controller.php.suspected

8 years 4 months ago - 8 years 4 months ago #58738 by ggppdk
Replied by ggppdk on topic controller.php.suspected
Hello

please note that using the OLD db, besides cleaning admin accounts,
may still be (potentially) a security problem

e.g. with malicious JS inside content, that can steal your password during frontend login
...

in FLEXIcontent fields:
- textarea, description, text
there are parameters to strip output or encode it (HTML / JS will become visible)


-- Flexicontent is Free but involves a big effort on our part.
Like our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...
Last edit: 8 years 4 months ago by ggppdk.

8 years 4 months ago #58741 by fgossart
Replied by fgossart on topic controller.php.suspected
I just have this in my Apache logs:
POST /plugins/flexicontent_fields/core/menu64.php

I wonder if I could empty this file, change its owner and make it read-only.
Even if I have to clean every web site, I cannot leave them offline for many days.

8 years 4 months ago #58742 by ggppdk
Replied by ggppdk on topic controller.php.suspected
Hello

is it a shared host ?
what are the folder permissions ?
it should be:
rwx r-x r-x
owner, group, all

temporarily, make the 'plugins' folder have permissions:
r-x r-x r-x


8 years 4 months ago #58746 by fgossart
Replied by fgossart on topic controller.php.suspected
Yes, it's a shared host.
I can still see some POST requests to change the PHP file, but as this file is useless for the website, it is not changed now because of the rights.

Hope it will give me some time.

I will probably set up a full local computer with a distrib and software to restore my backups and scan the files and DB.

Have a nice Sunday and thanks for being so helpful :)

8 years 4 months ago #58807 by fgossart
Replied by fgossart on topic controller.php.suspected
I put an htaccess/htpasswd on the administrator path and most of the hacks are gone.

But I can see in the Apache logs many POSTs such as
POST /templates/atomic/html/mod_menu/alias.php HTTP....

And they create new PHP files. I can't explain how they can POST files and upload (or change) them.
For the moment, each time a hacked file is created I empty it, then chmod and chown it to avoid it being created again.

It will give me some time to download the backup and clean locally as you explained.

But I wonder how POST apache requests can be done
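
The log pattern described in this thread, POST requests to PHP files under /plugins/ and /templates/, can be pulled out of an Apache access log automatically. The script below is an added example, not part of the thread or of FLEXIcontent; it assumes the Apache common/combined log format and that legitimate POSTs on the site only reach /index.php and /administrator/index.php, and its sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: on this Joomla site, legitimate POSTs only reach the front controllers.
ALLOWED_ENTRY_POINTS = {"/index.php", "/administrator/index.php"}

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
PHP_RE = re.compile(r"\.php(?:/|$)", re.IGNORECASE)  # also catches foo.php/extra

def suspicious_posts(lines):
    """Group POSTs to PHP files that are not front controllers, keyed by path."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, decode %xx and collapse '//' before comparing.
        path = re.sub(r"/{2,}", "/", unquote(m["target"].split("?", 1)[0]))
        if path in ALLOWED_ENTRY_POINTS or not PHP_RE.search(path):
            continue
        hit = hits[path]
        hit["count"] += 1
        hit["ips"].add(m["ip"])
        hit["statuses"].add(int(m["status"]))
    return dict(hits)

def still_served(hits):
    """Paths that answered 2xx at least once: a file is still there (an emptied one also returns 200)."""
    return sorted(p for p, h in hits.items() if any(200 <= s < 300 for s in h["statuses"]))

# Constructed sample lines (documentation IP ranges); only the two PHP paths come from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2016:09:12:01 +0100] "POST /plugins/flexicontent_fields/core/menu64.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2016:09:12:05 +0100] "POST /templates/atomic/html/mod_menu/alias.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jan/2016:09:14:40 +0100] "POST /templates/atomic/html/mod_menu/alias.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jan/2016:09:15:02 +0100] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 - "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jan/2016:09:15:03 +0100] "GET /templates/atomic/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = suspicious_posts(SAMPLE_LOG)
    for path, h in sorted(hits.items()):
        print(h["count"], sorted(h["statuses"]), sorted(h["ips"]), path)
    print("still served:", still_served(hits))
```

Paths listed by still_served are the ones to inspect and remove first; paths that only ever returned 403 or 404 show requests that the permission changes or cleanup already block.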

8 years 4 months ago #58808 by ggppdk
Replied by ggppdk on topic controller.php.suspected
Hello

once hacked by any way
- they would have installed php files in various joomla folders

the reason that site was hacked is unknown (e.g. you did not update to J3.4.5 fast enough)
arstechnica.com/security/2015/10/joomla-...mote-takeover-hacks/

and it does not seem to be related to FLEXIcontent

