February 26, 2013
4 of my sites (they were on the same shared hosting account) have been hacked. All PHP files had a line of code eval(base64_decode injected. 2 of those sites (Joomla 1.5.26) were restored using XCloner, and it seems that I forgot to remove the xcloner.php and tar.php files in one installation after the restore …
Good thing is that I still have the backup data for the 2 sites that were restored via XCloner, and for the two new sites (which I rebuilt on Joomla 2.5), I had XCloner installed and ran a backup after they were completed. So I can re-install them from those backups.
Question 1: how likely is it that the infection came because I forgot to delete the two files?
Question 2: to restore, I prefer the method where I upload the tar.php, the xcloner.php and the backup file and then just execute mysite.com/xcloner.php. Can I just use the clean files from the extension download zip file? I can't use the files from the server since they are also infected. The malicious code is in those files, multiple times.
Question 3: one of the Joomla 2.5 sites has a multilanguage setup (language categories, language menus etc.). Do I assume correctly that the XCloner backup and restore will restore the languages as well?
1. Not likely, but it could help if somebody found that script. I do advise deleting the script after the restore and attempting the restore from a private folder and not the site root; it might be much safer in case you forget to delete them.
2. You can use the XCloner restore script from the original package.
3. Yes, XCloner will back up everything.
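A post-restore check for the two things discussed in this thread, added here as an example and not part of the original posts or of XCloner: it counts `eval(base64_decode(` occurrences in PHP files and lists any `xcloner.php` / `tar.php` still present under the scanned folder. The sample tree is constructed, and every file name in it other than the two restore scripts is hypothetical.

```python
import os
import re
import tempfile

# Pattern named in the post: an eval(base64_decode(...)) line injected into PHP files.
INJECTION = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# Restore-script file names taken from the post.
RESTORE_SCRIPTS = {"xcloner.php", "tar.php"}

def scan_webroot(root):
    """Return (injected, leftovers): injected maps relative path -> hit count,
    leftovers lists restore scripts still present anywhere under root."""
    injected, leftovers = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in RESTORE_SCRIPTS:
                leftovers.append(rel)
            if not name.lower().endswith(".php"):
                continue  # the post describes injection into PHP files only
            with open(path, "rb") as fh:
                hits = len(INJECTION.findall(fh.read()))
            if hits:
                injected[rel] = hits
    return injected, sorted(leftovers)

def build_sample_site(root):
    """Write a small constructed site tree used only to exercise the scanner."""
    files = {
        "index.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n<?php echo 'home'; ?>\n",
        "xcloner.php": b"<?php eval ( base64_decode('eA=='));\neval(base64_decode('eQ=='));\n",
        "tar.php": b"<?php /* clean copy from the download package */ ?>\n",
        "includes/clean.php": b"<?php echo base64_decode('b2s='); ?>\n",
        "images/readme.txt": b"eval(base64_decode( inside a non-PHP file is skipped\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        injected, leftovers = scan_webroot(site)
        print("injected PHP files:", injected)
        print("restore scripts still present:", leftovers)
```

A file can be both a leftover and injected, as `xcloner.php` is in the sample, which matches the poster's description of the restore scripts on the server being infected as well.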