After recovering several compromised Joomla websites, I wanted to share the steps we took to successfully clean the systems. Hopefully this may help others facing a similar incident.
>>> Assume the attacker had full administrative access
Do not assume that removing a single malicious file is sufficient.
Perform a complete review of:
Joomla administrator accounts User groups and permissions Access control entries Installed extensions Database integrity 2. Remove all unauthorized administrator accounts
In our case, several unauthorized Super Users had been created.
Verify:
all administrator accounts user groups creation dates last login information
Remove every account you cannot positively identify.
Inspect the database
Besides users, also inspect permission-related tables.
Look for:
orphaned permission records suspicious assets unexpected ACL entries
Attackers may leave persistence mechanisms inside the database.
Restore Joomla core files
Do not rely on individual file cleaning.
Replace Joomla core files with fresh copies from the official Joomla release matching your installed version.
This ensures no modified core files remain.
Inspect uploaded files
Search your web space for:
unexpected PHP files alternative PHP extensions executable scripts in upload locations suspicious configuration files
Do not only search by filename—inspect file contents where necessary.
Remove malicious uploads completely
If an extension-specific upload directory was abused, remove all suspicious content.
If possible, rebuild that directory from a clean installation instead of trying to identify every malicious file individually.
Prevent code execution in upload directories
Where appropriate, configure your web server so uploaded files cannot be executed as PHP.
This significantly limits the impact of future upload vulnerabilities.
Rotate secrets and credentials
After any compromise:
change Joomla secrets change administrator passwords change hosting passwords rotate database credentials if appropriate review SSH keys and API tokens
Assume all credentials may have been exposed.
Review web server logs
Analyze access logs for:
exploitation attempts suspicious POST requests newly created users administrator logins unusual client IPs
This often reveals how the compromise occurred.
Verify the vulnerability has been patched
Cleaning a hacked site without fixing the original vulnerability only leads to reinfection.
Update:
Joomla all extensions all templates
Remove extensions you no longer use.
Create a clean backup only after verification
Do not restore from an unknown backup.
Only create a new backup after:
all malicious files are removed database has been verified administrator accounts have been checked logs no longer show successful exploitation 12. Continue monitoring
Even after cleanup:
monitor web server logs monitor new administrator accounts monitor file changes monitor extension updates
Most internet-facing Joomla sites continue to receive automated scans every day.
Final assessment
In our case, the original compromise was successfully removed.
Subsequent log analysis showed only:
automated vulnerability scanners bot traffic spam account registrations search engine crawlers AI crawlers
There was no evidence of a second successful compromise after the cleanup.
Search scripts used to track this mess can be requested via PN