Page coming up blank

freethnkr52

Hi all,

I'm completely new to PHP, so forgive my naivety...

I'm attempting to fix a customer's website that appears to have been hacked. There is a statement at the beginning of the index.php file (actually it's at the beginning of each *.php file) that looks like this:

<?php echo '';mail(webmaster@largeprintmedia.org,'hacking alert','your system is under attak: '.print_r(Array,1));error_log('hackers attak alert'); eval(base64_decode("-- base64 encoded code removed by moderator --"));

I've removed what seems to be unnecessary content, but every time I try to load any of the PHP files, it just returns a blank white page. I've enabled error reporting within the php.ini file, but it never returns any errors. I know the Apache and MySQL are running b/c I have another test site I can successfully run. The guy who created this site used Joomla. I can't load the administrator page for Joomla either...

Here's the index.php code

<?php
/**
* @version    $Id: index.php 11407 2009-01-09 17:23:42Z willebil $
* @package    Joomla
* @copyright  Copyright (C) 2005 - 2009 Open Source Matters. All rights reserved.
* @license    GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

// Set flag that this is a parent file
define( '_JEXEC', 1 );
define( 'DS', DIRECTORY_SEPARATOR );

if (file_exists(dirname(__FILE__) . '/defines.php')) {
  include_once dirname(__FILE__) . '/defines.php';
}

if (!defined('_JDEFINES')) {
  define('JPATH_BASE', dirname(__FILE__));
  require_once JPATH_BASE.'/includes/defines.php';
}

require_once JPATH_BASE.'/includes/framework.php';

// Mark afterLoad in the profiler.
JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;

/**
 * CREATE THE APPLICATION
 *
 * NOTE :
 */
$mainframe =& JFactory::getApplication('site');

/**
 * INITIALISE THE APPLICATION
 *
 * NOTE :
 */
// set the language
$mainframe->initialise();

JPluginHelper::importPlugin('system');

// trigger the onAfterInitialise events
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
$mainframe->triggerEvent('onAfterInitialise');

/**
 * ROUTE THE APPLICATION
 *
 * NOTE :
 */
$mainframe->route();

// authorization
$Itemid = JRequest::getInt( 'Itemid');
$mainframe->authorize($Itemid);

// trigger the onAfterRoute events
JDEBUG ? $_PROFILER->mark('afterRoute') : null;
$mainframe->triggerEvent('onAfterRoute');

/**
 * DISPATCH THE APPLICATION
 *
 * NOTE :
 */
$option = JRequest::getCmd('option');
$mainframe->dispatch($option);

// trigger the onAfterDispatch events
JDEBUG ? $_PROFILER->mark('afterDispatch') : null;
$mainframe->triggerEvent('onAfterDispatch');

/**
 * RENDER  THE APPLICATION
 *
 * NOTE :
 */
$mainframe->render();

// trigger the onAfterRender events
JDEBUG ? $_PROFILER->mark('afterRender') : null;
$mainframe->triggerEvent('onAfterRender');

/**
 * RETURN THE RESPONSE
 */
echo JResponse::toString($mainframe->getCfg('gzip'));

Any help would be greatly appreciated.

Thanks,

Jared

dagon

I wouldn't just remove the obvious, how do you know what else has been compromised, i restore the whole site from a backup.

bradgrafelman

I agree with dagon; best course of action is to completely erase the entire site (or at least all files/folders which could contain executable code, which is just about all of them at this point) and restore from backup.

Also, when posting PHP code, please use the board's [noparse]

..

[/noparse] bbcode tags as they make your code much easier to read and analyze.

dagon

looking at the version number it could use a serious update, not keeping an open source cms (or any open source project) up to date is asking for trouble. While they are nice projects the large number of users makes any open source project a high value target, so you must keep it constantly up to date

johanafm

I'd go a bit further than what the others suggested. My opinion is that there is no other solution than a reformat of all hard drives and thereafter a clean OS install before using a backup to restore the site. And that would of course be a backup not residing no the same server, but somplace safe.