Download the log from here:
---------------------------------------

Is this a new exploit?

Hi

i also was hacked last night and in the Log the last action was an Upload in Expose!
Does you know what Files i have to change ?
I think i ask my Provider for do a Restore for the whole Site.

Uwe

[s]Expose uses the amfphp plugin which caused the hole in the security. You need to change these files:
components/com_expose/expose/manager/amfphp/amf-core/app/Actions.php
components/com_expose/expose/manager/amfphp/amf-core/app/Executive.php
components/com_expose/expose/manager/amfphp/amf-core/app/php5Executive.php
components/com_expose/expose/manager/amfphp/amf-core/io/AMFDeserializer.php
components/com_expose/expose/manager/amfphp/amf-core/io/AMFSerializer.php
administrator/components/com_expose/uploadimg.php (by ftp)

Add a line at the beginning of these scripts with:
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );[/s]

Or you could download the updated zip on http://joomlacode.org/gf/project/expose/frs/ and [s]replace these six files with JoomXplorer. (use JoomXplorer to preserve the owner of the files)[/s]

I just had 5 sites hacked with this, thanx for the fix.

And I guess a lot of other users will have the same problem :| so making this topic sticky.

Thank you for the help Tokapi, I'm re-installing the gallery right now.