Server hacked, spam being sent, cannot find source

Discussion regarding Joomla! 1.5 security issues.

dreev
Joomla! Fledgling
Posts: 3
Joined: Thu Nov 11, 2010 2:01 pm

Post by dreev » Thu Jan 23, 2014 2:00 am

Forum Post Assistant (v1.2.4) : 22nd January 2014 wrote:
Problem Description :: Site hacked, server sending email spam
Actions Taken To Resolve :: Updated to latest 1.5 ver, deleted found .php files after hack,
Basic Environment ::
Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Writable (666) | Owner: dreevy (uid: 1/gid: 1) | Group: dreevy (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-028stab107.1 | Technology: i686 | Web Server: Apache/2.2.8 (Fedora) | Encoding: gzip, deflate | Doc Root: /home/dreevy/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.6 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 6143 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 32M

MySQL Configuration :: Version: 5.0.45 (Client:5.0.45) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 46.20 MiB | #of Tables: 146
Detailed Environment ::
PHP Extensions :: libxml () | xml () | wddx () | tokenizer (0.1) | sysvshm () | sysvsem () | sysvmsg () | session () | pcre () | SimpleXML (0.1) | sockets () | SPL (0.2) | shmop () | standard (5.2.6) | Reflection (0.1) | pspell () | posix () | iconv () | hash (1.0) | gmp () | gettext () | ftp () | filter (0.11.0) | exif (1.4 $Id: exif.c,v 1.173.2.5.2.25 2008/03/12 17:33:14 iliaa Exp $) | date (5.2.6) | curl () | ctype () | calendar () | bz2 () | zlib (1.1) | openssl () | apache2handler () | bcmath () | dba () | dbase () | dom (20031129) | gd () | imap () | json (1.2.1) | ldap () | mbstring () | mysql (1.0) | mysqli (0.1) | ncurses () | odbc (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | snmp () | soap () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (2.0.0) | Zend Engine (2.2.0) |
Potential Missing Extensions :: mcrypt | suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | prefork | http_core | mod_so | mod_auth_basic | mod_auth_digest | mod_authn_file | mod_authn_alias | mod_authn_anon | mod_authn_dbm | mod_authn_default | mod_authz_host | mod_authz_user | mod_authz_owner | mod_authz_groupfile | mod_authz_dbm | mod_authz_default | util_ldap | mod_authnz_ldap | mod_include | mod_log_config | mod_logio | mod_env | mod_ext_filter | mod_mime_magic | mod_expires | mod_deflate | mod_headers | mod_usertrack | mod_setenvif | mod_mime | mod_dav | mod_status | mod_autoindex | mod_info | mod_dav_fs | mod_vhost_alias | mod_negotiation | mod_dir | mod_actions | mod_speling | mod_userdir | mod_alias | mod_rewrite | mod_proxy | mod_proxy_balancer | mod_proxy_ftp | mod_proxy_http | mod_proxy_connect | mod_cache | mod_suexec | mod_disk_cache | mod_file_cache | mod_mem_cache | mod_cgi | mod_jk | mod_perl | mod_php5 | mod_proxy_ajp | mod_python | mod_ssl | Apache/2.2.8 (Fedora) |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (777) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) |

Elevated Permissions (First 10) :: hwdvideos/backups/ (777) | hwdvideos/plugin/ (777) | hwdvideos/plugin/language/ (777) | hwdvideos/plugin/templates/ (777) | hwdvideos/plugin/thirdparty/ (777) | hwdvideos/plugin/videoplayer/ (777) | hwdvideos/uploads/ (777) | hwdvideos/uploads/originals/ (777) | images/adverts/ (777) | images/banners/ (777) |
Extensions Discovered ::
Components :: SITE :: User (1.5.0) | MailTo (1.5.0) | Wrapper (1.5.0) |
Components :: ADMIN :: Messaging (1.5.0) | Menus Manager (1.5.0) | User Manager (1.5.0) | Cache Manager (1.5.0) | Plugin Manager (1.5.0) | Frontpage (1.5.0) | jxtcalbumplayer (1.6) | Polls (1.5.0) | Contact Items (1.0.0) | Installation Manager (1.5.0) | Trash (1.0.0) | RSSeo! (1.0.0) | Gallery2 Bridge Plugin (1.0.2) | DOCman Plugin (1.5.0) | JDownloads Plugin (1.5.1) | SOBI2 Plugin (1.5.1) | RSGallery2 Extension (1.0.0) | Glossary Plugin (1.5.1) | Web Links Plugin (1.5.1) | MyBlog Plugin (1.5.1) | Rapid Recipe Plugin (1.0.0) | Kunena Plugin (1.0.1) | JoomDOC Extension (1.0.0) | SectionEx Plugin (1.0.2) | Content Plugin (1.5.1) | lknAnswers Plugin (1.5.0) | Hot Property Plugin (1.0.1) | JoomSuite Resources Plugin (1.0.0) | JoomGallery Plugin (1.5.1) | Jomres Plugin (1.0) | RD-Autos Plugin (1.5.0) | KnowledgeBase Plugin (1.0.0) | Rokdownloads Plugin (1.0.4) | Contacts Plugin (1.0.1) | JCALPro Plugin (1.0.0) | JMovies Plugin (1.5.0) | Mosets Tree Plugin (1.0.1) | Agora Plugin (1.0.0) | Yoflash XMap Plugin (0.0.1) | Virtuemart Plugin (1.1.4) | JEvents Plugin (1.0.3) | CMS Shop Builder Plugin (1.5.0) | Eventlist Plugin (1.0.0) | AcyMailing Plugin (1.0.0) | Remository Plugin (1.0.3) | Xmap (1.2.11) | Media Manager (1.5.0) | Control Panel (1.5.0) | fpss (2.0.0) | AcyMailing Tag : insert Virtue (1.2.1) | AcyMailing Tag : online links (1.2.2) | AcyMailing Tag : Manage the Su (1.2.2) | User - AcyMailing (1.2.2) | AcyMailing : VirtueMart checko (1.2.2) | AcyMailing Tag : JomSocial Use (1.2.2) | AcyMailing Tag : content inser (1.2.2) | AcyMailing Tag : Subscriber in (1.2.2) | AcyMailing : Statistics Plugin (1.2.2) | AcyMailing Tag : Date / Time (1.2.2) | AcyMailing onPrepareContent tr (1.2.2) | AcyMailing Tag : CB User infor (1.2.2) | AcyMailing Tag : Insert a Modu (1.2.2) | AcyMailing Template Class Repl (1.2.2) | AcyMailing : Handle Click trac (1.2.2) | AcyMailing Tag : Joomla User I (1.2.2) | AcyMailing Tag : VirtueMart pe (1.2.2) | AcyMailing (1.2.2) | AcyMailing Module 
(1.2.2) | hwdVideoShare ([ Wainuiomata) | Newsfeeds (1.5.0) | Module Manager (1.5.0) | Banners (1.5.0) | JComments (2.2.0.2) | hwdRevenueManager ([ Musky ]) | Configuration Manager (1.5.0) | Language Manager (1.5.0) | Weblinks (1.5.0) | eXtplorer (2.1.0RC3) | Search (1.5.0) | RSMembership! (1.0.0) | Content Page (1.5.0) | Mass Mail (1.5.0) | Template Manager (1.5.0) |

Modules :: SITE :: Login (1.5.0) | Footer (1.5.0) | Latest News (1.5.0) | Sections (1.5.0) | Random Image (1.5.0) | Syndicate (1.5.0) | Who\'s Online (1.0.0) | Frontpage SlideShow (2.0.0) | AcyMailing Module (1.2.2) | Videos ([ Wainuiomata) | Feed Display (1.5.0) | Menu (1.5.0) | Iyosis Facebook Module (1.2) | Poll (1.5.0) | Newsflash (1.5.0) | Archived Content (1.5.0) | Breadcrumbs (1.5.0) | Custom HTML (1.5.0) | JA Tabs (1.5.0) | jPop (1.0.0) | Wrapper (1.0.0) | Related Items (1.0.0) | Banner (1.5.0) | J - Google AdSense (2.0.0) | JW Player Module Advanced (2.0.1) | Most Read Content (1.5.0) | News Pro GK4 (GK4 2.3.1) | Search (1.0.0) | JoomlaXTC Artist Showcase (1.6) | Statistics (1.5.0) |
Modules :: ADMIN :: Login Form (1.0.0) | Footer (1.0.0) | Latest News (1.0.0) | Logged in Users (1.0.0) | Popular Items (1.0.0) | Admin Submenu (1.0.0) | Feed Display (1.5.0) | Unread Items (1.0.0) | Quick Icons (1.0.0) | User Status (1.5.0) | Custom HTML (1.5.0) | Toolbar (1.0.0) | Online Users (1.0.0) | Admin Menu (1.0.0) | Items Stats (1.0.0) | Title (1.0.0) |

Plugins :: SITE :: User - JComments (1.0) | User - Double login (1.1) | User - Example (1.0) | User - Joomla! (1.5) | User - AcyMailing (1.2.2) | JomSocial Template ([ Granity ]) | Moxie Girls Template ([ Granity ]) | Summer is Coming Template ([ Granity ]) | Dark Template ([ Granity ]) | Joomla Template ([ Granity ]) | Editor - XStandard Lite for Jo (1.0) | Editor - TinyMCE 3 (3.2.6) | Button - Readmore (1.5) | Button - Pagebreak (1.5) | Editor Button - JComments ON (1.0) | Editor Button - JComments OFF (1.0) | Button - Image (1.0.0) | Remote Video ([ Wainuiomata) | Google ([ Wainuiomata) | [youtube] ([ Wainuiomata) | English Language ([ Silverdale ) | AcyMailing Tag : online links (1.2.2) | AcyMailing Tag : Joomla User I (1.2.2) | AcyMailing Tag : CB User infor (1.2.2) | AcyMailing Tag : JomSocial Use (1.2.2) | AcyMailing : Handle Click trac (1.2.2) | AcyMailing Tag : VirtueMart pe (1.2.2) | AcyMailing Tag : content inser (1.2.2) | AcyMailing Tag : Insert a Modu (1.2.2) | AcyMailing Tag : insert Virtue (1.2.1) | AcyMailing Tag : Date / Time (1.2.2) | AcyMailing Template Class Repl (1.2.2) | AcyMailing onPrepareContent tr (1.2.2) | AcyMailing Tag : Subscriber in (1.2.2) | AcyMailing Tag : Manage the Su (1.2.2) | AcyMailing : Statistics Plugin (1.2.2) | Anything Tabs (1.3) | AcyMailing : VirtueMart checko (1.2.2) | System - BIGSHOT Google Analyt (1.5.3) | System - RSSeo (1.0.4) | System - JComments (1.0) | System - SEF (1.5) | System - RSMembership! - Wire (1.0.0) | System - Title Manager (1.0.1) | System - Cache (1.5) | System - Mootools Upgrade (1.5) | System - RSMembership! - PayPa (1.0.0) | System - Backlinks (1.5) | System - Remember Me (1.5) | System - Debug (1.5) | System - Legacy (1.5) | System - RSMembership! 
(1.0.0) | System - Log (1.5) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | Content - Email Cloaking (1.5) | Content - JComments (1.0) | Content - Example (1.0) | Content - Page Navigation (1.5) | Content - Code Highlighter (Ge (1.5) | Content - Pagebreak (1.5) | Content - Load Modules (1.5) | VagrantWeb Social Buttons (1.0.2) | Content - Vote (1.5) | Content - J - Google AdSense (2.0.0) | Authentication - Example (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - GMail (1.5) | Authentication - OpenID (1.5) | JW FLV (Version 5) Player ([ Silverdale ) | JW FLV (HTML5) Player ([ Silverdale ) | JW FLV (Version 4) Player ([ Wainuiomata) | Flow Player ([ Wainuiomata) | Search - Newsfeeds (1.5) | Search - Contacts (1.5) | Search - JComments (1.0) | Search - Categories (1.5) | Search - Content (1.5) | Search - Sections (1.5) | Search - Weblinks (1.5) |
Templates Discovered ::
Templates :: SITE :: JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) | beez (1.0.0) | gk_icki_sports (2.0.0) |
Templates :: ADMIN :: Khepri (1.0) |

foobla
Joomla! Intern
Posts: 87
Joined: Mon Dec 15, 2008 7:26 am

Re: Server hacked, spam being sent, cannot find source

Post by foobla » Thu Jan 23, 2014 5:26 pm

The hacker probably uploaded a rootshell (kinda backdoor) to your server.
If you can access your server over SSH, run this command:
find /path/to/public_html/ -mmin -60
to find files changed or created within the last 60 minutes. You can increase 60 to a higher value depending on when your site got hacked.

It will show you the list of changed files, and you can determine where the rootshell is stored.
http://foobla.com/joomla/obgrabber - Auto Content Grabber for K2, Kunena, VirtueMart, ZOO, FLEXIcontent, JEvents, ...
http://foobla.com/joomla/obsocialsubmit - Auto Social Poster from K2, Kunena Forum, VirtueMart, ZOO, FLEXIcontent, JEvents, ...
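
An added example, not part of the original post: the `find -mmin` check above extended to also use ctime (which `touch` cannot backdate) and to flag PHP files in the data folders named in the Forum Post Assistant report. The function names, and the assumption that images/, tmp/, cache/ and logs/ should hold no PHP on this site, are illustrative.

```shell
#!/usr/bin/env bash
# Added example: triage helpers for a web root after a suspected compromise.
# Function names are illustrative, not from the original thread.

# Files whose content time (mtime) OR inode change time (ctime) falls inside
# the last N minutes. The kernel updates ctime on every write, chmod or
# rename, and it cannot be set through touch/utime.
recent_changes() {
    local docroot=$1 minutes=${2:-60}
    find "$docroot" -type f \( -mmin "-$minutes" -o -cmin "-$minutes" \) -print | sort
}

# Files with a recent ctime but an old mtime: the file was changed inside the
# window, yet its modification time points further back. A plain "-mmin"
# search misses these; treat each hit as needing a manual look.
backdated_files() {
    local docroot=$1 minutes=${2:-60}
    find "$docroot" -type f -cmin "-$minutes" ! -mmin "-$minutes" -print | sort
}

# PHP files inside folders that normally hold only media or temporary data.
# Assumption: on this site images/, tmp/, cache/ and logs/ need no PHP.
php_in_data_dirs() {
    local docroot=$1 d
    for d in images tmp cache logs; do
        if [ -d "$docroot/$d" ]; then
            find "$docroot/$d" -type f -iname '*.php*' -print
        fi
    done | sort
}

# Stand-alone use: ./triage.sh /path/to/public_html 1440
if [ $# -gt 0 ]; then
    echo "== changed in last ${2:-60} min ==";  recent_changes "$1" "${2:-60}"
    echo "== recent ctime, older mtime ==";     backdated_files "$1" "${2:-60}"
    echo "== PHP in data folders ==";           php_in_data_dirs "$1"
fi
```

Restoring files from a backup or unpacking an update also resets ctime, so run this before any cleanup that rewrites the tree.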

dpacadmin
Joomla! Champion
Posts: 6029
Joined: Sat Aug 16, 2008 1:46 pm
Location: the Bat Cave

Re: Server hacked, spam being sent, cannot find source

Post by dpacadmin » Thu Jan 23, 2014 11:29 pm

Check your site's permissions and ownership; you have many folders set to 777, which is not secure. Files should be 644 and folders 755.
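
An added example, not part of the original post: one way to audit and then apply the 644/755 advice above from a shell. The function names are illustrative, and the account name passed to `foreign_owned` is whatever user is supposed to own the site.

```shell
#!/usr/bin/env bash
# Added example: audit, then normalize, permissions under a web root.
# Function names are illustrative, not from the original thread.

# Everything writable by "other", such as the 777 folders and the 666
# configuration.php listed in the Forum Post Assistant report.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# Entries not owned by the expected account; a file created through the web
# server is often owned by the server's user rather than the site owner.
foreign_owned() {
    local docroot=$1 owner=$2
    find "$docroot" ! -user "$owner" -print | sort
}

# Set folders to 755 and files to 644, touching only entries that differ so
# the ctime of already-correct files is left alone for later triage.
# Symlinks are skipped because only -type d and -type f are selected.
normalize_perms() {
    find "$1" -type d ! -perm 0755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 0644 -exec chmod 644 {} +
}

# Stand-alone use: ./perms.sh /path/to/public_html siteowner
# Prints the audit only; call normalize_perms after reviewing the lists.
if [ $# -ge 2 ]; then
    echo "== world-writable ==";   world_writable "$1"
    echo "== not owned by $2 ==";  foreign_owned "$1" "$2"
fi
```

Review the audit output before normalizing: the list of world-writable locations shows where an uploaded file could have been written.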

setzerdeleon
Joomla! Apprentice
Posts: 12
Joined: Tue Oct 13, 2009 10:12 pm

Re: Server hacked, spam being sent, cannot find source

Post by setzerdeleon » Wed Jan 29, 2014 6:14 pm

I don't see any extension that could protect your site. You must watch the files, but if you don't stop the hacking method, this will repeat over and over. Check some security extension, and if you need more help you could tell us. I can help you.
