Site Hacked - Question | JoomShaper

Site Hacked

Jan Korshavn

Template 15 hours ago

Hi, After numerous attacks on all my sites the last couple of weeks, 6 got hacked due to the security issue in SPPB, I found that yet another site is hacked today.

Template is Shaper-Travelia, not Helix3, and SPPB was updated to the latest version more than a week ago.

Site is https://flr.no and now shows "Hacked ny Antonkill".

Do you have any information about security issues in this template, or any other problem concerning SPPB? Or could it be the Helix3 plugin that causes this?

Rgds, Jan Korshavn

0
7 Answers
Atick Eashrak Shuvo
Accepted Answer
Support Agent 14 hours ago #227534

Hi,

Thank you for reaching out, and I'm sorry to hear that you've been affected by these attacks.

To clarify, the security issue is not with the Helix3 template itself, but rather with the Helix3 plugins. The template you're using (Shaper Travelia) is a Helix3-based template, which relies on the Helix3 plugins. So the security issue in this case is related to the Helix3 plugins rather than the template.

If your site has already been compromised, the best approach is to restore it from a clean backup (if you have one) and then update the Helix3 plugins to the latest version.

If you don't have a clean backup available, please follow these steps:

  1. Go to Site → Template Styles → Your Template → Template Options → Custom Code → Custom JavaScript.

  2. Check for any suspicious or unfamiliar JavaScript code and remove it. If the defacement message was injected through the template's Custom JavaScript field, this should remove it.

  3. Update both of the following plugins to the latest version (v3.1.2):

    • System - Helix3 Framework
    • Helix3 - Ajax

If you don't see an update notification in your Joomla dashboard, you can download the latest Helix3 package from the following page and install it via Extensions → Install:

https://www.joomshaper.com/joomla-templates/helix3

Please note that updating the plugins will prevent the known vulnerability from being exploited again, but it will not automatically remove any malicious files or code that may already have been injected into the site. If the attacker has modified files beyond the Custom JavaScript field, you'll need to clean those manually or restore from a known clean backup.

Also, if your site has been compromised, after cleaning it up or restoring a backup, you may need to reconfigure some of your template settings, such as the site logo, Custom CSS, or other template options, as these settings may have been removed or altered during the cleanup process.

0
Jan Korshavn
Accepted Answer
14 hours ago #227537

Do all your templates rely on this plugin? If so, I should install the latest plugin immediately on all my sites using your templates.

0
Atick Eashrak Shuvo
Accepted Answer
Support Agent 14 hours ago #227539

We currently have two template frameworks:

  • Helix 3 – This is our older framework and is no longer recommended for new projects.
  • Helix Ultimate – This is our latest and actively maintained framework, designed to support the latest Joomla versions and receive ongoing updates.

If you're using one of our newer templates, it is built on Helix Ultimate. If you're using an older template, it is likely based on Helix 3.

0
Rafael Cavalcante Teixeira
Accepted Answer
15 hours ago #227529

My site was hacked too. How can I fix it? Apparently, code was injected due to a vulnerability in SP Page Builder that created files and code within Helix, breaking the layout and triggering a security warning.

0
Rafael Cavalcante Teixeira
Accepted Answer
13 hours ago #227546

After restoring a clean backup, I applied some additional hardening measures to all my Joomla websites.

Enable Joomla's .htaccess

Rename Joomla's default file:

    htaccess.txt

to:

    .htaccess

Then, after the RewriteEngine On line, add the following rule to block known malicious requests targeting SP Page Builder:

    # Block known SP Page Builder exploit attempts
    RewriteCond %{QUERY_STRING} (^|&)option=com_sppagebuilder(&|$) [NC]
    RewriteCond %{QUERY_STRING} (^|&)task=(asset\.uploadCustomIcon|asset%2euploadCustomIcon)(&|$) [NC]
    RewriteRule ^ - [F,L]

Prevent PHP execution in upload directories

Create a .htaccess file with the following content inside each of these directories:

  • /tmp
  • /cache
  • /images
  • /media
  • /logs

    <FilesMatch "\.(php|php3|php4|php5|php7|php8|phtml|phar)$">
        Require all denied
    </FilesMatch>

Benefits

  • Prevents execution of uploaded PHP backdoors.
  • Reduces the impact of file upload vulnerabilities.
  • Makes reinfection more difficult after cleaning a compromised site.
  • Adds an extra layer of protection without affecting normal Joomla operation.
  • Complements regular updates of Joomla, templates, and extensions.

These measures are not a replacement for keeping Joomla and all extensions updated, but they provide an effective additional layer of defense for any Joomla installation.

Can one of the JoomShaper developers comment on whether I am correct and if this actually helps?

0
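An audit of the hardening described in the post above, as an added example that is not part of the original thread or JoomShaper's code: it reports which of the five listed directories lack the "Require all denied" block and which script files already sit below them. The function names, the rule-matching heuristic and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Directories and extensions taken from the post above.
UPLOAD_DIRS = ("tmp", "cache", "images", "media", "logs")
PHP_EXT = re.compile(r"\.(php|php3|php4|php5|php7|php8|phtml|phar)$", re.I)
# Heuristic (assumption): a FilesMatch naming php, followed by the deny directive.
DENY_BLOCK = re.compile(r'<FilesMatch\s+"[^"]*php[^"]*">\s*Require\s+all\s+denied', re.I)

def audit(docroot):
    """Return (directories lacking the deny rule, script files found below them)."""
    unprotected, scripts = [], []
    for name in UPLOAD_DIRS:
        top = os.path.join(docroot, name)
        if not os.path.isdir(top):
            continue
        try:
            with open(os.path.join(top, ".htaccess"), encoding="utf-8", errors="replace") as fh:
                protected = bool(DENY_BLOCK.search(fh.read()))
        except OSError:  # no .htaccess at all, or unreadable
            protected = False
        if not protected:
            unprotected.append(name)
        for folder, _dirs, files in os.walk(top):
            for f in files:
                if PHP_EXT.search(f):
                    scripts.append(os.path.relpath(os.path.join(folder, f), docroot))
    return unprotected, sorted(scripts)

def build_sample_tree():
    """Constructed sample docroot: 'images' protected, 'tmp' not, one script file in tmp."""
    root = tempfile.mkdtemp(prefix="joomla-audit-")
    rule = '<FilesMatch "\\.(php|phtml|phar)$">\n  Require all denied\n</FilesMatch>\n'
    for name in ("images", "tmp"):
        os.makedirs(os.path.join(root, name, "sub"))
    with open(os.path.join(root, "images", ".htaccess"), "w") as fh:
        fh.write(rule)
    open(os.path.join(root, "tmp", "sub", "icon.PHP"), "w").close()
    open(os.path.join(root, "images", "logo.png"), "w").close()
    return root

if __name__ == "__main__":
    missing, found = audit(build_sample_tree())
    print("no deny rule:", missing)
    print("script files:", found)
```

Script files in the second list need manual review: the deny rule stops Apache from executing them but does not remove them.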
Laurent Robin
Accepted Answer
11 hours ago #227552

One of my clients has been hacked the same way. Unfortunately, checking for extension updates is not a daily nor a weekly process. At least the Joomshaper Team have the emails from all their customers and nothing has been done to inform them. This is just unprofessional!! At least you must email all your customers when a security breach has been detected or a new patch is available. Please do that next time. It will help us much more than belated apologies and manual fixes. Thank you.

0
Pascal - HTProtect.org
Accepted Answer
10 hours ago #227558

I have built a free, vendor-independent solution for automatic Joomla security updates, including a live WAF feed and automatic extension updates. Email notifications alone are not enough - people go on vacation, emails get buried, or they are simply ignored.

0