Hello, I think I've been hacked, I got this message when i was trying to configure acymailing:

Esta página web tiene un bucle de redireccionamiento
La página web asesgerenciales.com/home/asesgere/public...bylys.ru/count28.php ha producido demasiados redireccionamientos.

In the public_html i found this stranges files:

bvl5k.php

byui2g.php

cee.html

gb51sg.html

I will delete this files, but, what else do i have to do to avoid the attack?

the web is: www.asesgerenciales.com
I'm using J 2.5.4

Hi Héctor,

Yes, it does appear that you have. Please take our security class:
www.ostraining.com/courses/class/joomla-25/security/view/

However, for right now skip to the "Fixing Your Hacked Site" lesson:
www.ostraining.com/courses/session/jooml...ng-your-hacked-site/

Hope this helps! Let us know if you have questions along the way or if you'd like a quote for me to fix it for you.

Kind regards,
Nick

Thank you Nick, in this moment i cant buy the anti-virus, i`m asking to the hosting provider if they have the anti-virus for this, if they cant help me, i will appreciate any help.

H.

Hi Héctor,

Sound good. Let us know how it goes.

Kind regards,
Nick

Hello, the hosting provider told me that he will run an antivirus, but i dont know if he did it, i cant wait more time, i need to solve this.

Checking the web, i found a infected code in each index.php of the templates that i have installed.

I deleted all strange files that i mentioned before, and i will delete all infected code on all index.php infected. After this i will change all passwords of cpanel, joomla administrator, database; do i have to do something else to solve this problem?

Thank you for any help

H.

Hi Héctor,

I would make a backup of your current site which you can later use to scan and run tests on. Then I would use admin tools to completely reinstall the core on your live site:
www.ostraining.com/blog/joomla/how-to-up...min-tools-extension/

That will reset all your core files in case others were affected too. Then I would make sure all your extensions are up to date and also use Admin Tools to fix your folder and file permissions:
www.ostraining.com/blog/joomla/admin-too...nd-file-permissions/

The above would really help, however it depends on where the hacker placed hacked files as to whether it would be enough. It's hard to tell without doing a full analysis.

Hope this helps!

Kind regards,
Nick

Thank you Nick, i will do your suggestions.

You're welcome, Héctor! :)

Kind regards,
Nick

Hector,

I have had this problem and Hostgator did a good job of cleaning it up for me. Some hosts will run the scan, but it doesn't always clear the infected file. I was satisfied that Hostgator did a good job, though.

Hope you get this worked out. I is a major irritation. I just reviewed a company called Incapsula, that lets you use a proxy server that intercepts these kinds of attacks. They don't fix them, they just keep them from getting to the server. You might consider incapsula.com if you have persistent problems.

Good Luck,
Ed

Thank you Ed, yes, its a problem, specially because I'll have a meeting with the owner of the site tuesday in the morning...

Hi Héctor,

We're here if you need us. Let us know if we can be of further help.

Kind regards,
Nick