Hi Guys - I had two sites hacked last night.
I am sharing forensic evidence from a recent compromise on our server to help document the attack patterns related to the recent asset.uploadCustomIcon vulnerability.
Our site was running the latest version of SP Page Builder when automated bots successfully exploited the custom icon endpoint. Our hosting provider suspended the account after a binary file was caught executing under our user account.
Exploit Vector:
Endpoint Targeted: POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
Server Response: 500 Internal Server Error (The archive extraction triggered a server crash or timeout, but successfully wrote files to the root).
Discovered Payloads:
Malicious Font Directory: Located at /media/com_sppagebuilder/assets/iconfont/icouaxlbi/
Persistent Executable Binary: A file named joomla_agent was dropped inside the folder. It is a statically linked, unstripped ELF 64-bit LSB executable for x86-64 Linux. It was found masquerading as a native core process and running constantly in the background.
Obfuscated PHP Backdoor: A conditional shell was planted that intercepts requests and throws a fake 404 Not Found unless authenticated with a specific token string (?t=zjvayjjnzqzjqckl).
We have completely removed the component directories, purged the active system processes, regenerated our database credentials, and upgraded our system environment.
Sharing this primarily so the security team is aware of the joomla_agent binary name being used in the wild for server process masquerading alongside the standard PHP web shells.
Can this please be looked at as a matter of urgency for the next update?