Website hacked: how to fix

I released a new Yii-based web application a few days ago. It was put on a shared server where an existing Joomla installation has been running for years - and continues to run.

Today the Ajax calls stopped working. I had updated two or three php files, but the Ajax calls were in unrelated files. I debugged the calls using Firebug and found that they were returning into the error section with a JSON parse error. The errorThrown is:

Invalid JSON: {"found":true,"ContactId":"733","Title":"","FirstName":"John","Surname":"Smith","Company":"Private","Designation":"Manager","Mobile":"","IsMember":false}<script src=""></script>

Note the script tagged on to the end. This all points to a malicious site.

I have no idea how to even begin solving this problem. The hosts (Bluehost) say I should wipe the site and then rebuild - but I don’t know if I will be simply restoring the malicious code when I restore.

One more bit of information: a few months ago, when I clicked on a link to the site (Joomla) AVG reported it was a link to a malicious site. Then the problem went away.

Any insights and suggestions will be greatly appreciated.

Did you check if the malicious script was being appended to other non-ajax pages, or was it just the one ajax action?

I did check and, yup, it was also being attached to other pages.

However I found a fix for it at They supply a clean-up text.

Basically, all PHP files in the site get modified with a long string of base64 encoded text.

I still don’t know how to prevent it though.

This is usually from older scripts on your server being attacked. For example, while the Yii framework build that you have may be fine and up to date, possible your Joomla site is not or a script that you were using somewhere within the site was not. This can even happen with custom scripts you make that you don’t maintain. What essentially happens is attacks find ways to use those breaches and exploits to gain access to your server in order to run their own scripts. In this case, their script runs a code that appends scripts to all your pages, be it php or html or any other language.

The only true way to prevent this is to ensure your sites are up to date and your scripts are secure. The malicious script in itself on your site is not something you can prevent because it wasn’t applied through your site, it was applied directly on it once attackers gain access.

This was a big problem about a year ago, lots of sites got hit for that. Common free based code frameworks were hit hard, like PHPBB (forums), and I believe Joomla was on the list as well.

To completely clean it you may have to have a service rep from your hosting do a scan from their end on your directories. Hope that helps.

I see this on a bitrix cms based site too a while ago… only way is check the server logs to see how they got in… which can be very big ;)

It also regenerated the encoded text in php files on every request >:(

I actually want to remove Joomla completely and replace it with a Yii-based CMS. I’m not sure if there is one that is mature enough yet though. Any recommendations?

Not sure, there is that a user posted here in the forums somewhere that they built off of yii. And it’s free for personal use so it depends on what you’re using it for.

In all honesty, building the CMS wouldn’t be that hard, all the major work for CRUD statements are done when you compose models and apply that logic. You just have to customize things like user authentication and then build exactly what you want your CMS to do.

If you want something that will be fun, easy for you to understand and progressive to exactly what you need, then I’d recommend making a whack at making one yourself :)

If not check the Yii extensions area or try that flexica.

Really nice site…

Found a couple of small errors that kept me from sending them a message online via the webpage .

I found a typo on the home page, so I tried to send a message via :

Write a comment

Full Name: Bill Hernandez



typo alert - Intergrate should be Integrate

also got this error message :

Please fix the following errors:

Email[From] is not valid

Main contact page would not accept the hyphen in my email address ? Hyphen is a valid email address character ?

Could not send this message.

Also the phone number should not be mandatory, or a lot of people won’t send messages.

Then I tried to send a message via :

I filled out the form, (the fields were not mandatory on this form) clicked on Send, and got another error message, see below :

Fatal error: Access to undeclared static property: CommentService::$result in /home/giahan/public_html/protected/modules/Support/services/CommentService.php on line 47

Tried to find an email address to send the feedback and could not find one. Maybe somebody here can forward this to them…

Best Regards,

Bill Hernandez

Plano, Texas

Will do, thanks Bill :)

Thank Whoopass and Bill, we’ll fix the problem and update the site asap.


When I was trying to send you the feedback about the problems I ran into, I found "" somewhere on your website, and so I tried standard email to send you the message, and that came back as undeliverable also. So you might want to search for that in your app.

Otherwise, it is a beautiful website…


Bill Hernandez

Plano, Texas

Seriously making a fullblown CMS like Joomla is a HUGEEEEE effort. I tried several times for personal project since I was never satisfied with the current CMS :P And given up all the time because lack of time.