Possible Helix3 Com_ajax Security Issue - Deface Files Created On Multiple Joomla Sites - Question | JoomShaper

Possible Helix3 Com_ajax Security Issue - Deface Files Created On Multiple Joomla Sites

MC

Manolis Chatzigeorgiadis

Helix Framework 1 week ago

Hello JoomShaper team,

We detected a security incident on multiple Joomla websites using Helix3.

Affected Helix3 versions:

  • alexinsure.gr: System - Helix3 Framework 2.5.8, shaper_helix3 template 2.5.8
  • artion-ee.gr: System - Helix3 Framework 3.0.3, shaper_helix3 template 3.0.3
  • agro-center.gr: Helix3 Framework 1.0 / shaper_helix3 template 2.5.8 in an additional installation

On 2026-07-06, the same remote IP address 191.101.208.74 sent POST requests to:

/index.php?option=com_ajax&plugin=helix3&format=json

Immediately after these POST requests, deface files named cox.json were created in paths such as:

/httpdocs/cox.json /httpdocs/images/cox.json /httpdocs/media/cox.json /httpdocs/templates/cox.json

Malicious file content: "hacked by trenggalek6etar"

Imunify360 detection: SMW-BLKH-SA-CLOUDAV-txt.deface-22802-3

Examples:

  • agro-center.gr: POST at 20:05:41, cox.json created at 20:05:41
  • alexinsure.gr: POST at 20:06:23, cox.json created at 20:06:23
  • artion-ee.gr: POST at 20:08:43, cox.json created at 20:08:43

We temporarily blocked public access to the Helix3 com_ajax endpoint at Apache level and removed the malicious files.

We noticed Helix3 3.1.1 was released as a security update. Can you please confirm if this incident matches the recent Helix3 vulnerability and advise the safest upgrade path from 2.5.8 / 3.0.3 / 1.0 to the latest fixed version?

0
1 Answers
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 1 week ago #227839

Hello,

We sincerely apologize for the inconvenience.

Please follow the steps below to resolve the issue:

Go to Site Template Styles → Your Template → Template Options → Custom Code → Custom JavaScript. Check for any suspicious or unknown JavaScript code and remove it. This should remove the injected message if it was added through the template's Custom JavaScript field. After that, please update both the System - Helix3 Framework plugin and the Helix3 - Ajax plugin to the latest version (v3.1.2). If you do not see an update notification in your Joomla dashboard, you can download the latest Helix3 package from the following page and install it via Extensions → Install:

https://www.joomshaper.com/joomla-templates/helix3

Please follow the cleanup guide here: https://www.joomshaper.com/forum/question/45152 You can also use the following security scanner to help identify malicious files and delete them: https://github.com/zkrana/joomla-security-scanner

Please make sure to read the README.md file in the repository for instructions on how to run the tool. After completing the cleanup and upgrading to v6.6.2, please let us know the outcome or if you need any further assistance.

We'll be happy to help.

Thank you.

0