Well I don’t use joomla, so it makes no difference to me maintenance mode or not, but avast alerts. It isn’t what you suggested in the first post but a large block of obfuscated javascriprt just before the closing table tag, this is for the most part all on a single line and differes greatly from other formatted script tags. See image, I have broken the long line down to make it easier to see.
So it looks like the site has been hacked. This is the default/home page that comes up when you click any of the links you gave
Please modify your links change http to hXXp and or www to wXw so links aren’t active exposing people to accidental exposure.
not my site but i will let the admin know. the admin is a friend of mine from the ubuntu beginner team. is there a way to see how it was done? permissions error, etc?
The most common issue when using any form of content management software (php, sql, wordpress, etc.) is an old version of the software which is vulnerable to exploit.
I know nothing about joomla but if that is similar you need to ensure you have the latest version and also change your passwords to stronger ones.
As DavidR says, but let him rebuild the site, and change the access data, let him check his cron jobs. Let him update and patch joomla, but the hacker could have abused for instance some old component, like extcalendar component, that he has never been deleted, let him clean out all the malicious scripts and files. An important tool can be apache logs for him. Let him look for any weird POST requests. Look for anyone trying to insert external URLs into your URLs, just some possibilities, ccould have been work of Durzosploit is a javascript exploits generator framework that works through the console. This goal of that project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites,