Joomla Hacked via SP Page Builder 6.6.1 Zero-Day (English)

Detection, Cleanup and Prevention (June 2026)

In this article we document the complete detection and cleanup process for this infection on Joomla sites running SP Page Builder 6.6.1 or earlier versions: how to identify webshells, remove persistent backdoors injected into .htaccess and .user.ini, revoke unauthorized SSH access, clear malicious crontabs, and permanently close the vulnerability by updating to SP Page Builder 6.6.2.

  • Initial symptom: HTTP 500 error on Joomla sites when `.htaccess` was active. Removing it made the site load normally.
  • Entry point: Zero-day in SP Page Builder ≤ 6.6.1 — the `asset.uploadCustomIcon` endpoint had no authentication check, allowing anyone to upload PHP files to the server without any login. Fix: update to 6.6.2 immediately.

What the Attacker Left Behind

  • Webshell with remote command execution via `?cmd=`
  • Full PHP file manager with access to the entire server
  • `auto_prepend_file` injected into `.htaccess` and `.user.ini` pointing to the webshell
  • Fake Super Administrator account in Joomla with `@secure.local` email
  • SSH key installed in `/home/user/authorized_keys` or in `.ssh/authorized_keys`
  • Crontab entry that reinstalls the malware every 5 minutes
  • Hidden copies of the malware in `/images/`, `/media/`, `/tmp/` with random dot-prefixed filenames

Cleanup Process — In This Order:

1. Confirm your site is actually infected
Check all `.htaccess` files for `auto_prepend_file`
Check all `.user.ini` files for `auto_prepend_file`
Open the referenced file; if it calls `shell_exec`, `exec` or `system`, it is a webshell

2. Stop persistence first
Check and clear Cron Jobs in cPanel
Find and delete `/home/user/authorized_keys` if it exists, or check `.ssh/authorized_keys`
Search for hidden PHP files in `/images/`, `/media/`, `/tmp/` (we used FileZilla to detect these files)

3. Remove malicious files
Delete all webshells and their folders
Remove the `auto_prepend_file` line from `.htaccess` and `.user.ini`
Check `templates/***/index.php` — remove malicious `@include_once` at the top of the file
Check `configuration.php` — remove malicious `@include_once` at the top of the file

4. Clean Joomla
Delete Super Administrator accounts with `@secure.local` emails
Check installed extensions in the database for unrecognized components
Review recently modified content

5. Revoke compromised access
Change cPanel password
Change the passwords of all database users
Update `configuration.php` with the new database user and password
Change Joomla administrator passwords
Enable 2FA on the Joomla administrator panel if possible

6. Close the vulnerability
Update SP Page Builder to 6.6.2
Verify the version in the database (replace `prefix_` with your table prefix): `SELECT element, JSON_UNQUOTE(JSON_EXTRACT(manifest_cache, '$.version')) as version FROM prefix_extensions WHERE element = 'com_sppagebuilder';`
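As an added example that is not part of the original article, the POSIX shell script below automates the checks from steps 1 to 3 (the `auto_prepend_file` directives and the file they point to, hidden dot-prefixed PHP files in the asset folders, and an `@include_once` injected at the top of `configuration.php` or a template `index.php`). It builds a constructed webroot fixture so it runs offline; the template name `cassiopeia`, the file name `.x1.php` and the fixture paths are assumptions.

```shell
#!/bin/sh
# Constructed Joomla webroot fixture (sample data, not a real site) so the checks run offline.
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/images" "$ROOT/media" "$ROOT/templates/cassiopeia"
printf 'php_value auto_prepend_file "%s/images/.x1.php"\n' "$ROOT" > "$ROOT/.htaccess"
printf 'auto_prepend_file = "%s/images/.x1.php"\n' "$ROOT" > "$ROOT/.user.ini"
printf '<?php @include_once "/tmp/.cache.php";\ndefine("_JEXEC", 1);\n' > "$ROOT/templates/cassiopeia/index.php"
printf '<?php\nclass JConfig { public $dbtype = "mysqli"; }\n' > "$ROOT/configuration.php"
printf '<?php shell_exec("uptime");\n' > "$ROOT/images/.x1.php"   # carries the indicator only
printf '<?php echo "legit";\n' > "$ROOT/media/ok.php"

# Step 1: every .htaccess / .user.ini under the webroot that sets auto_prepend_file
find_prepend_directives() {
  find "$1" \( -name .htaccess -o -name .user.ini \) -type f -exec grep -l 'auto_prepend_file' {} + 2>/dev/null
  return 0
}

# The path those directives point to (handles both the php_value and the ini syntax)
referenced_prepend_files() {
  find "$1" \( -name .htaccess -o -name .user.ini \) -type f -exec grep -h 'auto_prepend_file' {} + 2>/dev/null \
    | sed -E 's/.*auto_prepend_file[[:space:]]*=?[[:space:]]*"?([^" ]+)"?.*/\1/' | sort -u
  return 0
}

# Step 1 (continued): does the referenced file call one of the command-execution functions?
is_webshell_candidate() {
  grep -Eq '(shell_exec|exec|system)[[:space:]]*\(' "$1"
}

# Step 2: hidden dot-prefixed PHP files in the asset folders the attacker used
find_hidden_php() {
  for d in images media tmp; do
    [ -d "$1/$d" ] || continue
    find "$1/$d" -type f -name '.*.php'
  done
}

# Step 3: @include_once in the first lines of configuration.php or a template index.php
find_injected_includes() {
  find "$1" \( -path '*/templates/*/index.php' -o -name configuration.php \) -type f | while read -r f; do
    head -n 3 "$f" | grep -q '@include_once' && echo "$f"
  done
  return 0
}

# Stand-alone report over the fixture
for f in $(referenced_prepend_files "$ROOT"); do
  is_webshell_candidate "$f" && echo "webshell indicator: $f"
done
find_hidden_php "$ROOT"
find_injected_includes "$ROOT"
```

Point `ROOT` at a real webroot (and drop the fixture lines) to run the same checks on a suspected site; anything it lists is a file to inspect by hand, not proof by itself.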

Signs the Malware Is Still Active

  • The site returns a 500 error again after cleaning `.htaccess`
  • New PHP files with random names appear in asset folders
  • `.user.ini` contains `auto_prepend_file` that you did not add
  • New Super Administrator accounts appear with `@secure.local` emails

Key Takeaway

Update third-party extensions weekly. This attack was possible because of an outdated extension, not the Joomla core. A single vulnerable extension is enough to compromise an entire hosting account and all sites within it.

Need Help Fixing It?

Contact us by calling or messaging on WhatsApp at +57 3332423060 if you need assistance with this vulnerability. We are here to help, and we speak English.
