I have a Joomla site, which was compromised and some sitemap.xml were added to the site. I cleaned everything. Now when checking logs I am seeing 404 for most of the urls. URL pattern are like below: Code: 207.46.13.27 - - [22/Oct/2018:01:44:17 +0530] "GET /zq7G85678Hqj4519Y7m HTTP/1.1" 404 1387 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 157.55.39.156 - - [22/Oct/2018:01:44:27 +0530] "GET /t50280zgY7204j7hd HTTP/1.1" 404 1383 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 157.55.39.156 - - [22/Oct/2018:01:44:29 +0530] "GET /C4136kab4rB29716gb4 HTTP/1.1" 404 1387 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 157.55.39.156 - - [22/Oct/2018:01:44:30 +0530] "GET /t4780ziY6648jyvk HTTP/1.1" 404 1383 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 40.77.167.59 - - [22/Oct/2018:01:44:33 +0530] "GET /1K58772G_4659ebq89 HTTP/1.1" 200 5947 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 40.77.167.59 - - [22/Oct/2018:01:44:35 +0530] "GET /ejY5Mjc5Tkw3MTc5UWwzdzdp HTTP/1.1" 404 1387 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 207.46.13.27 - - [22/Oct/2018:01:44:36 +0530] "GET /cy29364lv8F160J8 HTTP/1.1" 404 1383 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" but for a specific string 200 response is shown. when I visit the site it indeed opens a page showing module variations but the string nowhere exist in my database/filesystem. So how come it is not showing 404 and showing 200 response. How I can resolve this.
most likely the hacker encoded the string somewhere in the code of the site in a way that you can not find it with grep or a similar text search tool. Did you try to scan the site for remnant malware e.g. with ispprotect?
