1. Does anyone agree with this?
How did you sort the hack last time?
2. How can I narrow down to what's causing the problem?
See the checklist below.
3. Can anyone use a vulnerability in Joomla/Extension and manage to write to php files?
4. Can I make a contra script that deletes a php code from all index and default.php?
Yes, BUT you don't know what else they used/installed.
[ ] Run the Forum Post Assistant / FPA. Instructions available here and are also included in the download package.
[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories.
[ ] Review Vulnerable Extensions List
Another issue is you said you have other CMS etc. installed, were they altered?
[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.
[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.
[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.
[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755.
[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).
[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.
[ ] Ensure you do not have anonymous ftp enabled
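
An added example, not part of the original post: one way to carry out the permissions item of the checklist by walking a Joomla installation and listing everything that is not 644 (files) or 755 (directories). The function names and the sample tree are constructed for illustration.

```python
import os
import stat

FILE_MODE = 0o644  # ideal for files, per the checklist
DIR_MODE = 0o755   # ideal for directories, per the checklist


def audit_permissions(root):
    """Return sorted (relative_path, mode, severity) for entries below root
    whose mode differs from the ideal. Severity is 'world-writable' when
    anyone on the host can write (777, 666, ...), otherwise 'nonstandard'
    (for example a stricter 600), which is reported for review only."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            if mode == expected:
                continue
            severity = "world-writable" if mode & stat.S_IWOTH else "nonstandard"
            findings.append((os.path.relpath(path, root), oct(mode), severity))
    return sorted(findings)


def make_sample_site(root):
    """Build a constructed sample tree (not a real Joomla layout)."""
    layout = {"index.php": 0o644, "configuration.php": 0o600,
              "templates/default.php": 0o666}
    os.makedirs(os.path.join(root, "templates"))
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "templates"), 0o777)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_site(tmp)
        for rel, mode, severity in audit_permissions(tmp):
            print(f"{severity:15} {mode} {rel}")
```

Point `audit_permissions` at the site's document root after restoring fresh files; it only reports and changes nothing.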