Well, my friends, I think that having much extensions installed in Joomla environment is not a clever thing. Since one of my J 1.5 sites has been hacked by some Islam guys and all I had to do was to record this (and recover the database, of course), the J! security extensions are in front of my installed components. I’ve installed Marco’s interceptor, JHackGuard and RS Firewall to prevent hacking / spamming actions. And I was monitoring all the logs files daily. This was not enough…
After an email from Benoit, I've found some strange links in forums, but, after a deep scam, I've noticed many places where those links appear.
Here is an example:
„For some technical reason unknown to me,
some of the links in blue need to <a href="http://habitatuw.org/genuine-viagra-without-prescription/" id="efcc6713e9">genuine viagra without prescription be right clicked to
"open in new tab" or "open in new window".
After checking logs, detailed logs, hackguard logs, RS firewall logs, and deep google research without any success, I Used RS Frirewall System check to perform a check of the website. The result was that I have some files changed. After I've compared with original files saved on my server, I've found two files resided in /includes folder with creation date 1/1/1970. The files were: aplication.php and joomla_rss.php. On the original saved file there wasn't any Joomla_rss.php file. I've found that the only difference from original application.php file and the one from server was that the last calling tje joomla_rss.php file. After I've examined the joomla_rss file, I've noticed a lot of encoding_64 codes, and this means inserting some text in the code. After remove the file and restore the original application.php, the problem was solved.
I’ve googled this issue and I’ve found only one situation like mine, and I cannot see what the hole was that permitted that one file to be altered and other to be inserted in a secure environment. But I have to dig more. Until then, I have to admit thar RS Firewall was the only extension that put me in the right direction.
If you had same issue, please tell me in this forum.
Have a nice Joomla day!