Help my Joomla 1.5.26 site has been hacked

Server Config
1

We just went through a whole lockdown and restore process for our Joomla process and I just scanned our code with a google fetch through webmaster tools and here is what I am seeing in the head of my homepage:

HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 18:00:32 GMT
Server: Apache
X-Powered-By: PHP/5.3.22
Content-Length: 32948
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=“http://www.w3.org/1999/xhtml” xml:lang=“en-gb” lang=“en-gb” >
<head>
<script src=“http://www.massalfa.org/Assets/JS/JQuery/JQuery.js” type=“text/javascript”></script>
<base href=“http://www.massalfa.org/” />
<meta http-equiv=“content-type” content=“text/html; charset=utf-8” />
<meta name=“robots” content=“index, follow” />
<meta name=“keywords” content=“Viagra, Assisted Living, Viagra Massachusetts Assisted Living, MA Assisted Living, Elder Care, Elderly Living Space, Assisted Living Facility” />
<meta name=“googlebot” content=“NOODP”>
<meta name=“robots” content=“NOODP”>
<meta name=“robots” content=“noydir”>

<meta name=“generator” content=“Joomla! 1.5 - Open Source Content Management” />
<title>Buy Viagra (Sildenafil) Online >> Lowest Prices Guaranteed</title>
<meta name=“description” content=“Buy Viagra online from an official certified pharmacy, OVERNIGHT Shipping, Exclusive & competitive discount prices, express shipping & discrete packaging.” />
<link href=“/index.php?format=feed&type=rss” rel=“alternate” type=“application/rss+xml” title=“RSS 2.0” />
<link href=“/index.php?format=feed&type=atom” rel=“alternate” type=“application/atom+xml” title=“Atom 1.0” />

	&lt;script src="/js/OrganizationTabbedPanels.js" type="text/javascript"&gt;&lt;/script&gt;
&lt;link href="/css/HomeTabbedPanels.css" rel="stylesheet" type="text/css" /&gt;
&lt;link href="http://www.massalfa.org/css/MA-Global.css" rel="stylesheet" type="text/css" /&gt;
&lt;link href="http://www.massalfa.org/css/MA-Home.css" rel="stylesheet" type="text/css" /&gt;
&lt;link href="http://www.massalfa.org/Assets/JS/JQuery/ToolTip/ToolTip.css" rel="stylesheet" type="text/css" /&gt;
&lt;script src="http://www.massalfa.org/Assets/JS/JQuery/ToolTip/ToolTip.js" type="text/javascript"&gt;&lt;/script&gt;
&lt;script src="http://www.massalfa.org/Assets/JS/JQuery/Dimensions.js" type="text/javascript"&gt;&lt;/script&gt;
&lt;!--[if !IE]&gt;&lt;!--&gt;
	&lt;link href="http://www.massalfa.org/css/IE.css" rel="stylesheet" type="text/css" /&gt;	
&lt;!--&lt;![endif]--&gt;
&lt;meta name="google-site-verification" content="5WL6fE3YT8bIgX0df-pHuCErWVZCwCT42Rud7DbwWDQ" /&gt;
&lt;meta name="msvalidate.01" content="F44FFAFB7669C57DD48ABA7337805334" /&gt;
&lt;script type="text/javascript"&gt;
	function ClearFields(Item) {
		Parent = $(Item).parent().parent().parent().parent().parent();
		Checkboxes = $(Parent).find('input:checkbox');
		$(Checkboxes).each(function() {
			$(this).removeAttr('checked');
		});
		Text = $(Parent).find('input:text');
		$(Text).each(function() {
			$(this).val('');
		});
		Select = $(Parent).find('select');
		$(Select).each(function() {
			//console.log($(this));
			$(this).val('');
		});
	}
&lt;/script&gt;
&lt;/head&gt;

Has anyone ever dealt with anything like this on their joomla sites and how did you fix it?

2

You may not like the short answer.

Upgrade

From Joomla 1.5.26

3

You’ll have to restore the files and database from a backup to a point before when the hack occurred.

Typically, there’s been some code injected into various PHP files. It’s difficult to check all the PHP files by hand for the code that’s been injected, especially if it’s something you’re unfamiliar with. There’s also the possibility that your database was messed with as well. Hence, my recommendation to restore from a backup.

As for preventing this from happening again…change your control panel password, your user/FTP passwords, your database passwords, make sure your web files are set to 644 permissions, and don’t use Joomla 1.5.x.

4

We did do a complete restore on the web files but not the database can meta data overrides like this be coming from the actual database?

5

I guess it comes from template file with security issue. You should check with your hosting provider about it.