Joomla vulnerability?

Scripting vulnerability in Joomla?

One of our former clients let us know that a viewer to their website had been alerted to a virus.

As I still have access to the site, I had a quick look to see what was on the remote server, and noticed a file called “spongy47.html” in the document root.

This file appears to run a script from a so-called “adult” domain (interestingly it doesn’t appear to have been bought yet – and no, I’m not interested in buying it!). And don’t get me started on the meaning of “adult” here!

The content of the file is simply (domain deleted):

<html><head><script>location = ‘[some dodgy domain]’;</script></head></html>

Naturally, I’ve removed it, and asked everyone to change/upgrade their passwords.

Perhaps this is just getting ready for an exploit, as that domain isn’t registered yet. I couldn’t find any references on the web to either the filename or the dodgy website.

Comments welcome!
Alistair