URGENT: Multiple Websites Hacked By AntonKill - Question | JoomShaper

Moni

Helix Framework 9 hours ago

Hi!

We urgently need your guidance regarding a serious security incident.

At this point, four different websites have been compromised. These websites are hosted on different servers, so this does not appear to be related to a single hosting environment.

All affected websites are running the latest version of SP Page Builder. However, they are also using Helix3.

While investigating, we found the recent discussions in your forum regarding the Helix3 security vulnerability. We also noticed several recent reports from other users describing similar incidents, including the thread titled "Hacked By AntonKill", which suggests this may be part of a broader wave of attacks rather than isolated cases.

At the same time, we found multiple reports indicating that updating Helix3 has caused some websites to break or become inaccessible.

This leaves us in a very difficult situation:

We are concerned about keeping the current Helix3 version installed. We are also concerned that updating Helix3 may cause our production websites to fail, based on the reports in your forum.

For the moment, we have temporarily redirected the affected domains to working copies hosted on another server while we investigate the incident.

Could you please advise us on the safest recovery procedure?

Specifically:

  • Do you recommend restoring clean backups first and then updating Helix3?
  • Is there a recommended update procedure to avoid breaking existing websites?
  • Are there any additional cleanup steps that should be performed before applying the Helix3 security update?
  • Are you aware of any compatibility issues with the current Helix3 update that administrators should consider before deploying it?

This issue is affecting multiple production websites, and we would greatly appreciate your official recommendation on the safest way to proceed.

Thank you very much for your assistance.

Best regards

0
2 Answers
Pascal - HTProtect.org
Accepted Answer
8 hours ago #227572

Hi Moni,

In all the Helix3-only hack cases I saw yesterday, it was sufficient to restore the template options from a database backup after upgrading Helix3, as described here.

What kind of problems are you experiencing after upgrading Helix3?

If you need immediate protection without upgrading, you could try this: https://www.joomshaper.com/forum/question/45478#qa-answer-227511

But normally, there shouldn't be any major issues with the latest Helix3 version apart from the corrupted template options, which need to be restored manually or from a database backup.

Kind regards,

Pascal

0
Atick Eashrak Shuvo
Accepted Answer
Support Agent 4 hours ago #227574

Hi,

Thank you for reaching out and for providing detailed information about the incident. We understand the urgency of the situation and apologize for the inconvenience this has caused.

If you have a clean and verified backup from before the compromise, we recommend restoring that backup first. After confirming the website is clean, update both the System - Helix3 Framework and Helix3 - Ajax plugins to the latest version (v3.1.2). This is the safest and most reliable recovery approach.

If you do not have a clean backup available, please follow these steps:

  1. Go to Site Template Styles → Your Template → Template Options → Custom Code → Custom JavaScript.
  2. Check the Custom JavaScript field for any suspicious or unknown JavaScript code. If you find any injected code, remove it and save the changes. This should remove the malicious message if it was injected through the template settings.
  3. Update both the System - Helix3 Framework plugin and the Helix3 - Ajax plugin to the latest version (v3.1.2).

If the update is not available through your Joomla Update Manager, you can download the latest Helix3 package from the following page and install it manually via Extensions → Install:

https://www.joomshaper.com/joomla-templates/helix3

Please note that when updating Helix3, some template settings—such as the logo, Custom CSS, and other template configuration options—may need to be reconfigured manually afterward. We recommend taking screenshots or exporting your current template settings, if possible, before performing the update.

If the website has been compromised beyond the injected JavaScript, we also recommend performing a full security audit of the Joomla installation, including checking core files, third-party extensions, administrator accounts, and the hosting environment to ensure no additional malicious files or backdoors remain.

Best regards

0
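An offline version of the Custom JavaScript check from the steps above, as an added example that is not part of the original answers or JoomShaper's own code: it reviews rows exported from Joomla's `#__template_styles` table and lists every non-empty custom-code field with the reasons it looks suspicious. The option keys `custom_js`, `custom_css`, `before_head` and `before_body` are assumptions about how Helix3 names these fields, and the sample rows are constructed; confirm the keys against your own `params` JSON.

```python
import json
import re

# Assumed Helix3 option keys holding free-form code; confirm against your own params JSON.
CODE_FIELDS = ("custom_js", "custom_css", "before_head", "before_body")

# Heuristics only: constructs that rarely belong in a template's custom-code fields.
SUSPICIOUS = {
    "script tag": re.compile(r"<\s*script", re.I),
    "external URL": re.compile(r"https?://", re.I),
    "dynamic evaluation": re.compile(r"\b(eval|atob|unescape)\s*\(|fromCharCode", re.I),
    "page rewrite": re.compile(r"document\.(write|body\.innerHTML|title)\b", re.I),
    "defacement text": re.compile(r"hacked\s+by", re.I),
}

def audit_template_styles(rows):
    """rows: (id, template, params) tuples exported from #__template_styles.
    Returns one finding per non-empty code field, plus one per unreadable row."""
    findings = []
    for style_id, template, raw in rows:
        try:
            params = json.loads(raw or "{}")
        except json.JSONDecodeError:
            params = None
        if not isinstance(params, dict):
            # Unreadable options are worth a look: the page mentions corrupted template options.
            findings.append({"id": style_id, "template": template, "field": None,
                             "reasons": ["params is not a JSON object"], "value": raw})
            continue
        for field in CODE_FIELDS:
            value = params.get(field)
            if not isinstance(value, str) or not value.strip():
                continue
            reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(value)]
            findings.append({"id": style_id, "template": template, "field": field,
                             "reasons": reasons, "value": value})
    return findings

# Constructed sample rows (not taken from any real site).
SAMPLE_ROWS = [
    (9, "shaper_helix3", json.dumps({
        "custom_js": "document.body.innerHTML = 'Hacked By AntonKill';",
        "custom_css": ".logo{max-height:40px}"})),
    (10, "cassiopeia", json.dumps({"brand": "1"})),
    (11, "shaper_helix3", "{truncated"),
]

if __name__ == "__main__":
    for f in audit_template_styles(SAMPLE_ROWS):
        verdict = "SUSPICIOUS: " + ", ".join(f["reasons"]) if f["reasons"] else "review manually"
        print(f"style {f['id']} ({f['template']}) {f['field']}: {verdict}")
```

A field reported with no reasons is not cleared; it only means none of the heuristics matched, so compare its content with what you or a known-good backup put there.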