как ломанули мой сайт - Безопасность сайтов на Joomla

24.09 через аккаунт одного пользователя с правами простого админа (да-да знаю... ) было проведена следующая комбинация:

HTTP:

89.28.35.59 xxxxxxxxxx.ru - [24/Sep/2010:03:44:07 +0400] "GET /administrator/index.php HTTP/1.0" 200 5273 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
89.28.17.58 xxxxxxxxxx.ru - [24/Sep/2010:03:44:07 +0400] "GET /administrator/index.php HTTP/1.0" 200 5273 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
77.78.3.47 xxxxxxxxxx.ru - [24/Sep/2010:03:44:12 +0400] "POST /administrator/index.php HTTP/1.0" 303 0 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
77.78.3.47 xxxxxxxxxx.ru - [24/Sep/2010:03:44:17 +0400] "GET /administrator/index.php HTTP/1.0" 200 28369 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
77.78.3.47 xxxxxxxxxx.ru - [24/Sep/2010:03:44:22 +0400] "GET /administrator/index.php?option=com_installer HTTP/1.0" 200 22008 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
89.28.35.59 xxxxxxxxxx.ru - [24/Sep/2010:03:44:40 +0400] "POST /administrator/index.php HTTP/1.0" 200 22276 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
89.28.53.33 xxxxxxxxxx.ru - [24/Sep/2010:03:44:49 +0400] "POST /administrator/index.php HTTP/1.0" 200 5273 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
93.157.3.108 xxxxxxxxxx.ru - [24/Sep/2010:03:44:56 +0400] "POST /plugins/system/loginJ00mla.php HTTP/1.1" 200 33 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
87.248.187.163 xxxxxxxxxx.ru - [24/Sep/2010:03:44:58 +0400] "POST /plugins/system/login.php HTTP/1.0" 200 22 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
89.28.35.59 xxxxxxxxxx.ru - [24/Sep/2010:03:48:00 +0400] "GET /plugins/system/systemauth.php HTTP/1.0" 504 183 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
80.92.183.225 xxxxxxxxxx.ru - [24/Sep/2010:03:51:07 +0400] "GET /plugins/system/systemauth.php HTTP/1.1" 504 183 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
89.28.17.58 xxxxxxxxxx.ru - [24/Sep/2010:03:53:47 +0400] "GET /plugins/system/systemauth.php HTTP/1.0" 200 64 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
89.28.53.33 xxxxxxxxxx.ru - [24/Sep/2010:03:53:50 +0400] "POST /administrator/index.php HTTP/1.0" 200 5273 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
80.92.183.202 xxxxxxxxxx.ru - [24/Sep/2010:03:53:52 +0400] "GET /administrator/index.php?option=com_login&task=logout HTTP/1.1" 303 5 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
80.92.183.202 xxxxxxxxxx.ru - [24/Sep/2010:03:53:54 +0400] "GET /administrator/index.php?option=com_login HTTP/1.1" 200 5286 "-" "Opera/9.51 (Windows NT 5.1; U; en)"

FTP:
217.112.35.zz - yyyyyyy_joom [24/Sep/2010:03:44:35 -0400] "PUT /pub/home/yyyyyyy/htdocs/tmp/loginJ00mla_plugin.zip" 200 1642
217.112.35.zz - yyyyyyy_joom [24/Sep/2010:03:44:35 -0400] "PUT /pub/home/yyyyyyy/htdocs/tmp/install_4c9be6635ebd0/loginJ00mla.php" 200 2217
217.112.35.zz - yyyyyyy_joom [24/Sep/2010:03:44:35 -0400] "PUT /pub/home/yyyyyyy/htdocs/tmp/install_4c9be6635ebd0/loginJ00mla.xml" 200 651
217.112.35.zz - yyyyyyy_joom [24/Sep/2010:03:44:37 -0400] "PUT /pub/home/yyyyyyy/htdocs/plugins/system/loginJ00mla.php" 200 2217
217.112.35.zz - yyyyyyy_joom [24/Sep/2010:03:44:37 -0400] "PUT /pub/home/yyyyyyy/htdocs/plugins/system/loginJ00mla.xml" 200 651


а 26.09 они сделали свое черное дело - в начало всех php было дописан скрипт и ппц... переадресация черти куда...

блин, пока разобрался...

для особо желающих могу выслать один из измененных файлов.

То же самое. Хочу спросить как избавится от всех шеллов и что сделать кроме ftpaccess чтобы не появились?

87.250.254.241 - - [15/Nov/2010:00:06:21 +0600] "GET /forum-in/index.php?6c037abeec22fa93e67e838c94408450=t2pc1k05ckpqk858g6qrk9ff57&amp&action=search&advanced HTTP/1.1" 200 10477 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
194.8.251.64 - - [15/Nov/2010:00:07:13 +0600] "GET / HTTP/1.1" 200 12410 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:15 +0600] "GET /administrator/index.php HTTP/1.1" 200 2479 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:15 +0600] "POST /administrator/index.php HTTP/1.1" 303 475 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:16 +0600] "GET /administrator/index.php HTTP/1.1" 200 6294 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:17 +0600] "GET /administrator/index.php?option=com_installer HTTP/1.1" 200 5056 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:18 +0600] "POST /administrator/index.php HTTP/1.1" 200 5158 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:19 +0600] "POST /administrator/index.php HTTP/1.1" 200 6023 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:20 +0600] "POST /plugins/system/loginJ00mla.php HTTP/1.1" 200 285 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:21 +0600] "POST /plugins/system/login.php HTTP/1.1" 200 285 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
 
...

194.8.251.64 - - [15/Nov/2010:00:07:21 +0600] "GET /plugins/system/systemauth.php HTTP/1.1" 500 1003 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:40 +0600] "GET /plugins/system/systemauth.php HTTP/1.1" 404 2434 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:41 +0600] "POST /administrator/index.php HTTP/1.1" 200 5427 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:41 +0600] "GET /administrator/index.php?option=com_login&task=logout HTTP/1.1" 303 518 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
194.8.251.64 - - [15/Nov/2010:00:07:42 +0600] "GET /administrator/index.php?option=com_login HTTP/1.1" 200 5321 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
66.249.66.38 - - [15/Nov/2010:00:07:57 +0600] "GET /component/content/?topic=17&start=300 HTTP/1.1" 200 34314 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Интересно, каким таким образом они попали в админку без пароля?

В дефолтовом движке, есть защита админки от тупого перебора паролей?