I need help -- server got hacked, php injection

Jan 29, 2012
cPanel Access Level
Root Administrator
I have 290 hosted sites.

For some vulnerability in joomla, (what I'd consider), some people managed to insert malicious files in the tmp folder of some domains, and executed them.

Several shell scripts encrypted (such as c99shell) were injected. Most of the process in my server was being killed every minute.

I also found a script that list the cpanel users of all domains in my server and email bomber scripts.

And what worries me most:

Joomla stores the information related to the database in a file called configuration.php.

90% of the sites that I host are made in Joomla.

I found a perl script in some domains that scans for files configuration.php, config.php, wp-config.php in all domains on my server, and saves a copy in a file .txt

That makes possible to have access to all databases on my server, everything, including WHMCS, Worldpress, Magento, and Drupal databases..

My question is:

I need to change the password for all databases, and also change them in the configuration.php file, but I do not know one way to do this automatically.

Is there is a script that does this change either in the configuration.php file and in mysql?? (mysql user password)

I have no idea how to do this. I'm using "grep" to find the malicious files on the server, since I have to delete them before making any changes to mysql.

Last question: Was it a problem in Joomla (very onder 1.5 version) or was it because my /tmp folder was not in a isolated partition? (I use OpenVZ).

I also have no rules in mod_security running, because they were causing problems in my wordpress sites.

Furthermore, grep is dramatically increasing the server load..

Any help will be highly appreciated.

Edit: I have all the IPs in Apache logs, are from Nigeria .. But I'm sure these IPs will not help much.
Last edited:
Jan 29, 2012
cPanel Access Level
Root Administrator
Hi nospa,

I use suPHP with suEXEC on.

Now I enabled the mod_security, but I'm having several problems with Joomla.

I installed ClamAV and it removed 110 malicious scripts. I also installed Pyxsoft Anti Malware.

But I still have to change all the mysql databases passwords and the configuration.php files.

Here's the code in perl which was shot on my server:

-removed code-
Last edited by a moderator: