Warning: Something's Not Right Here!


Sure you fixed it?:

```
$ date
Sat Mar 24 21:04:26 PDT 2012
$ wget -O - --header "Referer: http://www.google.com" http://ppmegahelpsite.org | more
--2012-03-24 21:04:28--  http://ppmegahelpsite.org/
Resolving ppmegahelpsite.org...
Connecting to ppmegahelpsite.org||:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://ca-ba.ru/example/status.php [following]
--2012-03-24 21:04:28--  http://ca-ba.ru/example/status.php
Resolving ca-ba.ru...
Connecting to ca-ba.ru||:80... connected.
HTTP request sent, awaiting response... 200 OK

2012-03-24 21:04:29 (6.80 MB/s) - `-' saved [121]

<script type="text/javascript">
```


It did appear to be fixed, but it seems you’ve been re-exploited. If you’re online now I’ll give you a hand to check for any remote shells on the account. If not, take a look through your logs when you get back on as they will likely give you an idea of who’s doing what, and how.


[quote=“sXi, post:22, topic:57317”]
If you’re online now I’ll give you a hand to check for any remote shells on the account.[/quote]

You, sir, are very kind!


I’m facing the exact same issue / exploit.

I’ve disabled the shell account from the DH panel allowing only ftp access and changed the password.
I then deleted a number of the edited .htaccess files, but still new ones are generated.

I’ve gone through the wikis but I can’t seem to find anything changed other than the .htaccess files.

Any good suggestions?
Thanks in advance,


See this post for help. There’s a “quick fix” - but as you can read from the post, it’s not recommended.


When something doesn’t actually fix anything, one should probably refrain from using the term :wink:


sXi you’re right - anyway a quick update on the situation.
I removed the tmp/joscore.php file and deleted the .htaccess files in the web root and account root. Then updated Joomla to the latest version and the account hasn’t been re-infected.

And surely updated ftp/ssh user and db passwords.

For what it’s worth - that’s my solution so far.


Very good advice to anyone affected :slight_smile:

Another important thing to check is that any themes and modules we use are not listed as vulnerable (Google will help here).
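
An added example, not part of the thread: a small audit that walks an account directory and reports every .htaccess directive that redirects to a host you do not own, noting whether it only fires for certain referrers, as the wget test above does. It assumes the injected files use mod_rewrite, Redirect or ErrorDocument directives (the thread does not show their contents); the function names, sample files and hosts are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}', re.I)
REDIRECT = re.compile(r'^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b'
                      r'(?:.*?\bhttps?://([^/\s"\']+))?', re.I)

def audit_htaccess(text, own_hosts):
    """Return (line_no, host, referer_gated) for each redirect to a foreign host."""
    findings, gated = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if REFERER_COND.match(line):
            gated = True  # pending conditions apply to the next RewriteRule
        m = REDIRECT.match(line)
        if not m:
            continue
        is_rule = m.group(1).lower() == 'rewriterule'
        host = (m.group(2) or '').lower().split(':')[0]
        if host and not any(host == h or host.endswith('.' + h) for h in own_hosts):
            findings.append((no, host, gated and is_rule))
        if is_rule:
            gated = False  # a RewriteRule consumes the conditions before it
    return findings

def scan_tree(root, own_hosts):
    """Audit every .htaccess under root, dot-directories included."""
    report = {}
    for path in sorted(Path(root).rglob('.htaccess')):
        hits = audit_htaccess(path.read_text(errors='replace'), own_hosts)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed samples (not from the thread); hosts are placeholders.
INJECTED = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing)\. [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/status.php [R=301,L]
"""
CLEAN = "RewriteEngine On\nRewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]\n"

def demo():
    with tempfile.TemporaryDirectory() as root:
        Path(root, 'site').mkdir()
        Path(root, '.htaccess').write_text(INJECTED)
        Path(root, 'site', '.htaccess').write_text(CLEAN)
        return scan_tree(root, own_hosts=['example.org'])

if __name__ == '__main__':
    print(demo())
```

Run it against the account root as well as the web root, since the thread reports injected files in both, and re-run it after cleanup to see whether new files appear.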