controller.php.suspected

MY web site seems to be hacked but I cannot find how?
Probably it's not the right forum to ask some help, but I try
I can see a new file named "file.php" at web site root and in com_flexicontent controller.php is renamed controller.php.suspected, but I can't see any differences with original controller.php

website is www.le-yeti.com

Hello

this question is not specific to FLEXIcontent

- usually the renaming with such an extension is done by antivirus software running on the server,
that scans PHP files, also if the file is not different than the original, then is false positive

- even if file was modified, it may as well be by any other script than run on the server

ask your host provider for more information and post back here

Now i cannot see any malicious JS inside your website,
usually a hacked website will load malicious JS / flash / Java code

Did you have any report that something was found

Also please update Joomla, FLEXIcontent and other 3rd party extensions

Hello

also controller.php contains our files downloads code,
that sets HTTP download headers and reads files from disk (after access checking)

that could trigger a false positive or "suspected" in the antivirus software, and it may be submited to antivirus company for further analysis

about "file.php" , it may be hack not related to the file:
controller.php.suspected

one is suspected and the other can be a real hacker file

Also please update Joomla, FLEXIcontent and other 3rd party extensions

and scan your site with more than 1 antivirus software, and/or ask your host provider

Hello
I upgrade everything and found some SQL injections in redir_links table and disabled plugin system redir.

But my website still send spams though mail is disabled in config.
Log file says
[29-Nov-2015 03:37:14 UTC] mail() on [/home/xxxxxxx/public_html/plugins/flexicontent_fields/core/menu64.php(1963) : eval()'d code:775]: To: austinhammes@gmail.com -- Headers: Date: Sun, 29 Nov 2015 03:37:14 +0000 From: Sandy Harvey Message-ID: X-
There are hundreds of lines
And my controller is renamed .suspected again

Hello

file:
public_html/plugins/flexicontent_fields/core/menu64.php
is not a flexicontent file

and once a website has been hacked, it is difficult to be certain that your do:

1. remove all malicious changes to existing files
eg hacks inside Joomla index.php, etc

2. remove all new malicious files added

3. Correct the original security issue, that allowed website to be hacked
- is it installed Joomla extension ?
- is it server software e.g. PHP ?
e.g. flexicontent.org > 1 year was once in a dedicated server with security whole in old PHP version, and we had to move the website ASAP
if you are in shared or semi-managed VPS server then your provider is doing this for you

4. need to change all admin passwords too, while and after doing the above

The hack will keep coming back until you do all the above

If you/we can find a specific issue with FC we can fix
- also did you access to backend ? or was unwanted access to backend UI ?

also which FC version / Joomla you were using /b]
- at the time that site was hacked
e.g. Joomla prior to 3.4.5 had an important security issue patched by 3.4.5