hacked - redirecting all google traffic to spam

Discussion regarding Joomla! 1.5 security issues.

Post by portablemarko » Thu May 31, 2012 3:40 pm

Well, a bunch of my sites were hacked a while back and I thought I'd managed to clear them up by replacing htaccess files and deleting obvious scripts, but I've obviously missed something.
I suspect Ninjaexplorer was the source of the hack, which is now uninstalled - but I'm still left with all traffic from Google being redirected.

I'm no expert, but the htaccess file doesn't look compromised, and I don't really know what else I should be looking for in the index.php or configuration files. (I can't differentiate between malicious JavaScript and stuff that's supposed to be in there!)

Would really appreciate any help with attempting to uncover the root cause of the redirection.

Forum post assistant follows:
Problem Description :: google traffic being redirected to spam sites

Forum Post Assistant (v1.2.1) : 31st May 2012

Basic Environment ::
Joomla! Instance :: Joomla! 1.5.25-Stable (senu takaa ama mamni) 14-November-2011
Joomla! Configured :: Yes | Read-Only (444) | Owner: qzjtkmvq (uid: 642/gid: 644) | Group: qzjtkmvq (gid: 644) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-274.17.1.el5 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/qzjtkmvq/public_html/nebula | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.10 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 20th April 2012 14:33:04. | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.1.62-cll (Client:5.1.62) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 1.00 MiB | #of _FPA_TABLE: 63

Detailed Environment ::
PHP Extensions :: Core (5.3.10) | date (5.3.10) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | posix () | pspell () | Reflection ($Revision: 321634 $) | standard (5.3.10) | imap () | SimpleXML (0.1) | exif (1.4 $Id: exif.c 321634 2012-01-01 13:15:04Z felipe $) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | cgi-fcgi () | timezonedb () | suhosin (0.9.33) | OAuth (1.0-dev) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | imagick (3.0.1) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None administrator/components/com_sobi2/plugins/sobisef/ (775) | components/com_sobi2/plugins/sobisef/ (775) | components/com_sobi2/templates/standard_advanced/css/ (775) | components/com_sobi2/templates/standard_advanced/images/ (775) | components/com_sobi2/templates/standard_advanced2/css/ (775) | components/com_sobi2/templates/standard_advanced2/images/ (775) |

Extensions Discovered ::
Components :: SITE :: User (1.5.0) | Wrapper (1.5.0) | MailTo (1.5.0) | WF_NONBREAKING_TITLE (2.0.21) | WF_AUTOSAVE_TITLE (2.0.21) | WF_TABLE_TITLE (2.0.21) | WF_MEDIA_TITLE (2.0.21) | WF_BROWSER_TITLE (2.0.21) | WF_PASTE_TITLE (2.0.21) | WF_LINK_TITLE (2.0.21) | WF_CONTEXTMENU_TITLE (2.0.21) | WF_PREVIEW_TITLE (2.0.21) | WF_XHTMLXTRAS_TITLE (2.0.21) | WF_SPELLCHECKER_TITLE (2.0.21) | WF_SOURCE_TITLE (2.0.21) | WF_CLEANUP_TITLE (2.0.21) | WF_SEARCHREPLACE_TITLE (2.0.21) | WF_TEXTCASE_TITLE (2.0.21) | WF_VISUALCHARS_TITLE (2.0.21) | WF_INLINEPOPUPS_TITLE (2.0.21) | WF_LAYER_TITLE (2.0.21) | WF_FULLSCREEN_TITLE (2.0.21) | WF_ARTICLE_TITLE (2.0.21) | WF_STYLE_TITLE (2.0.21) | WF_DIRECTIONALITY_TITLE (2.0.21) | WF_PRINT_TITLE (2.0.21) | WF_IMGMANAGER_TITLE (2.0.21) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.21) | WF_LINKS_JOOMLALINKS_TITLE (2.0.21) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.21) | WF_POPUPS_WINDOW_TITLE (2.0.21) | WF_AGGREGATOR_VIMEO_TITLE (2.0.21) | WF_AGGREGATOR_[youtube]_TITLE (2.0.21) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.21) |
Components :: ADMIN :: Polls (1.5.0) | Mass Mail (1.5.0) | Module Manager (1.5.0) | Template Manager (1.5.0) | Language Manager (1.5.0) | Content Page (1.5.0) | Plugin Manager (1.5.0) | Configuration Manager (1.5.0) | Frontpage (1.5.0) | Akeeba (3.4.3) | Banners (1.5.0) | Media Manager (1.5.0) | RokNavMenu Bundle (3.4) | Messaging (1.5.0) | Newsfeeds (1.5.0) | Menus Manager (1.5.0) | Cache Manager (1.5.0) | Contact Items (1.0.0) | Sobi2 (2.9.4.1) | Sobi2 Search Module (2.2) | Search (1.5.0) | Installation Manager (1.5.0) | CK Forms (1.3.5) | Xmap (1.2.14) | Remository Plugin (1.0.3) | Content Plugin (1.5.1) | Hot Property Plugin (1.0.1) | Rapid Recipe Plugin (1.0.0) | JEvents Plugin (1.0.3) | Virtuemart Plugin (1.1.4) | Agora Plugin (1.0.0) | JoomDOC Extension (1.0.0) | Contacts Plugin (1.0.1) | Mosets Tree Plugin (1.0.1) | Eventlist Plugin (1.0.0) | JoomSuite Resources Plugin (1.0.0) | Rokdownloads Plugin (1.0.4) | JCALPro Plugin (1.0.0) | JoomGallery Plugin (1.5.1) | DOCman Plugin (1.5.0) | SOBI2 Plugin (1.5.1) | Yoflash XMap Plugin (0.0.1) | Kunena Plugin (1.0.2) | RD-Autos Plugin (1.5.0) | RSGallery2 Extension (1.0.0) | Jomres Plugin (1.0) | CMS Shop Builder Plugin (1.5.0) | Zoo Plugin (1.0.4) | JMovies Plugin (1.5.0) | Gallery2 Bridge Plugin (1.0.2) | lknAnswers Plugin (1.5.0) | JDownloads Plugin (1.5.1) | Glossary Plugin (1.5.2) | AcyMailing Plugin (1.0.0) | Web Links Plugin (1.5.1) | KnowledgeBase Plugin (1.0.0) | MyBlog Plugin (1.5.1) | SectionEx Plugin (1.0.2) | Trash (1.0.0) | User Manager (1.5.0) | Gantry (3.1.18) | Weblinks (1.5.0) | Unknown (-) | JCE (2.0.21) | Editor - JCE (2.0.21) | Control Panel (1.5.0) |

Modules :: SITE :: Related Items (1.0.0) | Wrapper (1.0.0) | Custom HTML (1.5.0) | Banner (1.5.0) | RokTabs (1.20) | Latest News (1.5.0) | SOBI2 Drop down Menu Module (1.1) | Footer (1.5.0) | RokStories (2.2) | Statistics (1.5.0) | Login (1.5.0) | Sections (1.5.0) | Feed Display (1.5.0) | Breadcrumbs (1.5.0) | Poll (1.5.0) | RokTwittie (2.7) | RokSlideshow (4.2) | Most Read Content (1.5.0) | Archived Content (1.5.0) | Menu (1.5.0) | Newsflash (1.5.0) | Search (1.0.0) | RokNavMenu (3.4) | Who\'s Online (1.0.0) | Sobi2 Search Module (2.2) | Syndicate (1.5.0) | sobi2 Simple Featured Listings (v2.0.6) | SOBI2 Latest Module (1.8) | Random Image (1.5.0) |
Modules :: ADMIN :: Online Users (1.0.0) | User Status (1.5.0) | Custom HTML (1.5.0) | Footer (1.0.0) | Logged in Users (1.0.0) | Items Stats (1.0.0) | Login Form (1.0.0) | Latest News (1.0.0) | Feed Display (1.5.0) | Akeeba Backup Notification Mod (3.4.3) | Admin Menu (1.0.0) | Quick Icons (1.0.0) | Title (1.0.0) | Toolbar (1.0.0) | Admin Submenu (1.0.0) | Popular Items (1.0.0) | Unread Items (1.0.0) |

Plugins :: SITE :: Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Authentication - GMail (1.5) | Authentication - Example (1.5) | Authentication - Joomla (1.5) | Editor - JCE (2.0.21) | Editor - RokPad (1.8) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | RokNavMenu - Boost (3.4) | RokNavMenu - Extended Link (3.4) | Content - Load Modules (1.5) | Content - Page Navigation (1.5) | Content - Vote (1.5) | Content - Email Cloaking (1.5) | Content - Code Highlighter (Ge (1.5) | Content - Example (1.0) | Content - Pagebreak (1.5) | Content - CKforms Form Display (1.3.4) | Search - Sections (1.5) | Search - Content (1.5) | Search - Newsfeeds (1.5) | Search - Contacts (1.5) | Search - Weblinks (1.5) | Search - Categories (1.5) | User - Example (1.0) | User - Joomla! (1.5) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | System - Title Manager (2.0) | System - SEF (1.5) | Akeeba Backup Lazy Scheduling (3.3) | System - Remember Me (1.5) | System - Backlinks (1.5) | System - Legacy (1.5) | System - OpenPotion Asynchrono (1.1) | System - Mootools Upgrade (1.5) | System - Log (1.5) | System - Debug (1.5) | System - Cache (1.5) | System - Gantry (3.1.18) | Button - Readmore (1.5) | Button - Pagebreak (1.5) | Button - Image (1.0.0) |

Templates Discovered ::
Templates :: SITE :: rt_gantry_j15 (3.1.18) |
Templates :: ADMIN :: Khepri (1.0) |


Re: hacked - redirecting all google traffic to spam

Post by mandville » Thu May 31, 2012 3:46 pm

check this topic http://forum.joomla.org/viewtopic.php?f=432&t=705216

investigate
Elevated Permissions (First 10) :: None administrator/components/com_sobi2/plugins/sobisef/ (775) | components/com_sobi2/plugins/sobisef/ (775) | components/com_sobi2/templates/standard_advanced/css/ (775) | components/com_sobi2/templates/standard_advanced/images/ (775) | components/com_sobi2/templates/standard_advanced2/css/ (775) | components/com_sobi2/templates/standard_advanced2/images/ (775) |
HU2HY- Poor questions = Poor answer
Unrequested Help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
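
An added example, not part of the thread and not code from the Forum Post Assistant: a read-only shell triage that lists group- or world-writable directories like the 775 paths quoted above, and flags files that key on a search-engine referrer or eval a decoded string. The function names, the search-engine list and the regexes are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: read-only triage of a Joomla docroot.
# Every pattern here is a heuristic chosen for this example; review each hit by hand.

# Directories writable by group or other (what FPA lists as "Elevated Permissions").
writable_dirs() {
    find "$1" -type d \( -perm -g+w -o -perm -o+w \) -print | sort
}

# PHP/.htaccess files that read the Referer header AND name a search engine:
# the shape of code that only acts on visitors arriving from search results.
referrer_checks() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) \
        -exec grep -liE 'HTTP_REFERER' {} + 2>/dev/null |
    while IFS= read -r f; do
        if grep -qiE 'google|bing|yahoo' "$f"; then printf '%s\n' "$f"; fi
    done | sort
}

# PHP files that eval() a decoded string, a common way to hide injected code.
obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)[[:space:]]*\(' \
        {} + 2>/dev/null | sort
}

# Constructed sample tree (not real site files) so the checks can be tried offline.
make_sample() (
    d=$(mktemp -d)
    mkdir -p "$d/components/com_demo/css" "$d/images"
    chmod 755 "$d" "$d/components" "$d/components/com_demo" "$d/images"
    chmod 775 "$d/components/com_demo/css"
    printf '%s\n' '<?php if (stristr($_SERVER["HTTP_REFERER"], "google")) { /* injected branch */ }' > "$d/index.php"
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw=="));' > "$d/images/x.php"
    printf '%s\n' '<?php echo "clean";' > "$d/components/com_demo/ok.php"
    printf '%s\n' "$d"
)

report() {
    echo "== group/world-writable directories"; writable_dirs "$1"
    echo "== referrer-conditional code";        referrer_checks "$1"
    echo "== eval of decoded strings";          obfuscated_php "$1"
}

# With a path argument, scan that tree; with none, scan the constructed sample.
if [ -n "${1:-}" ]; then report "$1"; else s=$(make_sample); report "$s"; rm -rf "$s"; fi
```

Hits are leads, not verdicts: legitimate extensions also read the referrer, so compare each flagged file against a clean copy of the same Joomla or extension release.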


Re: hacked - redirecting all google traffic to spam

Post by portablemarko » Thu May 31, 2012 4:02 pm

thanks mandville - I read most of that thread the first time round too!
Is there something you can point me to that will guide me on downloading only my content to back up before I wipe and reinstall Joomla - I'm worried I may miss something (articles or sobi2 data)?

