Switch off JScript on this site! (Blackhat hoster)
Many attacks are driven from the ip range 18.104.22.168-20 trying to infect servers. The broken systems are used by criminals for rogue online pharmacies and several other spam attacks (Canadian Health&Care, Online Casinos, msnbcnews6.com fakes and many others). Fraud out of UK, NL, TR, RU. They belong together with:
22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
Hosts mostly resolve only to their reverse address.
If you find visitors on your joomla server from this range scan your joomla server for com_user/views/reset/tmpl/index.php, component/user/reset.html at any location mod.php, ll.php, pp.php, p.php, ttt.php, dkml.php, pp1.php, muakero.php, mua.php, 0day.gif, add.gif, ddxdx.gif, dxx.gif, hrd.gif,susu*.gif, movie.gif, ttt.gif, mua.gif, llp.gif (the gif's can have a php extention instead gif and will be mostly in images/stories/) and php-files containing the words: "vpsp_version" (vpsadmin.idealhosting.net.tr look for similar vpsadmin's), "isko", "iskorpitix" (http://mavi1.org ~ receiver for encoded php scripts to receive all security relevant information from the site (passwd etc.), "case 'execute'", "Shell Gonderilmeye Musait", "'Execute command on server'", additionally scan your images for carrying php code. Unless they belong to your joomla installation, they might be fraudulent.
History: In your log files you may find the initial abuse about 1/2 year earlier something like pp.php (any of the above mentioned files) might occur. After that they have a client (similar to an ftp client) with full access to the web space and all underlaying directories which the server allowes. This means they have the configuration.php and all your passwords within to the ftp/sql server and ...
2-3 months later they "extend" their access with several php files in several directories (testing where they can call it from a browser - watch your search history) from 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 (TR bridge to RU, see next),18.104.22.168 (ADTECHNOLOGY-LV-NET), 22.214.171.124 (ezooms.bot @ gmail.com), 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
Finally takes control on Mar, 19th 13 ff: 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206 (both from Ukraine), 220.127.116.11, 18.104.22.168 (fxplm.com, LU-ROOT-20081021 reg at Moniker), 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124. It ends up with the hosts on top, they are still active at the time of writing. The actions from these scripts are not within your logs, sometimes you may find entries in the error_log if things do not work as they expect. The adtech hacker makes less errors than the turkish one. The "productive" cycle starts with (vpsp!). They have now the ability to introduce new users/change existing users in the sql base and start to infect your articles with their "content" where your content is mostly used as forwarder. They will havrest your and your users email addresses. This is the latest point to get your content off the web, i.e. disabling the webspace, cause from now on your website will be spamvertised. You may find more spam on your spamtrap addresses if you have built in some fake email addresses for this purpose.
After taking the site down and if you are the only administrator watch your logs for com_login within /administrator/ to identify the abusers.
You will have to change all your passwords for the webserver (sql/ftp and user) before you start redoing your webspace.
read on https://www.blocklist.de/de/search.html?as=43260 and
About this site
İngiltere, Almanya ve Türkiye lokasyonda managed kiralık sunucu (dedicated server), sanal sunucu (vps/vds server), web hosting ve sunucu bakım, yönetim ve kontrol hizmetleri.