I'm receiving many of these messages:
Website: www.mydomain.com/
Page: /components/com_facileforms/libraries/jquery/uploadify.php
Description: There was an attempt to upload a file with multiple extensions.
Alert level: Medium
Date of event: 22.02.2014 14:04:31
In the past, I had the same issue and a couple days after receiving the messages 1&1 sent me this:
Subject: 1&1 Alert: Your website is distributing a dangerous virus!
This is an urgent notice regarding the websites you host on your 1&1 Server.
At least one of your websites has been attacked by a third party: Malicious
code has been inserted into your files, aiming to infect every visitor of
your website ("drive-by download").
The following files or folders were reported to us:
- IMPORTANT: Do NOT open the following files or URL in a browser! This could
infect your computer. -
http:\\mydomain.com\images\stories\pageinfo.php
This malicious content was presumably stored onto your 1&1 Server after an
attack. According to our experience these attacks mostly happen through
compromised access data or insecure PHP scripts.
Note: This represents of course a serious danger for the security of your 1&1
Server.
*******************************************************************************
IMPORTANT: For this reason, please reply to this e-mail within 48 hours,
preserving our reference [Ticket AB78142401] in your message.
In case we should not receive any feedback from you in this time, we would have
to disconnect your Server for your own security.
*******************************************************************************
To resolve the problem, please observe the following indications:
1. Disable infected files:
1.1 In order to prevent further harm, please disable all infected files at your
earliest convenience.
1.2 Subsequently rebuild your website replacing the infected files by a clean
and updated version.
2. Find the intrusion point and secure it:
2.1 Check through your FTP log files whether the malicious files mentioned
above were uploaded via FTP. Change your FTP access data immediately if this was
the case.
2.2. The main reason for stolen passwords being viruses, please run an
exhaustive anti-virus scan on your local network and install an updated
antivirus software on all computers that access your 1&1 Server.
2.3 Consider changing your other passwords as well. Think for example of the
passwords for your
- 1&1 Control Panel
- your e-mail accounts
- your online banking account
- your accounts at eBay, Amazon, PayPal and others
2.4 If no FTP upload occurred, please update all your PHP scripts. This
includes content management software such as Joomla!, Dolphin or phpBB.
2.5 In case you should not be able to find the intrusion point, please
reinitialize your Server. Scan the backup of your content before reloading it
onto your Server.
If you should require further information, please simply reply to this e-mail,
preserving our reference [Ticket AB78142401] in your message.
We appreciate your cooperation and look forward to continuing to provide you with
safe and secure hosting.
Kind regards,
Abuse Team
The attacker found a way to upload the PHP file despite RSFirewall!
Is there any way to fix this other than restore the entire website?
My RsFirewall is using the default settings.
Joomla 1.5.26 RSFirewall 1.4.0 REV44
I will appreciate any advice.
Thanks.
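
An added example, not part of the original post or of RSFirewall: a read-only audit that walks a web root and flags script files under a media directory (as with the `images/stories/pageinfo.php` file reported in the e-mail) and file names that hide a script extension behind another one. The extension list, the `images` media directory and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions the PHP handler may execute; match this to the server config.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pht", "phar"}
# Assumption: top-level directories under the web root that should hold only media.
MEDIA_DIRS = ("images",)

def classify(rel_path):
    """Return the reasons a path (relative to the web root) looks suspicious."""
    parts = rel_path.replace("\\", "/").lower().split("/")
    exts = parts[-1].split(".")[1:]  # every extension, not just the last one
    reasons = []
    if len(parts) > 1 and parts[0] in MEDIA_DIRS and exts and exts[-1] in SCRIPT_EXTS:
        reasons.append("script in media directory")
    # A script extension that is not the last one, e.g. name.php.jpg
    if any(e in SCRIPT_EXTS for e in exts[:-1]):
        reasons.append("script extension hidden behind another extension")
    return reasons

def audit(web_root):
    """Walk web_root without modifying it; map suspicious paths to reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), web_root)
            reasons = classify(rel)
            if reasons:
                findings[rel.replace(os.sep, "/")] = reasons
    return findings

def demo():
    """Audit a constructed tree of empty files (sample data, not a real site)."""
    sample = ("images/stories/pageinfo.php", "images/stories/logo.png",
              "images/banner.php.jpg", "index.php",
              "components/com_content/content.php")
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

Flagged paths are candidates for review against a clean copy of the same Joomla release, not proof of infection on their own.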