Hi! on March 28 about 5AM (GMT -3) a Joomla site of a client of mine was compromised. Have to say that the site is hosted on an ISP without ISPConfig. The hacking was about a lot of .htaccess files (about 4500+ copies) that enabled the execution of some PHP files spread through the site directory skeleton. In my review I've found some PHP shells, some tinyfilemanager copies, some joomla files infected with b64 code and so on. I have manually removed all the infected files, restored the hacked ones and removed all the .htaccess files but I want to know if you guys recommend some service, web AV or something similar to double check everything is ok with the site. Thanks! PS: Yes, Joomla is at the latest version and so all 3rd party addons
Restore a backup and make sure you fix the security flaw. Removing infected files always leaves a risk of stuff left behind.
Thanks a lot for your interest! I've finally solved it by installing Imunify AV on my ISPC box, here the details https://forum.howtoforge.com/threads/imunifyav-on-ispconfig.90028/ Then I downloaded a smapshot of the infected site and tested it with IAV.
Here you have the instructions to get it working https://forum.howtoforge.com/threads/imunifyav-on-ispconfig.90028/