hacked 1.5.26 - Joomla! Forum - community, help and support

problem description :: forum post assistant (v1.2.3) : 9th november 2012 wrote:site hacked , directing malware

last php error(s) reported :: forum post assistant (v1.2.3) : 9th november 2012 wrote:[09-nov-2012 07:42:22] php notice: feed not found @ http://twitter.com/statuses/user_timeli ... bling.atom in /home/timeroc/public_html/libraries/simplepie/simplepie.php on line 1786

actions taken resolve forum post assistant (v1.2.3) 9th november 2012 wrote:cpanel virus scan - no effect

forum post assistant (v1.2.3) : 9th november 2012 wrote:

basic environment :: wrote:joomla! instance :: joomla! 1.5.26-stable (senu takaa ama busani) 27-march-2012
joomla! configured :: yes | writable (644) | owner: timeroc (uid: 1/gid: 1) | group: timeroc (gid: 1) | valid for: 1.5
configuration options :: offline: 0 | sef: 1 | sef suffix: 0 | sef rewrite: 1 | .htaccess/web.config: yes | gzip: 1 | cache: 0 | ftp layer: 0 | ssl: 0 | error reporting: -1 | site debug: 0 | language debug: 0 | database credentials present: yes

host configuration :: os: linux | os version: 2.6.32.27-js-grsec | technology: x86_64 | web server: apache | encoding: gzip,deflate,sdch | doc root: /home/timeroc/public_html | system tmp writable: yes

php configuration :: version: 5.2.15 | php api: cgi-fcgi | session path writable: unknown | display errors: 1 | error reporting: 6135 | log errors to: error_log | last known error: 09th november 2012 07:42:22. | register globals: 0 | magic quotes: 1 | safe mode: 0 | open base: | uploads: 1 | max. upload size: 50m | max. post size: 50m | max. input time: 120 | max. execution time: 60 | memory limit: 128m

mysql configuration :: version: 5.0.96-community-log (client:5.0.96) | host: --protected-- (--protected--) | collation: latin1_general_ci (character set: latin1) | database size: 3.49 mib | #of tables:  64

detailed environment :: wrote:php extensions :: date (5.2.15) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.15) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mysql (1.0) | simplexml (0.1) | posix () | pspell () | reflection (0.1) | imap () | spl (0.2) | mysqli (0.1) | soap () | sockets () | exif (1.4 $id: exif.c 293036 2010-01-03 09:23:27z sebastian $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | timezonedb () | eaccelerator (0.9.6.1) | suhosin (0.9.32.1) | pdo (1.0.4dev) | pdo_sqlite (1.0.1) | sqlite (2.0-dev) | pdo_mysql (1.0.2) | ioncube loader () | zend optimizer () | zend engine (2.2.0) |
potential missing extensions ::

switch user environment (experimental) :: php cgi: yes | server su: yes | php su: yes | custom su (litespeed/cloud/grid): yes
potential ownership issues: no

folder permissions :: wrote:core folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

elevated permissions (first 10) ::

extensions discovered :: wrote:components :: site :: mailto (1.5.0) | wrapper (1.5.0) | user (1.5.0) |
components :: admin :: akeeba (3.1.5) | ccnewsletter (1.0. | frontpage (1.5.0) | banners (1.5.0) | jce (1.5.7) | system - obftrss (1.5. | fulltextrss (1.5.8.1) | joomanager (1.0) | contact items (1.0.0) | module manager (1.5.0) | template manager (1.5.0) | jxtcvtubepro (1.4.0) | language manager (1.5.0) | polls (1.5.0) | zoo (2.2.0) | weblinks (1.5.0) | mass mail (1.5.0) | control panel (1.5.0) | configuration manager (1.5.0) | user manager (1.5.0) | search (1.5.0) | trash (1.0.0) | menus manager (1.5.0) | messaging (1.5.0) | installation manager (1.5.0) | cache manager (1.5.0) | plugin manager (1.5.0) | newsfeeds (1.5.0) | media manager (1.5.0) | content page (1.5.0) |

modules :: site :: menu (1.5.0) | joomlaxtc vtube pro playlist v (1.4.0) | s5 media player (2.0.0) | footer (1.5.0) | yoologin (1.5.13) | yooiecheck (1.5.2) | feed display (1.5.0) | custom html (1.5.0) | related items (1.0.0) | read content (1.5.0) | statistics (1.5.0) | joomlaxtc vtube pro single vie (1.4.0) | syndicate (1.5.0) | login (1.5.0) | yooaccordion (1.5.10) | random image (1.5.0) | latest news (1.5.0) | breadcrumbs (1.5.0) | simple scrolling newsflash (1.5.4) | sections (1.5.0) | archived content (1.5.0) | poll (1.5.0) | ccnewsletter (1.0. | wrapper (1.0.0) | zoo item (2.1.1) | yoocarousel (1.5.18) | s5 media player 2 (2.0.0) | search (1.0.0) | zoo category (2.1.0) | newsflash (1.5.0) | joomanager featured (1.1.0) | zoo tag (2.1.0) | yootweet (1.5.5) | zoo comment (2.1.0) | gtranslate (1.5.x.20) | joomlaxtc vtube pro (1.4.0) | banner (1.5.0) | who\'s online (1.0.0) |
modules :: admin :: quick icons (1.0.0) | latest news (1.0.0) | unread items (1.0.0) | footer (1.0.0) | popular items (1.0.0) | feed display (1.5.0) | title (1.0.0) | custom html (1.5.0) | items stats (1.0.0) | login form (1.0.0) | logged in users (1.0.0) | online users (1.0.0) | user status (1.5.0) | toolbar (1.0.0) | admin submenu (1.0.0) | akeeba backup notification mod (3.1.5) | admin menu (1.0.0) |

plugins :: site :: button - pagebreak (1.5) | button - image (1.0.0) | button - readmore (1.5) | editor - xstandard lite jo (1.0) | editor - tinymce 3 (3.2.6) | file browser (1.5.0 stable) | paste (1.5.6) | paste (1.5.0) | joomla! links advanced lin (1.2.1) | advanced link (1.5.1) | advanced code editor (1.5.6) | image manager (1.5.2) | spellchecker (2.0.0) | object support (1.5.1) | editor - jce 1.5.6 (1.5.6) | user - joomla! (1.5) | user - example (1.0) | authentication - joomla (1.5) | authentication - openid (1.5) | authentication - example (1.5) | authentication - ldap (1.5) | authentication - gmail (1.5) | content - pagebreak (1.5) | content - vote (1.5) | content - iframe plugin (1.5) | content - example (1.0) | content - load modules (1.5) | joomlaxtc vtube pro plug-in (1.4.0) | content - page navigation (1.5) | content - email cloaking (1.5) | joomlaxtc vtube pro playlist p (1.4.0) | content - code highlighter (ge (1.5) | joomlaxtc vtube pro single plu (1.4.0) | search - weblinks (1.5) | search - sections (1.5) | search - content (1.5) | search - newsfeeds (1.5) | search - categories (1.5) | search - contacts (1.5) | zoo search (2.1.0) | xml-rpc - blogger api (1.0) | xml-rpc - joomla api (1.0) | system - debug (1.5) | system - cache (1.5) | system - jce mediabox 1.0.5 (1.0.5) | akeeba backup lazy scheduling (3.1.5) | system - mootools upgrade (1.5) | system - legacy (1.5) | system - title manager (1.0.1) | system - obftrss (1.5. | system - joomsimple content pr (1.12) | system - sef (1.5) | system - set generator tag (1.0) | yooeffects (1.5.2) | system - bigshot google analyt (1.5.2) | system - remember me (1.5) | system - log (1.5) | system - modalizer (2.0.0) | system - backlinks (1.5) | system - nonumber! elements (1.7.6) |

templates discovered :: wrote:templates :: site :: yoo_pure (5.5.1) | ja_purity (1.2.0) | rhuk_milkyway (1.0.2) | beez (1.0.0) |
templates :: admin :: khepri (1.0) |

sorry hear issue... best place start go through joomla security checklist. every hack can fixed way. can find checklist here: http://docs.joomla.org/security_checkli ... or_defaced

with redirect hack, there 2 locations hacked... .htaccess file, , index.html file added (there shouldn't 1 normally). check these 2 files out in root see if abnormal.