Hello Gianluca,

Thank you for your detailed message, and please accept our apologies for the inconvenience caused.

Could you kindly confirm which version of SP Page Builder was installed at the time the incident occurred?

We would like to highlight that a security vulnerability was identified in earlier versions of SP Page Builder and has since been fixed. We strongly recommend ensuring that version 6.2.2 is installed, as older versions may have been exposed to this issue before the patch was applied.

To ensure your site is fully secure, we recommend taking the following steps:

Remove any infected or modified files and replace them with clean copies from the official installation package Perform a full malware and security scan of your website and hosting environment Check your server for any backdoors or malicious scripts that could allow reinfection Update all credentials, including Joomla administrator, hosting panel, FTP/SFTP, and database passwords

If you need any assistance during this process, please let us know—we’re here to help.

Best regards,

Dear JoomShaper Team,

thank you for your follow-up.

After checking, I can confirm that SP Page Builder 6.2.2 was already installed at the time of the attack, which occurred yesterday morning. The update had been applied as soon as it was released.

This means the site was running the latest patched version and was still compromised. I would therefore kindly ask:

1. Does the vulnerability fix in 6.2.2 only protect against future attacks, or could a site already have been exploited before the update was applied and left with a persistent backdoor?
2. Is it possible that the attacker exploited the vulnerability in a previous version, planted a backdoor, and the reinfection we observed was triggered by that backdoor even after the update?
3. Are there any specific files or database entries we should check to ensure no backdoor remains from a prior exploitation of the SP Page Builder vulnerability?

Any additional guidance would be greatly appreciated, as we want to make sure the site is fully clean and protected going forward.

Thank you for your continued support.

Best regards,

Hello,

It appears that the site may have been compromised prior to the update.

First, please ensure that all backdoor or malicious files are completely removed from your website.

We also recommend reviewing all newly created user accounts and deleting any that are not recognized or authorized.

For additional guidance and related information, please refer to this discussion: https://www.joomshaper.com/forum/question/45152

Please carry out these checks and let us know once completed, along with any updates.

Thank you.

Best regards,

Short answers 1-2-3:

1. You cannot back the time (unless you can somehow), so new update fixed for the future.
2. No. The backdoor is something else. In our case it was just a security hole. More info in link below
3. There is no simple way like delete file(s) with name "infected.php" it doesn't work this way like in the past. So please read whole forum topic (link you have) and focus my topic about steps, it starts with phrase "To scan website use:"

But a week ago, few days, or just one day ago somebody could upload a single file, and wait for ocasion to run it and infect your site even more, like virus spead. Your hosting firewall should detect that sooner, but it's not always easy to find suspicus pattern.

If AdminTools detected modification in file(s), you have to reinstall that extension or template to be sure that it's not hidden anywhere deep inside. But this is one of many steps.

Remember that Akeeba Backup Pro (or any other firewall extension) is the last line of defense; a firewall should also be running at the hosting level. It’s just like in the Middle Ages—you need multiple walls and active archers (but instead of arrows > using IP block).