Dear JoomShaper Security Team,
We recently completed a forensic investigation following the compromise of one of our production Joomla servers.
Although the SP Page Builder vulnerability has already been addressed, our investigation recovered what appears to be the complete toolkit used by the attackers to automate exploitation of vulnerable installations.
The recovered package includes:
- Multiple Python exploit variants (including different revisions)
- Payload generators
- ZIP payloads
- A compiled Linux scanning binary
- Target lists used by the toolkit
- Supporting files associated with the exploitation workflow
During the incident, the attackers successfully uploaded PHP webshells into the following directory:
/media/com_sppagebuilder/assets/iconfont/icofont/fonts/
The recovered toolkit specifically targets the custom icon upload functionality and contains automation for scanning, exploitation, payload deployment, and verification.
We believe these samples may help your security team:
- Better understand how the exploit has been weaponized in the wild.
- Improve future detection capabilities.
- Identify additional Indicators of Compromise (IOCs).
- Enhance protection for SP Page Builder users.
If preferred, we can also provide:
- SHA-256 hashes
- IOC lists
- Timeline of the attack
- Webshell samples recovered from compromised websites
- Additional forensic findings from our investigation
We hope this information will be useful to your security team and contribute to improving the security of the Joomla ecosystem.
Kind regards,
Majdi Al Haj Hussin
MazajNet Security Team
https://www.mazajnet.com