Someone keeps hacking your index.php file everyday and your host doesn’t want to help you. It has been happening periodically, but in past week it is being hacked everyday. Someone amends that file and adds in hundreds of web site addresses to that file.
You have a current version of Joomla 1.5.18. It’s only been since an upgrade that your site gets hacked everyday, previously only monthly. Your host said that it may have something to do with an .htaccess file.
Upgrading to a current version of Joomla has made it worse. Make sure you have a .htaccess in your root folder of your Joomla installation. For example /home/username/public_html/.htaccess.
Make sure your .htaccess file is named .htaccess and not something like htaccess or htaccess.bak. Also, make sure permissions on your .htaccess file is set to user: read write execute, group: none, and other: read execute. Another thing you can check is your permissions on your index.php file also in your root folder.
Permissions on your index.php file should be set to user: read write execute, group: read execute, and other: read execute. Only your user account(s) should have write permissions on your index.php file. Please run both a “quick security scan” and a “scan for trojan horses” from “Security Center” in Cpanel.
Ignore this false positive message “Possible Trojan – /usr/bin/cpan”. It might take a few minutes to complete a trojan horse scan. Also, you might want to reboot your server share if possible through your Cpanel login. Another thing you can do is change all your web hosting account passwords.
Verify your permissions of your /public_html/ folder. They should be set as follows, user: read write execute, group: read execute, and other: read execute. This is known as 755 permissions. You can look for any suspicious files or folders.
You may need to enable hidden view with Cpanel file manager utility. Empty out any cache or tmp folders. Also, you can request your web host move your website to a different server and IP address.
Another thing I thought of is if tomorrow your index.php page gets appended again, you can check to see if there are any rogue processes, scripts, cron jobs, etc. on your site. If your site gets changed everyday at a same time then either something or someone might have it automated. You can check for unusual processes, cron jobs, scripts, etc. yourself with cpanel.
Also, you can try going into your logs like “Latest Visitors” log to try to see if some body is accessing your site remotely and appending your index.php file. If you can track down who is a culprit then you can block their IP address using “IP Deny Manager” under a “Security” category. For added security you might want to change your .htaccess permissions to 644.
user: read write
group: read
other: read
Also, I have included contents of a .htaccess from a Joomla site with version 1.5.18 that I had. You can look for any strange items in your .htaccess file. I haven’t had any problems with that site being hacked in quite awhile with just these basic settings.
##
# @version $Id: htaccess.txt 10492 2008-07-02 06:38:28Z ircmaxell $
# @package Joomla
# @copyright Copyright (C) 2005 – 2008 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##
#####################################################
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: ‘Options +FollowSymLinks’ may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url’s. If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################
## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
#
# mod_rewrite in use
RewriteEngine On