joomla injection

[findtim]

yes I know its OLD joomla 1.5 but an interesting thing happened, not sure if its over yet?
http://screencast.com/t/FF9fQ0U14wm

my homepage got injected with this Viagra link and 2 days ago and now its gone away?

I've checked the files and database and Viagra doesn't presently exist.

has anyone else had this issue?

NOTE: the site is currently in a total redo to move to wordpress so I'm not concerned and don't want to upgrade, I just thought it would be interesting to know WHY ?

tim

 

[nt81]

Gone away all on it's own? Doubtful.

Joomla is one of the most insecure CMS's out there. Every time we're having hardcore issues with a site getting repeatedly hacked/broken into / defaced, it is Joomla.

I'm not sure if they have any addons equivalent to Wordfence for Wordpress, but if they do, I would be installing it.

As for why/how? - Sometimes they come in via an insecure contact form and use that as a way of dropping in scripts that they can escalate to the correct privileges to run their own scripts. You'll see a lot of base64 decode type stuff in scripts.

Other times, they will be SQL injection scripts. other times, they will re-write the .htaccess file