Hacked By AntonKill - Question | JoomShaper

PhoenixGB

General 23 hours ago

Client's site got hacked - https://hotelgalera.es , I found the offending code but JS won't let me display it, so if you get the same shit just DM me and I will send you what to look for. Don't get the point of these cyber vandals: ooh, look how clever I am, I spray-painted your site!

Now it's disappeared; one Super User was renamed to Rand Dom (Random). Deleted her and it seems the script went with her, but it's still hacked. Checking with the host, the code was injected into the DB.

Anyone else come across this? It's the usual case: clients don't want to pay for updates, so holes appear and get used. Then it's MY fault and they expect it to be fixed for free. It's a PB 6.00 site so I am assuming the hacker (cyber wanker, look how clever I am) has used the recent security hole that was found. Fully expect to get more of these over the next few weeks. But why should I patch their site if they aren't prepared to pay for the updates? My comparison to clients is: if you don't service your car for years it breaks down and costs you more to fix!

QUESTION: If a clients site gets hacked and they haven't/won't pay for updates how do you handle it?

13 Answers
Atick Eashrak Shuvo
Accepted Answer
Support Agent 22 hours ago #227436

Hi,

We sincerely apologize for the inconvenience.

Could you please share the malicious code you found, along with the file or database location where it was injected? We'll be happy to review it and see if it is related to any known issue.

Regarding users who do not have an active license or choose not to renew, we have provided a manual security patch in this forum post: https://www.joomshaper.com/forum/question/45258

This patch is available for users who cannot update to the latest version.

Additionally, if the affected site is using a Helix3 template, please note that we have also released a security fix for Helix3. Since Helix3 is a free framework, the patch is available to everyone and does not require an active subscription or license.

We look forward to reviewing the code you found.

Oliver Janßen
Accepted Answer
22 hours ago #227437

Website compromised despite SP Page Builder 6.6.2 – Template settings modified

Hello JoomShaper team,

I would like to report an incident that happened on many of our Joomla websites running the latest SP Page Builder version 6.6.2.

The website was compromised even though SP Page Builder had already been updated to version 6.6.2, which should include the recent security fix.

The attacker did not simply upload malicious files. Instead, we found that the template settings had been modified automatically:

  • The template settings were reset.
  • The Custom JavaScript field was replaced with JavaScript that injected a full-screen defacement page ("Hacked by trenggalek6etar / Hacked by Antonkill").
  • The Custom CSS field was also modified.
  • As a result, all previous template customizations (CSS, JS, logo settings, etc.) were lost.

We restored the site from a clean backup and removed the malicious code. We also confirmed that the injected JavaScript was stored inside the template configuration in the Joomla database.

At this point, I cannot say whether this is:

  • a new vulnerability in SP Page Builder,
  • another vulnerability elsewhere in Joomla or a third-party extension,
  • or the result of a backdoor that was installed before updating to 6.6.2.

However, I wanted to report this because the behaviour is very unusual and may help identify additional attack vectors.

Has anyone else experienced similar behaviour after updating to 6.6.2?

PhoenixGB
Accepted Answer
22 hours ago #227443

Exactly the same, including the shtml files and txt files. I tried to share the code but it won't allow me to put it here. Can't say that any custom CSS was hacked; found the code, restored the site and DB and it was gone. Will try again. The attached file shows some of the infected files from ImunifyAV and the code at the bottom. There's more script but it won't show; reply and I will try and send it to you, JS.

```html
<xscript>document.addEventListener("DOMContentLoaded",function(){document.title="Hacked by Antonkill";document.body.style.cssText="overflow:hidden;margin:0;padding:0;background:#0a0a1a;";document.body.innerHTML='<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:linear-gradient(135deg,#0a0a2e 0%,#1a0a3e 30%,#0a1a2e 60%,#0a0a1a 100%);display:flex;flex-direction:column;align-items:center;justify-content:center;font-family:monospace;z-index:2147483647;overflow:hidden"><div style="position:absolute;top:0;left:0;width:100%;height:100%;background:repeating-linear-gradient(0deg,transparent,transparent 2px,rgba(0,255,255,0.03) 2px,rgba(0,255,255,0.03) 4px);pointer-events:none;z-index:1"></div><div style="position:absolute;top:-100%;left:0;width:100%;height:100%;background:linear-gradient(transparent 0%,rgba(0,255,255,0.05) 50%,transparent 100%);animation:scanline 3s linear infinite;pointer-events:none;z-index:2"></div><div style="font-size:80px;animation:pulse 2s ease-in-out infinite;margin-bottom:10px;filter:drop-shadow(0 0 20px rgba(255,0,255,0.5))">&#9760;</div><div style="width:200px;height:2px;background:linear-gradient(90deg,transparent,#ff00ff,#00ffff,#ff00ff,transparent);margin:15px 0"></div><div style="font-size:42px;font-weight:bold;color:#fff;text-transform:uppercase;letter-spacing:6px;animation:glitch 0.3s infinite;text-align:center;margin:10px 0">Hacked by Antonkill</div><div style="width:200px;height:2px;background:linear-gradient(90deg,transparent,#00ffff,#ff00ff,#00ffff,transparent);margin:15px 0"></div><div style="position:absolute;top:20px;left:20px;width:60px;height:60px;border:2px solid #ff00ff;border-radius:50%;animation:border-anim 2s linear infinite,pulse 2s ease infinite;opacity:0.3"></div><div style="position:absolute;bottom:40px;right:30px;width:40px;height:40px;border:2px solid #00ffff;animation:border-anim 2s linear infinite reverse,pulse 3s ease infinite;opacity:0.3"></div></div>';});</xscript>
  <xscript>
var sp_preloader = '';
</xscript>
```

x's added to script so the forum would show the code

Mario
Accepted Answer
21 hours ago #227462

Exactly the same here! Everything was up to date. How could that happen?

ZAHNER
Accepted Answer
21 hours ago #227464

Hi, I’ve had 3 websites attacked and hacked, too.

Atick Eashrak Shuvo
Accepted Answer
Support Agent 21 hours ago #227465

Hi,

We sincerely apologize for the inconvenience.

Please follow the steps below to resolve the issue:

  1. Go to Site Template Styles → Your Template → Template Options → Custom Code → Custom JavaScript.
  2. Check for any suspicious or unknown JavaScript code and remove it. This should remove the injected message if it was added through the template's Custom JavaScript field.
  3. After that, please update both the System - Helix3 Framework plugin and the Helix3 - Ajax plugin to the latest version (v3.1.2).

If you do not see an update notification in your Joomla dashboard, you can download the latest Helix3 package from the following page and install it via Extensions → Install:

https://www.joomshaper.com/joomla-templates/helix3

PhoenixGB
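A worked example of the check in step 2 above, done against a database export instead of clicking through every template style. This is an added example, not JoomShaper code: it assumes Helix3 keeps the Custom Code fields in the `params` JSON of `#__template_styles` under the keys `custom_js`, `custom_css`, `before_head` and `before_body` (inferred from the admin labels; verify against one of your own rows), and the sample rows are constructed to resemble the payload posted earlier in this thread.

```python
"""Scan Joomla #__template_styles.params for injected JavaScript/HTML.

Added example, not JoomShaper code. Assumes the Helix3 template options are
stored as a JSON object in the `params` column and that the Custom Code
fields use the keys below (an assumption based on the admin labels).
"""
import json
import re

# Field names assumed to hold free-form code in the Helix3 params JSON.
CODE_FIELDS = ("custom_js", "custom_css", "before_head", "before_body")

# Heuristics drawn from the defacement script posted in this thread plus
# generic signs of a stored payload; tune to your own baseline.
SUSPICIOUS = [
    (r"document\.body\.innerHTML\s*=", "rewrites whole page body"),
    (r"document\.title\s*=", "rewrites document title"),
    (r"hacked\s+by", "defacement string"),
    (r"z-index\s*:\s*2147483647", "max z-index overlay"),
    (r"\beval\s*\(|\batob\s*\(|String\.fromCharCode", "obfuscation primitive"),
    (r"<script[^>]*\ssrc\s*=\s*['\"]?https?://", "remote script include"),
    (r"<iframe", "injected iframe"),
]
COMPILED = [(re.compile(p, re.I), why) for p, why in SUSPICIOUS]


def scan_params(style_id, params_json):
    """Return a list of (style_id, field, reason, snippet) findings."""
    findings = []
    try:
        params = json.loads(params_json) if params_json else {}
    except json.JSONDecodeError:
        # Joomla writes JSON here; anything unparsable deserves a look.
        return [(style_id, "params", "params column is not valid JSON", params_json[:60])]
    if not isinstance(params, dict):
        return findings
    for field in CODE_FIELDS:
        value = params.get(field) or ""
        if not isinstance(value, str):
            continue
        for rx, why in COMPILED:
            m = rx.search(value)
            if m:
                start = max(0, m.start() - 20)
                findings.append((style_id, field, why, value[start:m.end() + 20]))
    return findings


def scan_rows(rows):
    """rows: iterable of (id, template, params) tuples, e.g. the result of
    SELECT id, template, params FROM <prefix>_template_styles."""
    out = []
    for style_id, template, params in rows:
        out.extend(scan_params(f"{template}#{style_id}", params))
    return out


# Constructed sample rows standing in for a database export (not real data).
SAMPLE_ROWS = [
    (9, "shaper_helix3", json.dumps({
        "custom_css": "body{font-family:Arial}",
        "custom_js": "jQuery(function($){$('.sp-megamenu-parent').addClass('ready');});",
        "before_head": "",
    })),
    (10, "shaper_helix3", json.dumps({
        "custom_css": "",
        "custom_js": ("document.addEventListener('DOMContentLoaded',function(){"
                      "document.title='Hacked by Antonkill';"
                      "document.body.innerHTML='<div style=\"position:fixed;z-index:2147483647\">...</div>';});"),
        "before_head": "<script src=\"https://cdn.example.invalid/x.js\"></script>",
    })),
    (11, "cassiopeia", ""),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(*finding, sep=" | ")
```

Feed it the rows from `SELECT id, template, params FROM <prefix>_template_styles`. A hit on any style is a reason to restore that row from a clean backup rather than hand-edit the one field, since the same write that set Custom JavaScript also reset the other template options according to the report above. The renamed Super User mentioned at the top of the thread is a separate thing to check: removing the script does not remove the account that was used to store it.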
Accepted Answer
21 hours ago #227466

Yeah, it's a worry: once they find you they look for sites built by you, clients don't pay for maintenance and then suddenly you have screaming clients and a shitload of work to do, usually for nothing in return.

ZAHNER
Accepted Answer
21 hours ago #227469

Yes, I just ran the updates for Helix3; I'll see if the hacker tries again, since they had managed to get in just an hour ago. Many thanks.

PhoenixGB
Accepted Answer
21 hours ago #227472

Interesting, the malicious code WAS still in the Custom JavaScript as well as in the Before Head section, so getting a fix is good, BUT we ALL want to know: HOW WAS THIS DONE?

Another side note: it might be an idea to make the version of these plugins visible. Also, would using RSFirewall have prevented this?

If so, spending €102 for the year to cover all sites is worth it, as it saves on all the grief and screamers.

Let me know please.

Paul
Accepted Answer
13 hours ago #227542

Hi, my websites are attacked and hacked, too. The same shitty person (Hacked by Antonkill).

Atick Eashrak Shuvo
Accepted Answer
Support Agent 13 hours ago #227543

Hi,

We sincerely apologize for the inconvenience.

Please follow the steps below to resolve the issue:

  1. Go to Site Template Styles → Your Template → Template Options → Custom Code → Custom JavaScript.
  2. Check for any suspicious or unknown JavaScript code and remove it. This should remove the injected message if it was added through the template's Custom JavaScript field.
  3. After that, please update both the System - Helix3 Framework plugin and the Helix3 - Ajax plugin to the latest version (v3.1.2).

If you do not see an update notification in your Joomla dashboard, you can download the latest Helix3 package from the following page and install it via Extensions → Install:

https://www.joomshaper.com/joomla-templates/helix3

Rafael Cavalcante Teixeira
Accepted Answer
13 hours ago #227545

After restoring a clean backup, I applied some additional hardening measures to all my Joomla websites.

  1. Enable Joomla's .htaccess. Rename Joomla's default file htaccess.txt to .htaccess. Then, after the RewriteEngine On line, add the following rule to block known malicious requests targeting SP Page Builder:

```apache
# Block known SP Page Builder exploit attempts
RewriteCond %{QUERY_STRING} (^|&)option=com_sppagebuilder(&|$) [NC]
RewriteCond %{QUERY_STRING} (^|&)task=(asset.uploadCustomIcon|asset%2euploadCustomIcon)(&|$) [NC]
RewriteRule ^ - [F,L]
```

  2. Prevent PHP execution in upload directories. Create a .htaccess file with the following content inside each of these directories: /tmp, /cache, /images, /media, /logs

```apache
# Deny direct requests for PHP files in this directory (Apache 2.4 syntax).
# The dot is escaped so that only a real ".php"-style extension matches.
<FilesMatch "\.(php|php3|php4|php5|php7|php8|phtml|phar)$">
    Require all denied
</FilesMatch>
```

Benefits:
  • Prevents execution of uploaded PHP backdoors.
  • Reduces the impact of file upload vulnerabilities.
  • Makes reinfection more difficult after cleaning a compromised site.
  • Adds an extra layer of protection without affecting normal Joomla operation.
  • Complements regular updates of Joomla, templates, and extensions.

These measures are not a replacement for keeping Joomla and all extensions updated, but they provide an effective additional layer of defense for any Joomla installation.

Can one of the JoomShaper developers comment on whether I am correct and if this actually helps?

Paul Frankowski
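To see what the first rule in the post above does and does not cover, here is an added example (not the poster's or JoomShaper's code) that re-implements the two RewriteCond patterns in Python over the raw query string, which is how mod_rewrite evaluates %{QUERY_STRING} (it is not percent-decoded), and compares them with the same check on decoded parameters, which is what Joomla's input layer sees. The task name is taken from the post as given; the probe strings are constructed, not captured traffic.

```python
"""Compare the raw-query-string .htaccess rule with a decoded-parameter check.

Added example, not JoomShaper's or the poster's code. The two regexes below
are the RewriteCond patterns from the post, applied [NC] to the raw query
string exactly as mod_rewrite does.
"""
import re
from urllib.parse import parse_qs

RAW_OPTION = re.compile(r"(^|&)option=com_sppagebuilder(&|$)", re.I)
RAW_TASK = re.compile(
    r"(^|&)task=(asset.uploadCustomIcon|asset%2euploadCustomIcon)(&|$)", re.I)


def htaccess_rule_blocks(query_string):
    """True when both RewriteConds match, i.e. the [F] rule would fire."""
    return bool(RAW_OPTION.search(query_string) and RAW_TASK.search(query_string))


def decoded_check_blocks(query_string):
    """Same intent, evaluated on percent-decoded parameter values."""
    params = parse_qs(query_string, keep_blank_values=True)
    options = [v.lower() for v in params.get("option", [])]
    tasks = [v.lower() for v in params.get("task", [])]
    return "com_sppagebuilder" in options and "asset.uploadcustomicon" in tasks


# Constructed probe query strings; none of these are real captured traffic.
PROBES = {
    "plain": "option=com_sppagebuilder&task=asset.uploadCustomIcon",
    "dot_encoded": "option=com_sppagebuilder&task=asset%2EuploadCustomIcon",
    "letter_encoded": "option=com_sppagebuilder&task=%61sset.uploadCustomIcon",
    "underscore_encoded": "option=com%5Fsppagebuilder&task=asset.uploadCustomIcon",
    "benign": "option=com_sppagebuilder&view=page&id=1",
}


def compare(probes=PROBES):
    """Return {name: (htaccess_blocks, decoded_blocks)} for each probe."""
    return {name: (htaccess_rule_blocks(q), decoded_check_blocks(q))
            for name, q in probes.items()}


if __name__ == "__main__":
    for name, (raw, dec) in compare().items():
        print(f"{name:20s} htaccess={raw!s:5s} decoded={dec}")
```

The last two probes pass the .htaccess rule but fail the decoded check, because Apache matches the undecoded string while Joomla reads the decoded value; and a request that sends `option` and `task` in a POST body never touches %{QUERY_STRING} at all. So the rule is a reasonable tripwire for the most common scanner traffic, not a substitute for the vendor patch.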
Accepted Answer
Senior Staff 11 hours ago #227554

If a clients site gets hacked and they haven't/won't pay for updates how do you handle it?

This is one of the most stressful situations you can face as a host and webmaster. When a hacked site is on your own hosting server, it's no longer just their problem—it’s a massive security threat to your server's IP reputation, your other clients, and your infrastructure.

If the only service you provide for them is HOSTING, your deal doesn't include cleaning or securing the site. The same would be with a car garage if vandals destroyed the car inside instead of the solid doors.

We all know this is not an easy topic; probably you have to talk with the client about his WEB REPUTATION. A hacked website (whether it is WP or Joomla) doesn't look good.

You can write to client this kind of message:

"Hi [Client ABC], during a routine security scan of our server, we detected malicious code and unauthorized access on your website. To protect the server and our other network users, we have temporarily suspended your site's public access. As noted in our hosting agreement, keeping core software and plugins updated is required to maintain server security. Because the site was left un-updated, it became vulnerable. To restore your site, it must be completely cleaned and updated. We can handle this for a one-time emergency recovery fee of $40, or you can hire an external security professional to clean it before we can reactivate the account. Please let us know how you would like to proceed. "

BTW, sometimes you have to work for free for the whole day to save a few solid customers.
