost
> immediately due to excessive CPU usage.
>
> What's disconcerting is that the Joomla site is completely up-to-date,
> including all extensions, so the vulnerability is either zero-day or
> with another stack component. But that's here nor there

more likely it is using one of the tons of crap plugins written by a monkey

i faced Joomla plugins with code nobody right in his brain ever writes, like "file_put_contents($random_request_var, $random_request_var);" in some gallery plugin years ago

most plugins are written by clueless people for their own needs, who think they do somebody a favor by making them public and no longer care for updates, as they never cared for security due to missing knowledge

rule 1: don't install Joomla if you care for security at all
rule 2: if you think you need it anyway, don't install random plugins
the most important rule: *never ever* allow end users to install any plugin
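
An added example, not part of the original message: a heuristic audit pass that flags PHP file-write calls fed by request data, the pattern quoted in the reply above. The function name, the list of sinks and the sample plugin source are assumptions constructed for illustration; a regex pass only triages code for manual review.

```python
import re

# Constructed sample: the pattern quoted in the post next to a benign write.
SAMPLE = r'''<?php
$target = $_REQUEST['f'];
$body = $_REQUEST['c'];
file_put_contents($target, $body);
$log = __DIR__ . '/cache/gallery.log';
file_put_contents($log, date('c') . "\n", FILE_APPEND);
move_uploaded_file($_FILES['img']['tmp_name'], $dir . '/' . $_POST['name']);
'''

# Request-controlled PHP superglobals (taint sources).
SOURCE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b')
# Functions that create or overwrite files (assumed sink list, extend as needed).
SINK = re.compile(r'\b(file_put_contents|fopen|move_uploaded_file)\s*\(([^;]*)\)')
# Simple "$var = expression;" assignments, excluding "==" and "=>".
ASSIGN = re.compile(r'(\$[A-Za-z_]\w*)\s*=(?![=>])\s*([^;]+);')
VAR = re.compile(r'\$[A-Za-z_]\w*')


def uses_request_data(expr, tainted):
    """True if expr reads a superglobal or a variable derived from one."""
    return bool(SOURCE.search(expr)) or any(v in tainted for v in VAR.findall(expr))


def find_request_driven_writes(php_source):
    """Return (line_no, sink, code) for file writes whose arguments carry request data."""
    tainted, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        # Propagate taint through straight-line assignments.
        for m in ASSIGN.finditer(line):
            name, rhs = m.group(1), m.group(2)
            if uses_request_data(rhs, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
        # Flag any sink call whose argument list touches tainted data.
        for m in SINK.finditer(line):
            if uses_request_data(m.group(2), tainted):
                findings.append((no, m.group(1), line.strip()))
    return findings


if __name__ == "__main__":
    for no, sink, code in find_request_driven_writes(SAMPLE):
        print(f"line {no}: {sink}: {code}")
```

The pass does not recognise sanitisation, so a hit means "read this call", not "this is exploitable".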