To All.
This is not news that anyone wants to hear, but I'm going to say it anyway. To my knowledge, there is currently no way to block this hack that will be effective. The point of entry to a domain is, at this time, unknown. While this hack seems to be affecting any PHP-driven site, it can and does also affect plain HTML sites, as has been reported within this thread as well as elsewhere. It also seems to be affecting up-to-date and apparently secure sites.
It is just my opinion, but I suspect the entry is by a vulnerable extension, other vulnerable php software installed on a domain, or a site with bad permissions allowing entry. It could also be some type of server hack.
Once the vulnerability is exploited, access is gained to the entire server, allowing easy access with full permissions to the other domains hosted on that server without the need for any password or username. Most affected seem to be sites on a shared server or a VPS. These environments are hard to control and secure, and generally have lots of sites of varying security quality on them. Shared servers are also the most common type of environment in use. Your site can be fully up to date with all kinds of security measures in place, and you can still be hacked.
If you fail to keep your domain's installed software updated (Joomla, forum software, or whatever), or you use bad permissions, then you are contributing to the problem, as you're giving the hackers an entry point into not only your domain, but into everyone's domain within the server you're on.
If you have a reseller account, or just have multiple domains under one master account, and one of those domains becomes hacked, then it is very likely that all the domains controlled by that master account, as well as the master account itself, will become hacked. This is generally called cross contamination and is very similar to cross site scripting. Because these reseller/multiple-domain accounts are generally in a shared environment, the cross contamination within one account can spread to all the other accounts within that server.
What you can do to help limit the damage to your website.
Keep a close eye on all of your domain's files. I would suggest you use the following one-line script to keep an eye on things. Be aware that on large sites with lots of activity it will generate a large email, as it looks at the entire public_html for changes and the cache directory makes lots of changes. Running this script once every hour or so can help pinpoint when the files get changed and which files are changed. Couple this information with the site logs and you may be able to pinpoint what is happening.
To check for file changes within the last day on your system, use this command from PuTTY (SSH, secure shell) or via a cron job. If you run the command from a cron job, you can schedule it to check for changed files several times each day. Results will be sent to the domain account owner and show the time/date stamp of any changed files. Whether you run the command from PuTTY or from a cron job, use the full physical path to public_html for best results.
find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -ctime -1 -exec ls -ls {} \;
Please note your site's files may be located in public_html, httpdocs, www, or a similar place, and your physical path may also differ from the example. Adjust the physical path accordingly.
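As an added example (not the post's own script), here is the same find-based check packaged for cron: it skips the noisy Joomla cache directories and also diffs a cksum snapshot against the previous run, so a changed file still shows up even if its timestamp has been reset. WEBROOT and SNAPDIR are placeholders for your own paths.

```shell
#!/bin/sh
# Added example, not the post's own script: the find check packaged for cron.
# Lists files changed in the last N minutes (Joomla cache dirs skipped, since
# they churn constantly) and diffs a cksum snapshot against the previous run,
# so a change still shows up even if a file's timestamp has been reset.
# WEBROOT and SNAPDIR are placeholders for your own paths.

# Prune the cache directories, then select regular files by ctime.
# ctime also moves when only the mode or owner changes, which is what we want.
recent_changes() {
    root=$1; mins=${2:-60}
    find "$root" \( -path "$root/cache" -o -path "$root/administrator/cache" \) -prune \
         -o -type f -cmin "-$mins" -print
}

# One "crc size path" line per file, sorted by path, cache excluded.
snapshot() {
    root=$1
    find "$root" \( -path "$root/cache" -o -path "$root/administrator/cache" \) -prune \
         -o -type f -exec cksum {} + | sort -k3
}

# Print the diff against the snapshot from the last run, then store the new one.
# First run: nothing to compare, so nothing is printed.
compare_snapshot() {
    root=$1; prev=$2
    cur=$(snapshot "$root")
    if [ -f "$prev" ]; then
        printf '%s\n' "$cur" | diff "$prev" - || true
    fi
    printf '%s\n' "$cur" > "$prev"
}

# Cron entry, hourly; cron mails stdout to the account owner:
#   0 * * * * /home/xxxxxx/monitor.sh --run
if [ "${1:-}" = "--run" ]; then
    WEBROOT=${WEBROOT:-/home/xxxxxx/domains/xxxxxxx.com/public_html}
    SNAPDIR=${SNAPDIR:-$HOME/.site-monitor}   # keep this outside the web root
    mkdir -p "$SNAPDIR"
    echo "== files changed in the last 60 minutes =="
    recent_changes "$WEBROOT" 60
    echo "== checksum differences since the last run =="
    compare_snapshot "$WEBROOT" "$SNAPDIR/snapshot.txt"
fi
```

Keep the snapshot file outside public_html; if it lived inside the web root an intruder with write access could simply rewrite it along with the files.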
Make sure you have followed all the steps below if you have been hacked. If you have not been hacked yet, then make sure you follow most of the advice below (obviously leaving out the replacing of all files), as it still applies to keeping your site in the best shape security-wise.
It would help us to help you if, before you post your security/been-hacked topic, you tell us whether you have done the following (copy and paste the list to use as a posting guide if needed):
[ ] Did you use the forum search box (http://forum.joomla.org/search.php) for a similar error?
[ ] Run the Forum Post Assistant / FPA. Instructions are available here and are also included in the download package.
[ ] Ensure you have the latest version of Joomla.
Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file.
Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories. More detail can be found in the Security Checklist 7 link below.
[ ] Review the Vulnerable Extensions List.
[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.
[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.
[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.
[ ] Use proper permissions on files and directories. They should never be 777; the ideal is 644 (files) and 755 (directories).
[ ] Check your .htaccess for any odd code (i.e. code which is not in the standard .htaccess supplied as part of the Joomla installation).
[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.
[ ] Ensure you do not have anonymous FTP enabled.
Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.
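As an added example (not the post's own script), a one-shot audit for the checklist items on permissions, .htaccess and scheduled jobs: it reports everything that deviates from the 644/755 baseline, can apply that baseline after review, and diffs the live .htaccess against a stock copy so local additions stand out. WEBROOT and STOCK_HTACCESS are placeholders; the stock copy is assumed to be the htaccess.txt shipped in a freshly downloaded Joomla package.

```shell
#!/bin/sh
# Added example, not the post's own script: a one-shot audit for the checklist
# items on permissions and .htaccess. Set WEBROOT to your site and STOCK_HTACCESS
# to the htaccess.txt from a freshly downloaded Joomla package (both placeholders).

# Report every entry that deviates from the 644 (files) / 755 (directories)
# baseline, one per line, prefixed so the two kinds can be told apart.
bad_perms() {
    find "$1" -type f ! -perm 644 -print | sed 's/^/file /'
    find "$1" -type d ! -perm 755 -print | sed 's/^/dir  /'
}

# Number of deviating entries; 0 means the baseline holds.
bad_perm_count() {
    bad_perms "$1" | wc -l | tr -d ' '
}

# Apply the baseline. Run this only after reviewing bad_perms output, since
# some hosts need a few paths (e.g. upload directories) to differ on purpose.
fix_perms() {
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
}

# Lines present only in the live .htaccess (marked ">") are local additions and
# deserve a look; lines only in the stock file ("<") have been removed.
htaccess_diff() {
    diff "$2" "$1/.htaccess"
}

if [ "${1:-}" = "--run" ]; then
    WEBROOT=${WEBROOT:-/home/xxxxxx/domains/xxxxxxx.com/public_html}
    STOCK_HTACCESS=${STOCK_HTACCESS:-$HOME/joomla-fresh/htaccess.txt}
    echo "== entries not 644/755 =="; bad_perms "$WEBROOT"
    echo "== .htaccess vs stock =="; htaccess_diff "$WEBROOT" "$STOCK_HTACCESS" || true
    echo "== scheduled jobs for this account =="; crontab -l 2>/dev/null || echo "(none)"
fi
```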