Joomla hack redirects article saves to malware

I have a 2 y/o Joomla site.  Using Joomla 1.5.2.  Has worked fine until today.  Attempted to edit the article home page.  Made the change and clicked on Save. Was immediately redirected to a site declaring i was infected ...  great fireworks showing phony scans indicating many infections. X'd out of all and end processed the offending tab ..   went to site to see if my change had taken.  It hadn't.  Went back to admin and it appears that once in an article if I attempt to save or close or apply I am immediately redirected to an unbranded Search site with Facebook themed hits.  This happens on any computer.  Verio is my host and it happened to my tech support rep.
There has been no impact on the site itself ...  it's just admin so far that is affected/infected.   THere is only an htaccess.txt file in the site root.  The files licenses.php, license.php, install.php,index.php credits.php, configuration.php and changelog.php all have dates of 2/23/2011 ..  I made no changes on that day.
Welcome suggestions ..
Who is Participating?
bbornerConnect With a Mentor Author Commented:
Thank you all for your comments ...  
I found the obscure code in each of the files; licenses.php, changelog.php, configuration.php, copyright.php, credits.php, index.php immediately after the first <?php...

All is well .. thanks again
Hi bborner. Are you asking for how this may have happened or how to fix the problem?
Are you using any forms on the website? If so perhaps a possible SQL Injection.
Or do you use unsecured FTP to transfer files or install extensions?

bbornerAuthor Commented:
attached are the last 200 lines of my logfile ... says morpheus strikes again
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

have you every backed up the system? if I would restore the source files (not the database - leave that)
if no backup then I would back up the site first (use
then I would reupload your original Joomla source files (except for the installation directory)
if that doesn't fix it  re-install any extensions you have iinstalled.
Mmmm... Take a deep breath and don't rush into anything, in order to avoid making things worse.

Then follow the path that others have found safest and most useful - see the one on the Joomla doc site at .

From what you have said I would think that a complete new install - either via Akeeba's Kickstart script if you have an Akeeba backup from before the hack or using a Joomla 1.5.22 install will be required. Probably your database is okay.

Remember to review your backup and security arrangements while you are motivated to put them in place!
bbornerAuthor Commented:
Found the incriminating code causing the problem
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.