Hack Virus - DoorWayIsWork

Discussion regarding Joomla! 3.x security issues.

Post by wakeupscreaming » Mon Apr 18, 2016 7:15 pm

This is an update on my hacked Joomla site.

The "virus" appears to be called: DoorWayIsWork
There isn't much on it -- looks like it affected WordPress before.

It injected some code into my configuration.php file.
Initially, there was some randomly named .php file in the public_html directory. Perhaps the programmer thought it would be a great decoy, thinking that if you deleted that php file, you got rid of the problem, which is not the case -- there is code all over the bottom of the configuration file.

It creates articles and content that get published on your site. Even if you delete them, they'll appear a couple hours later. It affects Google rankings when you have nonsensical offensive content on your website.
Not sure what kind of assholes have absolutely nothing better to do than write code like this. And then targeting me -- I might get 2 visitors a month on my personal portfolio site??

I might just do a clean install -- as I had no backup. I didn't realize Joomla sites were so easy to hack. I've had normal html/css/javascript websites for more than a decade and had never had a problem with them being hacked.
I've already tried picking through the code, deleting some of the obvious virus lines, and my site became completely pooched. Must have deleted some wrong code intermixed in with the hacker virus code.

I guess I'm the lucky one that gets to document this first?

I will not be installing Forum Post Assistant. I think I have enough problems right now.
If you'd like to see my configuration file with the beauty of the virus code -- albeit with my database, email information, etc. stripped out of it, I can make that available, just ask for it.
The Joomla version of the site I was using: Joomla! 3.4.1 Stable.

BM.

Re: Hacked by Dog Lovers

Post by mandville » Mon Apr 18, 2016 9:04 pm

Are you sure it's a hack and not just someone registering and inserting articles via K2, for example?
Run and post the Forum Post Assistant link at top of page.

Re: Hacked by Dog Lovers

Post by connektiva » Tue Apr 19, 2016 7:47 am

Are you using a clean template? Distributed templates from x sites may contain embedded hacks.


Re: Hack Virus - DoorWayIsWork

Post by wakeupscreaming » Tue Apr 19, 2016 8:01 am

Yes, I had my template and Joomla site installed last October or November or even earlier. I was alerted by Google about 5 days ago that it had been hacked and my rankings would go down. I'd say it was hacked about a week and a half ago.
The template is JoomlaMan Consilium.

I've attached a screencap of some of the code.


Re: Hack Virus - DoorWayIsWork

Post by mandville » Tue Apr 19, 2016 8:41 am

Please run and post http://forum.joomla.org/viewtopic.php?f=621&t=582860
Follow the forum sticky http://forum.joomla.org/viewtopic.php?f=714&t=757645
You were probably hacked from an old version of Joomla.

Re: Hack Virus - DoorWayIsWork

Post by Webdongle » Sun Apr 24, 2016 7:34 am

Here is a summary of http://forum.joomla.org/viewtopic.php?f=714&t=757645
(Before you ask the same question everyone asks: NO, there is no shortcut ... you need to delete ALL the files from the server.)
  1. Run the FPA and post the results on here
  2. Uninstall any untrusted 3rd party extensions and templates https://vel.joomla.org/live-vel
  3. Delete all the files from the server
  4. Scan your computer and all computers that have server or Joomla admin access
  5. Change passwords
  6. Install Joomla (of the same version) to a new database. Install up-to-date 3rd party extensions (that are not on the VEL), then edit the configuration.php to connect to the original database. Update Joomla if you have an old version
  7. Change your Joomla SU/Admin passwords and check the users/groups/access levels are correct and have not been tampered with. Update your Joomla and run the FPA again
Step #6 is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

You should have original images on your computer. Thumbnails generated by gallery extensions can be re-generated by the Component once you have rebuilt the site files.

Addendum
The "virus" appears to be called: DoorWayIsWork
There isn't much on it -- looks like it affected WordPress before.
Looks like the hack is all over your server

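An added example, not part of any post in this thread: one way to read an old configuration.php as plain text, report every line that is not a plain JConfig property (such as code appended at the bottom of the file), and pull out only the database connection values needed for step 6. It assumes Joomla 3 writes the file as a single `class JConfig { ... }` with one single-quoted `public $name = 'value';` per line; the function names and the sample file are constructed for illustration.

```python
import re

# One property as Joomla 3 writes it (assumed format): public $name = 'value';
PROP = re.compile(r"^public\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)';$")
DB_KEYS = ("dbtype", "host", "user", "password", "db", "dbprefix")

# Constructed sample: a minimal configuration.php with one stand-in appended line.
SAMPLE = """<?php
class JConfig {
    public $sitename = 'Portfolio';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'example_user';
    public $password = 'example-password';
    public $db = 'example_db';
    public $dbprefix = 'abc_';
}
$injected_placeholder = 'stand-in for code appended below the class';
"""

def audit_config(text):
    """Return (settings, suspicious) by reading the file as text, never running it."""
    settings, suspicious = {}, []
    state = "start"  # start -> php -> class -> closed
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        prop = PROP.match(line)
        if state == "start" and line == "<?php":
            state = "php"  # exact match: anything sharing this line is reported
        elif state == "php" and re.fullmatch(r"class\s+JConfig\s*\{", line):
            state = "class"
        elif state == "class" and prop:
            # PHP single-quoted strings escape only \\ and \'
            settings[prop.group(1)] = re.sub(r"\\([\\'])", r"\1", prop.group(2))
        elif state == "class" and line == "}":
            state = "closed"
        else:
            suspicious.append((lineno, line[:80]))  # not part of a clean file
    return settings, suspicious

def db_settings(settings):
    """Only the connection values to re-enter in the fresh configuration.php."""
    return {k: settings[k] for k in DB_KEYS if k in settings}

if __name__ == "__main__":
    found, odd = audit_config(SAMPLE)
    print(db_settings(found), odd)
```

Re-enter the extracted values into the configuration.php created by the fresh install instead of copying the old file across, and change the database password as part of step 5.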