HACKED BY ANTONKILL - Question | JoomShaper

HACKED BY ANTONKILL

associazione

associazione

General 1 week ago

Hi, I noticed my site was hacked and followed your email instructions to update Helix 3.1.12, the framework plugin. I performed all the urgent updates requested, but the site is still not visible. How can I proceed? Thanks for your help.

0
17 Answers
Atick Eashrak Shuvo
Atick Eashrak Shuvo
Accepted Answer
Support Agent 5 days ago #228201
0
Atick Eashrak Shuvo
Atick Eashrak Shuvo
Accepted Answer
Support Agent 1 week ago #227606

Hi,

Thank you for reaching out and for providing detailed information about the incident. We understand the urgency of the situation and apologize for the inconvenience this has caused.

If you have a clean and verified backup from before the compromise, we recommend restoring that backup first. After confirming the website is clean, update both the System - Helix3 Framework and Helix3 - Ajax plugins to the latest version (v3.1.2). This is the safest and most reliable recovery approach.

If you do not have a clean backup available, please follow these steps:

  1. Go to Site Template Styles → Your Template → Template Options → Custom Code → Custom JavaScript.
  2. Check the Custom JavaScript field for any suspicious or unknown JavaScript code. If you find any injected code, remove it and save the changes. This should remove the malicious message if it was injected through the template settings.
  3. Update both the System - Helix3 Framework plugin and the Helix3 - Ajax plugin to the latest version (v3.1.2).

If the update is not available through your Joomla Update Manager, you can download the latest Helix3 package from the following page and install it manually via Extensions → Install:

https://www.joomshaper.com/joomla-templates/helix3

Please note that when updating Helix3, some template settings—such as the logo, Custom CSS, and other template configuration options—may need to be reconfigured manually afterward. We recommend taking screenshots or exporting your current template settings, if possible, before performing the update.

If the website has been compromised beyond the injected JavaScript, we also recommend performing a full security audit of the Joomla installation, including checking core files, third-party extensions, administrator accounts, and the hosting environment to ensure no additional malicious files or backdoors remain.

Best regards

0
associazione
associazione
Accepted Answer
1 week ago #227627

Thanks for your reply. I've performed the requested updates, but the site is still unavailable. I noticed some strange CSS strings, but I don't have the knowledge to maintain the correct ones and delete the hacked ones. What can I do?

0
Atick Eashrak Shuvo
Atick Eashrak Shuvo
Accepted Answer
Support Agent 1 week ago #227637

Hi there!

Thank you for bringing this to our attention, and I sincerely apologize for the inconvenience caused.

To assist you more effectively, may I kindly request temporary administrative access to your site? This will allow me to thoroughly investigate and resolve the issue for you.

Before sharing the credentials, I strongly recommend taking a complete backup of your site to ensure all data remains secure.

Looking forward to your response.

Best regards

0
associazione
associazione
Accepted Answer
1 week ago #227896

.

0
Atick Eashrak Shuvo
Atick Eashrak Shuvo
Accepted Answer
Support Agent 6 days ago #227990

Hi,

Thank you for reaching out and for providing detailed information about the incident. We understand the urgency of the situation and apologize for the inconvenience this has caused.

If you have a clean and verified backup from before the compromise, we recommend restoring that backup first. After confirming the website is clean, update both the System - Helix3 Framework and Helix3 - Ajax plugins to the latest version (v3.1.2). This is the safest and most reliable recovery approach.

If you do not have a clean backup available, please follow these steps:

  1. Go to Site Template Styles → Your Template → Template Options → Custom Code → Custom JavaScript.
  2. Check the Custom JavaScript field for any suspicious or unknown JavaScript code. If you find any injected code, remove it and save the changes. This should remove the malicious message if it was injected through the template settings.
  3. Update both the System - Helix3 Framework plugin and the Helix3 - Ajax plugin to the latest version (v3.1.2).

If the update is not available through your Joomla Update Manager, you can download the latest Helix3 package from the following page and install it manually via Extensions → Install:

https://www.joomshaper.com/joomla-templates/helix3

Please note that when updating Helix3, some template settings—such as the logo, Custom CSS, and other template configuration options—may need to be reconfigured manually afterward. We recommend taking screenshots or exporting your current template settings, if possible, before performing the update.

If the website has been compromised beyond the injected JavaScript, we also recommend performing a full security audit of the Joomla installation, including checking core files, third-party extensions, administrator accounts, and the hosting environment to ensure no additional malicious files or backdoors remain.

Best regards

0
M
massimo
Accepted Answer
1 week ago #227624

Hi, I can confirm that I am experiencing exactly the same issue on multiple Joomla 3 websites. I currently manage several Joomla websites, and during the last few days three different Joomla 3.10.12 websites have been compromised in exactly the same way.

In every case I found malicious code injected into Template Style → Template Options → Custom Code.

For two websites, the attacker injected code into:

  • Before </head>
  • Custom CSS
  • Custom JavaScript

For another website, the malicious code was injected only into Custom JavaScript.

One of my hosting providers analyzed the server logs and informed me that the suspected attack vector may be related to the recently disclosed vulnerabilities CVE-2026-48907 and CVE-2026-48908.

All affected websites are running:

  • Joomla 3.10.12
  • SP Page Builder 3.8.10
  • Helix 3

I understand that Joomla 3 is End of Life, and whenever possible I migrate my clients to newer Joomla versions. However, not every client is willing or able to migrate immediately, so many websites must temporarily remain on Joomla 3 while still needing the highest possible level of security.

Could you please clarify:

  • Is SP Page Builder 3.8.10 affected by these vulnerabilities?
  • Is updating only Helix sufficient, or should SP Page Builder also be updated?
  • Is there an official security advisory or recommended mitigation for websites that must temporarily remain on Joomla 3?

Thank you very much for your support.

0
Atick Eashrak Shuvo
Atick Eashrak Shuvo
Accepted Answer
Support Agent 1 week ago #227625

Hi,

Thank you for providing the detailed information about your investigation.

Please note that the recent security updates for SP Page Builder apply only to SP Page Builder 4, 5, and 6. SP Page Builder 3 is not affected by CVE-2026-48907 and CVE-2026-48908, as those vulnerabilities do not exist in the SP Page Builder 3 codebase.

Based on the information you've shared, the issue you are experiencing is consistent with the recently identified Helix3 security vulnerability, rather than SP Page Builder 3.

To secure your Joomla 3 websites, please update both of the following Helix3 extensions to the latest available version (v3.1.2):

  • System - Helix3 Framework
  • Helix3 - Ajax

You can download the latest Helix3 package from here:

Helix3 Download Page

After downloading the package, install or update both plugins to v3.1.2. This version is fully compatible with Joomla 3 and includes the necessary security fixes. We also recommend thoroughly inspecting your websites for any remaining malicious code, unauthorized administrator accounts, and other indicators of compromise to ensure the websites have been completely cleaned.

If you continue to experience any issues after applying the updates, please let us know and we'll be happy to assist you further.

0
M
massimo
Accepted Answer
1 week ago #227626

Hi, Thank you very much for your prompt and detailed clarification. That makes perfect sense. You are absolutely right: the reference to CVE-2026-48907 and CVE-2026-48908 came from my hosting provider's investigation, but it was related to a different website running Joomla 5 with a newer version of SP Page Builder. The three Joomla 3 websites I mentioned are a separate case, and your explanation regarding the recently identified Helix3 security vulnerability helps clarify the situation. I really appreciate your support and the technical explanation. I will update both the System - Helix3 Framework and Helix3 - Ajax plugins to version 3.1.2 and continue checking the affected websites for any remaining malicious code or indicators of compromise.

Thank you again for your assistance and for the excellent support. Best regards

0
Paul Frankowski
Paul Frankowski
Accepted Answer
Senior Staff 1 week ago #227629

About cleaning, please use our script > https://github.com/zkrana/joomla-security-scanner

It also clean malware from Template db

0
associazione
associazione
Accepted Answer
1 week ago #227827

Thanks for your advice but unfortunately when I connected to the link indicated a virus was installed... trojan w.32!

0
M
massimo
Accepted Answer
1 week ago #227633

Thank you. I really appreciate your help and all the information you and your team have provided. I will definitely use the scanner along with the Helix3 updates during the cleanup process. Thank you again for your excellent support.

0
associazione
associazione
Accepted Answer
1 week ago #227824

reply in hidden content

0
Atick Eashrak Shuvo
Atick Eashrak Shuvo
Accepted Answer
Support Agent 6 days ago #227986

Please recheck the credentials you have provided

0
associazione
associazione
Accepted Answer
6 days ago #227993

Did it! in hidden

0
Atick Eashrak Shuvo
Atick Eashrak Shuvo
Accepted Answer
Support Agent 6 days ago #228083

I apologize for the inconvenience caused. Could you please check now and let me know if the issue is resolved on your end?

Looking forward to your response.

Best regards

0
associazione
associazione
Accepted Answer
6 days ago #228092

hidden

0