Urgent Help Needed – SP Page Builder Malware Reinfection On Multiple Joomla Websites - Question | JoomShaper

Urgent Help Needed – SP Page Builder Malware Reinfection On Multiple Joomla Websites

G

Graficherò

SP Page Builder 1 week ago

Urgent Help Needed – SP Page Builder Malware Reinfection on Multiple Joomla Websites

I am dealing with a very serious security issue related to the recent SP Page Builder vulnerability, and I urgently need help.

I followed the official instructions and ran the security-scanner.php script. The scanner successfully detected and removed a large number of malicious files. However, within a few minutes, all the malicious files reappeared, and the websites became reinfected.

Unfortunately, this is not happening on a single website: I have multiple Joomla websites showing exactly the same behavior.

At this point, I suspect that either:

there is still an active persistence mechanism on the server, some compromised administrator accounts or extensions remain, or the attacker still has access through another entry point.

I honestly don't know how to proceed safely from here. I would be extremely grateful if someone could:

explain the correct recovery procedure step by step, or provide professional assistance to clean and secure the websites.

Any advice or direct help would be greatly appreciated, because I am currently unable to stop the reinfections.

Thank you very much.

0
2 Answers
PH
Pascal - HTProtect.org
Accepted Answer
1 week ago #227759

Unfortunately, this is not happening on a single website: I have multiple Joomla websites showing exactly the same behavior.

Are the websites hosted on the same webspace? It's always best to isolate each site (separate account/server user), as a malware infection can spread across the entire webspace.

If there are persistent background processes, you could ask your hosting provider to terminate all running processes.

Alternatively, create a new document root. For example:

Before: /html/site1/ After: /html/site1/cleaned/

Then point your domain to the new location. Any background process targeting the old directory won't write into the new one.

As for the malicious files, it's always best to restore a clean backup (if one is available), because malware scanners rarely detect every malicious file.

That's also one of the reasons why .htaccess hardening is a good idea. It can prevent PHP execution in directories where it's not needed, adding another layer of protection.

See https://www.joomshaper.com/forum/question/45532#qa-answer-227754 for more information.

0
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 1 week ago #227795

Hello,

Thanks for reaching out to us. Could you please share temporary administrator access to your Joomla backend? You can provide the credentials securely in the hidden content section. Also, please take a full backup of your site before we make any changes.

Once I have access, I’ll investigate further and see what’s causing the issue. Let me know once you’ve shared the details!

Best regards,

0