I've realized that a malicious js script was introduced on my website, here is the source code (it is encoded on my website):
Code:
<!-- rk_czxV1dv1UTfErdQy27 --><script type="text/javascript">document.write(unescape('<script language="JavaScript">
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','888791819281878942577939317'),l=x.length;
while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>'));</script>
<div class="dnn" id="615267">
<p><a href="http://bad-web-site">chantix online</a>
</p>
</div>
<!-- /rk_czxV1dv1UTfErdQy27 -->
Now I've tried to deactivate every module one by one, but none seems to remove this backlink from my homepage. Since yesterday, I can't access my Admin page anymore. It's been blocked by an htaccess password for a while, so I don't think it's part of the hack; maybe it's simply that I did something wrong with my database. When I log in, it doesn't tell me that anything was wrong, but it doesn't redirect me to the admin panel. I stay on the login page.
Finally, here is the FPA analysis:
Last PHP Error(s) Reported ::
Forum Post Assistant (v1.2.3) : 25th April 2013 wrote:
[20-Feb-2012 14:10:48] PHP Fatal error: require_once() [<a href=\'function.require\'>function.require</a>]: Failed opening required \'/home/gitesru/public_html/templates/404.php\' (include_path=\'.:/usr/lib/php:/usr/local/lib/php\') in /home/gitesru/public_html/plugins/system/backlink.php on line 508
Many thanks for your help
Forum Post Assistant (v1.2.3) : 25th April 2013 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Writable (644) | Owner: gitesru (uid: 1/gid: 1) | Group: gitesru (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.18-348.3.1.el5 | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/gitesru/public_html | System TMP Writable: Yes
PHP Configuration :: Version: 5.2.17 | PHP API: cgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 20th February 2012 14:10:48. | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M
MySQL Configuration :: Version: 5.1.68-cll (Client:5.1.68) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 3.68 MiB | #of Tables: 100
Detailed Environment ::
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mysql (1.0) | SimpleXML (0.1) | posix () | Reflection (0.1) | imap () | SPL (0.2) | mysqli (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi () | timezonedb () | suhosin (0.9.32.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | Zend Engine (2.2.0) |
Potential Missing Extensions ::
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) ::
Extensions Discovered ::
Components :: SITE :: MailTo (1.5.0) | Wrapper (1.5.0) | User (1.5.0) |
Components :: ADMIN :: Frontpage (1.5.0) | Messaging (1.5.0) | Template Manager (1.5.0) | Banners (1.5.0) | Plugin Manager (1.5.0) | Language Manager (1.5.0) | sh404sef (1.0.19_Beta) | Polls (1.5.0) | Content Plugin (1.0.1) | XMap Plugin (1.0) | Xmap (1.0.1) | Xmap (1.1) | Installation Manager (1.5.0) | JCE (1.5.0 RC4) | JCE Admin Control Panel (1.0.0) | English(United Kingdom) (1.5.0) | Joom!Fish (2.0.2) | JCE (1.5.2) | Control Panel (1.5.0) | Media Manager (1.5.0) | Search (1.5.0) | Mass Mail (1.5.0) | Contact Items (1.0.0) | Newsfeeds (1.5.0) | User Manager (1.5.0) | Configuration Manager (1.5.0) | Content Page (1.5.0) | Menus Manager (1.5.0) | Trash (1.0.0) | Cache Manager (1.5.0) | Module Manager (1.5.0) | Weblinks (1.5.0) | JM Sitemap (2.0 BETA) |
Modules :: SITE :: Feed Display (1.5.0) | Random Image (1.5.0) | Login (1.5.0) | JoomFish-Language Selection (2.0.1) | QuickNav (1.7) | Archived Content (1.5.0) | Related Items (1.0.0) | Sections (1.5.0) | Who\'s Online (1.0.0) | Wrapper (1.0.0) | Custom HTML (1.5.0) | Menu (1.5.0) | Breadcrumbs (1.5.0) | Search (1.0.0) | Poll (1.5.0) | Banner (1.5.0) | Statistics (1.5.0) | Latest News (1.5.0) | Most Read Content (1.5.0) | Footer (1.5.0) | Syndicate (1.5.0) | Newsflash (1.5.0) |
Modules :: ADMIN :: Feed Display (1.5.0) | Admin Submenu (1.0.0) | Login Form (1.0.0) | Logged in Users (1.0.0) | Online Users (1.0.0) | Popular Items (1.0.0) | User Status (1.5.0) | Direct Translation (2.0.1) | Quick Icons (1.0.0) | Title (1.0.0) | Custom HTML (1.5.0) | Admin Menu (1.0.0) | Toolbar (1.0.0) | JCE Admin Control Panel (1.0.0) | Unread Items (1.0.0) | Items Stats (1.0.0) | Footer (1.0.0) | Latest News (1.0.0) |
Plugins :: SITE :: Joomfish - Missing Translation (2.0.1) | User - Joomla! (1.5) | User - Example (1.0) | Editor - JCE 1.5.2 (1.5.2) | Editor - XStandard Lite for Jo (1.0) | Editor - TinyMCE 3 (3.2.6) | File Browser (1.5.0 Stable) | Paste (1.5.1) | Paste (1.5.0) | Advanced Code Editor (1.5.0) | Joomla! Links for Advanced Lin (1.2.0) | Advanced Link (1.5.1) | Object Support (1.5.1) | Image Manager (1.5.2) | SpellChecker (2.0.0) | System - Log (1.5) | System - Remember Me (1.5) | System - Mootools Upgrade (1.5) | System - Cache (1.5) | System - Debug (1.5) | System - Legacy (1.5) | Joomfish - Basic Router (2.0.1) | Joomfish - Abstraction Layer (2.0.1) | sh404SEF - system - plugin (Version_1.0.B) | System - SEF (1.5) | System - Backlinks (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - OpenID (1.5) | Search - Joomfish Content (2.0.1) | Search - Contacts (1.5) | Search - Content (1.5) | Search - Joomfish Weblinks (2.0.1) | Search - Joomfish Contacts (2.0.1) | Search - Joomfish Sections (2.0.1) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Sections (1.5) | Search - Categories (1.5) | Search - Joomfish Newsfeeds (2.0.1) | Search - Joomfish Categories (2.0.1) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | Content - akJoomGallery (1.1.0) | Content - Code Highlighter (Ge (1.5) | Content - Joomla Extra News Pl (2.0.5) | Easy eXtended Gallery (1.5.0.3) | Content - Vote (1.5) | Google Maps (2.11a) | Content - Pagebreak (1.5) | Content - Page Navigation (1.5) | Content - Example (1.0) | Joomfish Alternative Language (2.0.1) | Content - Load Modules (1.5) | Content - Email Cloaking (1.5) | Button - Readmore (1.5) | Button - Pagebreak (1.5) | Button - Image (1.0.0) |
Templates Discovered ::
Templates :: SITE :: JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) | siteground (1.0.14) | beez (1.0.0) | siteground-j15-23 (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) |
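
The string table in the injected script quoted at the top of this post can be decoded without running the script. The following is an added example, not part of the original post: it reimplements the sample's decoding loop for Node.js and shows that x[0] decodes to "style" and x[1] begins with "positio", consistent with a CSS rule being written for the .dnn div that wraps the link, and that the table as posted lacks the x[2] and x[4] entries the script reads. The function names and the USED_INDICES constant are chosen here for illustration.

```javascript
// Added analysis helper, not code from the original post. It decodes the
// sample's string table offline: nothing is eval'd and document.write is never called.

// Encoded table and the indices read by document.write, copied from the sample.
const ENCODED = ['9091968376', '888791819281878942577939317'];
const USED_INDICES = [0, 4, 2, 1];

// Mirrors the sample's loop: pass a (1..l) handles index l - a, reads two
// decimal digits at a time and adds (25 - l + a) to obtain a character code.
function decodeTable(table) {
  const l = table.length;
  return table.map((entry, index) => {
    const a = l - index;
    const shift = 25 - l + a;
    let text = '';
    for (let i = 0; i + 1 < entry.length; i += 2) {
      text += String.fromCharCode(parseInt(entry.slice(i, i + 2), 10) + shift);
    }
    // A trailing odd digit never forms a pair, so the sample's loop drops it.
    const leftover = entry.length % 2 === 1 ? entry.slice(-1) : '';
    return { index, shift, text, leftover };
  });
}

// Indices the script reads that the table as posted does not contain.
function missingIndices(table, used) {
  return used.filter((i) => i >= table.length);
}

// Human-readable summary of the decoded table for an incident note.
function report() {
  const lines = decodeTable(ENCODED).map(
    (d) => `x[${d.index}] shift=${d.shift} -> ${JSON.stringify(d.text)}` +
           (d.leftover ? ` (unpaired digit ${d.leftover} dropped)` : '')
  );
  const missing = missingIndices(ENCODED, USED_INDICES);
  if (missing.length) lines.push(`referenced but absent: x[${missing.join('], x[')}]`);
  return lines;
}

console.log(report().join('\n'));
```

The readable prefix followed by noise in x[1], together with the absent x[2] and x[4], indicates the table in the post is not the complete one served by the site, so the copy in the live page source should be decoded the same way.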