
HACKED? - emotions.php

joshuap 02 Nov, 2009
I was really, really pissed to find that ChronoForms has modified multiple files in my Joomla directory and added a file include with an absolute path (I discovered this when I tried to move Joomla to a new server). What is this?

require_once ('/web/administrator/components/com_chronocontact/js/tiny_mce/plugins/emotions/img/emotions.php');


So far I have found this in my ChronoForms files, my root joomla/index.php and joomla/administrator/index.php, as well as in ACAJOOM files. Why the hell would ACAJOOM files have an absolute-path include to CHRONOFORMS? Please help.
joshuap 02 Nov, 2009
Well, it looks like the include has actually been added to the top of EVERY root file of my joomla and joomla/administrator directories, as well as to most root files of the core and 3rd-party Joomla components I have installed. None of these files is even writable; how could this happen? It's going to take me forever to remove these references.
GreyHead 02 Nov, 2009
Hi joshuap,

Commiserations. Nothing here that I've seen before or that ChronoForms does in any normal process.

I've just checked and the file doesn't exist in a ChronoForms installation (that folder just contains gif files). So it does look as though your site has been hacked :-(

Bob
joshuap 02 Nov, 2009
I don't understand, though: if it is, it must be a ChronoForms-specific hack. It is integrated into the actual code somehow, it was throwing no errors on my old server, and I have no idea what emotions.php actually does. But all these different Joomla files were including it.
GreyHead 02 Nov, 2009
Hi joshuap,

Pretty unlikely that it's a ChronoForms-specific hack; it could be TinyMCE-related, though, which is a lot more common.

There was a flurry of hacks a bit like this a few months ago. In the case I saw, they attacked images folders, putting a spurious file in there; the security breach seemed to be related to broken FTP sign-ons.

As I said, emotions.php is not a ChronoForms file. I suggest that you remove it ASAP and check for any other recently changed files on your site.

Bob
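The two checks Bob recommends above, finding every file that carries the injected absolute-path include and listing recently changed files, can be scripted. The following is an added example written for this thread; it is not code from ChronoForms, Joomla or either poster. It assumes the injected line looks like the one joshuap quoted (a `require_once` of an absolute path ending in `emotions.php`, sitting in the first few kilobytes of a PHP file) and it builds a small constructed site tree so it runs offline; the file names and contents in that tree are invented for the demonstration.

```python
"""Find, list and strip injected absolute-path includes in a PHP tree.

Added example for this forum thread, not ChronoForms/Joomla code. The
injected-line shape and the sample site below are assumptions.
"""
import os
import re
import tempfile
import time

# An absolute-path require/include is the signal: legitimate Joomla code
# builds paths from dirname(__FILE__) or JPATH_* constants, never bare
# absolute paths (assumption based on the line quoted in the thread).
INJECT_RE = re.compile(
    r"""(?:require|include)(?:_once)?\s*\(?\s*['"](/[^'"]+\.php)['"]\s*\)?\s*;""",
    re.IGNORECASE,
)
HEAD_BYTES = 4096  # the injected line sat at the top of each file


def find_injected_includes(root):
    """Return sorted [(path, line_no, included_path)] for PHP files whose
    header contains an absolute-path include."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES).decode("utf-8", errors="replace")
            for no, line in enumerate(head.splitlines(), 1):
                m = INJECT_RE.search(line)
                if m:
                    hits.append((path, no, m.group(1)))
    return sorted(hits)


def recently_modified(root, days=30, now=None):
    """List files with mtime within the last `days`. Run this BEFORE any
    cleanup (rewriting resets mtime) and treat it as a hint only: an
    attacker can reset timestamps, so also compare against a clean copy."""
    cutoff = (time.time() if now is None else now) - days * 86400
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime >= cutoff:
                out.append(path)
    return sorted(out)


def strip_injected_includes(root, target_suffix="emotions.php"):
    """Remove only the injected statement (path ending in target_suffix);
    every other byte of each file is preserved. Returns lines cleaned."""
    removed = 0

    def drop(m):
        return "" if m.group(1).endswith(target_suffix) else m.group(0)

    for path in sorted({p for p, _n, _i in find_injected_includes(root)}):
        with open(path, "rb") as fh:
            lines = fh.read().splitlines(keepends=True)
        kept = []
        for raw in lines:
            text = raw.decode("utf-8", errors="replace")
            new = INJECT_RE.sub(drop, text)
            if new == text:
                kept.append(raw)          # untouched: keep original bytes
                continue
            removed += 1
            if new.strip():               # e.g. "<?php " survives on the line
                kept.append(new.encode("utf-8"))
        with open(path, "wb") as fh:
            fh.writelines(kept)
    return removed


INJECTED = ("require_once ('/web/administrator/components/com_chronocontact/"
            "js/tiny_mce/plugins/emotions/img/emotions.php');\n")


def build_sample_site():
    """Constructed Joomla-like tree (not a real site): three infected PHP
    files, one clean file with a legitimate relative include, one gif."""
    root = tempfile.mkdtemp(prefix="joomla_")
    files = {
        "index.php": "<?php\n" + INJECTED + "define('_JEXEC', 1);\n",
        "administrator/index.php": "<?php " + INJECTED + "// admin\n",
        "components/com_acajoom/acajoom.php": "<?php\n" + INJECTED + "echo 1;\n",
        "components/com_clean/clean.php":
            "<?php\nrequire_once(dirname(__FILE__).'/helper.php');\n",
        "images/logo.gif": "GIF89a",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    old = time.time() - 400 * 86400   # backdate the clean file
    os.utime(os.path.join(root, "components/com_clean/clean.php"), (old, old))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, no, inc in find_injected_includes(site):
        print(f"injected include {path}:{no} -> {inc}")
    print("recently modified:", recently_modified(site))
    print("removed", strip_injected_includes(site), "injected statements")
    print("after cleanup:", find_injected_includes(site))
```

Run the listing step and keep its output before stripping anything, since the rewrite itself refreshes every cleaned file's mtime. The regex deliberately matches only includes of absolute paths, so a normal `require_once(dirname(__FILE__).'/x.php')` is left alone; widen the `target_suffix` if the dropped file is not named emotions.php on your site.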
joshuap 03 Nov, 2009
Well, I think I fixed most of the damage; this is just so strange. Someone actually got into the site and modified the files, I think to display unwanted advertising to certain user agents. The FTP account must have been compromised; I can't think of any other way so many files could have been modified. Permissions were all straight 644 for files, 755 for folders.
GreyHead 03 Nov, 2009
Hi joshuap,

Commiserations again. It's never nice, whatever the cause. I'd suggest that you change all the FTP and site admin passwords if you haven't already done so.

Bob