I have a classic Joomla installation that was compromised. As far as I understand for the time being, only index.php was changed, plus they screwed with my user accounts. I downloaded index.php in the current version, but at some point it calls $app->dispatch(); which takes a component title parameter in my version. Does anybody know what parameter this ought to be? I tried: null, 'home', 'application',...

Also, I am thinking about upgrading to the latest version later, but I can't seem to locate my current version number. I found somewhere that it's displayed in the admin pages, but I can't access them yet. Can I find it within the code files somewhere?

EDIT: The index.php from version 1.5.22 worked. Apparently the right version was 1.5.3. Does anybody know what else I ought to check that may have been compromised/screwed with?

Why don't you get a copy of the version you used?


You can go to the Joomla project on joomlacode.org, then choose the search tab. After that, type in "1..10" and choose Releases to search in. You should get some results. Click the one you are looking for; the files are available on the files tab. This time the tab is on the blue bar (more toward the bottom of the screen).

Although I'd recommend upgrading completely, to avoid being compromised again.

====== Response to second question

How large is the site? Usually, if it's only a link bombarding attack, a quick once-over will suffice.

The next problem is that you need to patch the hole that caused the issue. In this situation, upgrading to the latest Joomla (1.6, I think) would be the first port of call.

Have you modified the Joomla system in a way that might have opened up the hack yourself?

My advice: completely reset the admin passwords and upgrade Joomla.

Tough to say anything else without seeing exactly what the "hack" was.

Fortunately, Joomla has really nice documentation on how to recover from a hack: http://docs.joomla.org/Security_Checklist_7 . As Pino pointed out, it is important that you're always on the latest version to reduce your exposure to security exploits.

I had to clean a compromised Joomla install recently. My tip would be to grep all of the files for base64_decode: some hacks involve decoding a huge string that produces PHP.

find ./ -type f -print0 | xargs -0 grep -l base64_decode

The hack looked like this: error_confirming()eval(base64_decode('JGxMOXdGMWFZNHpY.....

This particular bit of code detected Googlebot and other spiders, and then output a list of spam links heavy on the blue pill. If a normal user agent string was used, it showed an ordinary site. I had to use an Opera extension that changes the user agent to debug this.

The next step would be removing the exploit and then either patching Joomla and waiting for the next exploit, or switching to something secure, like static HTML or a well-maintained content management system.
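
An added example, not part of the original posts: the base64_decode grep from the answer above, extended into a small triage script that ranks each hit so the files most likely to hold an injected loader are inspected first. The function names, the severity labels, the 200-character threshold and the sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Triage a web root for injected eval(base64_decode(...)) loaders.
# Prints one line per file that mentions base64_decode: "<severity> <path>"
#   HIGH    eval( directly wraps base64_decode(
#   REVIEW  base64_decode plus a base64-looking literal of 200+ characters
#   INFO    base64_decode only (often legitimate, still worth a glance)
# Matching is case-insensitive because PHP function names are.
# Limitation: loaders that split or rename the call will not match.
scan_tree() {
    find "$1" -type f -print |
    while IFS= read -r f; do    # paths containing newlines are not handled
        grep -qi 'base64_decode' "$f" || continue
        if grep -Eqi 'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' "$f"; then
            echo "HIGH $f"
        elif grep -Eq '[A-Za-z0-9+/]{200,}' "$f"; then
            echo "REVIEW $f"
        else
            echo "INFO $f"
        fi
    done
}

# Constructed sample tree (harmless files written for this example only).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/cache" "$d/lib"
    # 'JGE9MTs=' is the base64 of the harmless statement: $a=1;
    printf '%s\n' "<?php eval(base64_decode('JGE9MTs='));" > "$d/index.php"
    blob=$(awk 'BEGIN { while (i++ < 240) printf "A" }')
    printf "<?php \$img = base64_decode('%s'); ?>\n" "$blob" > "$d/cache/blob.php"
    printf '%s\n' '<?php $p = base64_decode($row["params"]); ?>' > "$d/lib/params.php"
    printf '%s\n' '<?php echo "clean"; ?>' > "$d/clean.php"
    echo "$d"
}

# Demo on the constructed tree; on a real site run: scan_tree /path/to/webroot
demo=$(make_sample_tree) && scan_tree "$demo"
rm -rf "$demo"
```

A hit is a lead, not a verdict: compare each flagged file against a clean copy of the same Joomla release before deleting or restoring anything.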