First of all do not panic.

The first thing to do is take your site off line and run the forum post tool and examine the results.Run the forum post assistant in tar version or in zip version and security tool Instructions available here o enable you to make a post in the security forum to help assist working out where your weak poins are

Open your MySQL database management tool and execute the following SQL query:

 

 

 IF you have permissions to access SSH (secure shell) via putty you can chmod the files and directories. If you do not have shell access, you can run the commands from cron by setting up a temporary cron job. Copy and paste the command into a cron job. Run the job about 2 minutes after saving the job. When using the command by putty or a cron job, the use of the full physical path to public_html is recommended for best results.

If the server your are on requires 777 permissions for Joomla to work correctly, then request to be put on another server with php as cgi and suphp and up-to-date serverside software (apache, php etc) on your existing host or find another server host if necessary.

To protect directories that seemed to need 777 permissions to run or as a default in your images/media folder try this code within a .htaccess file within the open folder.

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

especially in your images folder

  • Make sure that is in a htaccess file in a directory that will not run any scripts or remove the extensions as required

Do check with your hosting provider to see if they have purposely secured the server your site is on; and that they or you perform regular (weekly) security updates to keep the server up to date. Check you have jail shell. A rule of thumb is the less you pay, the less they care

  • save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
  • wipe the entire folder where Joomla! is installed
  • upload a new clean full package latest version of joomla 1.5.x or Joomla 2.5.x (minus the install folder)
  • reupload your configuration file & images.
  • reupload or reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)

To do this will take your site off line for around 15 minutes. To track down your hacked/defaced html may take hours or even longer.