This is information on removing the c99madshell hack that can get into some Joomla 1.5 sites. Most of this content is an original article of News Blog. I was only able to find one portion of this myself before finding their article, kudos and thanks go to them.
If you see the following Joomla error appearing on most Joomla pages including admin section
File Not Found The requested URL was not found on this server
If you have a list of spam links
then your installation has likely been compromised. There is a security bug in Joomla 1.5 allowing a hacker to reset your admin password.
You should take the following steps to get rid of the error message and secure your Joomla:
1. Backup your files and SQL database to an external location.
2. Delete three files with c99madshell backdoor script
3. Change /plugins/content/ folder owner to any but apache user and change it’s mask to 555
Note: This next one I need clarification on as response.php has multiple ob_start entries within it and I don’t know which one to comment out and how much of the code following it needs to be commented out along with it. I will edit this post if the original poster gets back to me.
4. Open /libraries/joomla/environment/response.php file on line 197 and comment php code starting with ob_start
5. Change /libraries/joomla/environment/response.php file owner to any but apache user and change it’s mask to 644
6. Delete /libraries/joomla/cache/button.gif file and create an empty one
7. Change /libraries/joomla/cache/button.gif file owner to any but apache user and change it’s mask to 644
8. Check if /topnews/ and /hotnews/ exist. Delete folders unless you installed.
9. Set disable_functions in /etc/php.ini to
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source
10. Change in /components/com_user/models/reset.php file on line 116
$db->setQuery(’SELECT id FROM #__users WHERE block = 0 AND activation = ‘.$db->Quote($token));
$db->setQuery(’SELECT id FROM #__users WHERE block = 0 AND activation = \”.$db->Quote($token).’\”);
The error message or spam should be gone, backdoor script removed and the Joomla security hole patched now.
If you have done everything right then you should now also be able to remove the button.gif we mentioned before and it should no longer be regenerated.