Viruses - Question | JoomShaper

Viruses

I

Ionut

SP Page Builder 2 weeks ago

Hi, Our all websites were virused throught sp page builder. we clean all of them, removed lines from htaccess, removed from cron and more.... 24h it was ok, no it's happen again, and we have the latest version.

And ideea? help?

0
9 Answers
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 2 weeks ago #226921

Hi,

Follow (many tips, suggestions, codes, tools) >> https://www.joomshaper.com/forum/question/45152

If you updated everything, you need:

  1. Scan whole server. Then scan site using scanner (from github).
  2. Install Firewall component.
  3. Add extra code for .htaccess file
  4. Check server logs, and block those IPs.
0
I
Ionut
Accepted Answer
2 weeks ago #226923

Thaks, i did all.... now it's again ....

0
Mehtaz Afsana Borsha
Mehtaz Afsana Borsha
Accepted Answer
Support Agent 2 weeks ago #226927

Hi,

Thanks for contcating us. You can also check this

https://github.com/zkrana/joomla-security-scanner

-Regards.

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 2 weeks ago #226928

If you would have good firewall component hacker couldn't upload any malware file. It means that:

  • was hidden backdoor on your site files (with neutral extension name) or
  • was hidden it beyond public_html or
  • was hidden it inside database table.
0
I
Ionut
Accepted Answer
2 weeks ago #226929

Thank you, Can be also in databse? because from what i see:

  • in htaccess rule
  • in tempaltes is generating tempaltes with tmp
  • in sp page builder is creating font with php
  • in folder images php files
  • in joomla root php files
0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 2 weeks ago #226930

Yes. Two users mentioned about that possibility in topic that I shared.


Maybe recover whole website from backup: 5 or 10 days old before The D-Day.

If you made any big content changes in last 72h, you can keep only SPPB table from it, and whole rest should be taken from "the past".

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 2 weeks ago #226932

This is screenshot from firewall (today) they are still trying but their IP is locked each time. And since 15 June, no infections anymore.

info__331.jpg my settings
info__332.jpg

0
I
Ionut
Accepted Answer
2 weeks ago #226944

It's enought to have this in htaccess?

    ##
    # Emergency block - SP Page Builder uploadCustomIcon exploit
    # Blochează requesturile către:
    # index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
    ##
    RewriteCond %{QUERY_STRING} (^|&)option=com_sppagebuilder(&|$) [NC]
    RewriteCond %{QUERY_STRING} (^|&)task=(asset\.uploadCustomIcon|asset%2euploadCustomIcon)(&|$) [NC]
    RewriteRule ^ - [F,L]

In databases what i find is new users created, so is creating new users and from here will create new rules...

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 2 weeks ago #226945

That's not quite enough; it's definitely worth adding additional rules in .htaccess to the /images, /media, and /file folders as well—as we mentioned in the thread mentioned earlier — to protect them from unauthorized .php files.

0