Website sending spam emails


Post by yaz2411 » Wed Dec 23, 2020 10:46 am

Hello,
My hosting provider (OVH) has been blocking an email address from my website (www.mapapas.com), suspecting it has been hacked.

I can confirm the hack because the mailbox receives undeliverable email notices with the recipient being '[email protected]'.

Steps taken so far:
  • I updated J! to 3.9.23
  • Changed db and FTP passwords
  • Changed admin password
  • Installed RSFirewall
  • Installed Siteguarding antivirus
I don't have a contact form on the site.
I found a strange contact with email address '[email protected]' that I deleted.

Despite all that, the spam emails keep being sent.
This is an e-shop so I obviously can't deactivate the sending of email.

Here is the FPA without the plugins (too big)
Forum Post Assistant (v1.6.2) : 23-Dec-2020 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.23-Stable (Amani) 24-November-2020
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: none | Shared sessions: false | SSL: 0 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.23: Yes | Database Supports J! 3.9.23: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 4.14.154-ovh-vps-grsec-zfs-classid | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 7732.98 GiB |

PHP Configuration :: Version: 7.4.8 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 32759 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 130M | Max. Input Time: -1 | Max. Execution Time: 165 | Memory Limit: 512M

Database Configuration :: Version: 5.6.50-log (Client:mysqlnd 7.4.8) | Database Size: 24.39 MiB | #of Tables with config prefix:  249 | #of other Tables:  0 | User Privileges : GRANT ALL
Detailed Environment :: wrote:PHP Extensions :: Core (7.4.8) | date (7.4.8) | libxml (7.4.8) | openssl (7.4.8) | pcre (7.4.8) | sqlite3 (7.4.8) | zlib (7.4.8) | bcmath (7.4.8) | bz2 (7.4.8) | calendar (7.4.8) | ctype (7.4.8) | curl (7.4.8) | dba (7.4.8) | dom (20031129) | hash (7.4.8) | FFI (7.4.8) | fileinfo (7.4.8) | filter (7.4.8) | ftp (7.4.8) | gd (7.4.8) | gettext (7.4.8) | gmp (7.4.8) | SPL (7.4.8) | iconv (7.4.8) | imagick (3.4.3RC1) | session (7.4.8) | intl (7.4.8) | json (7.4.8) | mbstring (7.4.8) | memcached (3.1.0-dev) | standard (7.4.8) | mysqlnd (mysqlnd 7.4.8) | PDO (7.4.8) | pdo_mysql (7.4.8) | pdo_pgsql (7.4.8) | pdo_sqlite (7.4.8) | pgsql (7.4.8) | Phar (7.4.8) | posix (7.4.8) | pspell (7.4.8) | redis (3.1.2) | Reflection (7.4.8) | imap (7.4.8) | SimpleXML (7.4.8) | soap (7.4.8) | sockets (7.4.8) | sodium (7.4.8) | mongodb (1.5.0-dev) | exif (7.4.8) | sysvmsg (7.4.8) | sysvsem (7.4.8) | sysvshm (7.4.8) | tokenizer (7.4.8) | xml (7.4.8) | xmlreader (7.4.8) | xmlrpc (7.4.8) | xmlwriter (7.4.8) | xsl (7.4.8) | zip (1.15.6) | mysqli (7.4.8) | cgi-fcgi (7.4.8) | ionCube Loader (10.4.1) | Zend OPcache (7.4.8) | Zend Engine (3.4.0) |
Potential Missing Extensions ::
Disabled Functions :: _dyuweyrj4 | _dyuweyrj4r | dl |

Switch User Environment :: PHP CGI: No | Server SU: No | PHP SU: No | Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (705) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 1509383 | Threads: 5 | Questions: 203953647 | Slow queries: 0 | Opens: 16721091 | Flush tables: 1 | Open tables: 64 | Queries per second avg: 135.123 |
Extensions Discovered :: wrote:Components :: Site ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party::

Components :: Admin ::
Core :: com_search (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_plugins (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_banners (3.0.0) 1 | com_privacy (3.9.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_newsfeeds (3.0.0) 0 | com_fields (3.7.0) 1 | com_joomlaupdate (3.6.2) 1 | com_contenthistory (3.2.0) 1 | com_templates (3.0.0) 1 | com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | com_config (3.0.0) 1 | com_menus (3.0.0) 1 | com_finder (3.0.0) 1 | com_tags (3.1.0) 1 | com_weblinks (3.7.0) 1 | com_users (3.0.0) 1 | com_content (3.0.0) 1 | com_messages (3.0.0) 1 | com_installer (3.0.0) 1 | com_associations (3.7.0) 1 | com_modules (3.0.0) 1 | com_languages (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_postinstall (3.2.0) 1 | com_cache (3.0.0) 1 | com_redirect (3.0.0) 1 |
3rd Party:: HikaShop (3.5.1) 1 | Hikashop PayJunction Payment Plugin (4.4.0) ? | Hikashop adyen Payment Plugin (3.2.1) ? | HikaShop Shipping Manual - Price pe (4.4.0) ? | Hikashop Common Joomla Payment API (4.4.0) ? | Hikashop Group Plugin (4.4.0) ? | HikaShop Dashboard (4.4.0) 1 | Hikashop CardSave Payment Plugin (4.4.0) ? | Hikashop Monetico Payment Plugin (4.4.0) ? | Hikashop PayPlug v2 payment plugin (4.4.0) ? | HikaShop Payment Notification plugi (4.4.0) ? | User - HikaShop (4.4.0) ? | Hikashop Alipay Payment Plugin (4.4.0) ? | Hikashop Wishlist Module (4.4.0) ? | Hikashop Borgun payment plugin (4.4.0) ? | Hikashop Currency Switcher Module (4.4.0) ? | Ogone Payment Plugin (4.4.0) ? | Hikashop TaxCloud Plugin (4.4.0) 0 | Hikashop - VirtueMart Fallback Redi (4.4.0) ? | Hikashop Bank Transfer Payment Plug (4.4.0) ? | Hikashop westpacapi Payment Plugin (1.0) ? | Hikashop Beanstream Payment Plugin (4.4.0) ? | Hikashop Massaction User Plugin (4.4.0) 1 | Hikashop Paypal Payment Plugin (4.4.0) ? | Hikashop eWAY Payment Plugin (4.4.0) ? | Hikashop eSelect Payment Plugin (4.4.0) ? | Hikashop MasterCard Internet Gatewa (4.4.0) ? | Hikashop iVeri Payment Plugin (4.4.0) ? | Hikashop Payza Payment Plugin (4.4.0) ? | Hikashop USPS Shipping Plugin (4.4.0) ? | Hikashop ATOS SIPS 2.0 Payment Plug (4.4.0) ? | Hikashop no SSL outside checkout Pl (4.4.0) ? | Hikashop Purchase Order Payment Plu (4.4.0) ? | Hikashop - Redshop Fallback Redirec (4.4.0) ? | Hikashop Google Products Plugin (4.4.0) 1 | HikaShop Quick Icon (4.4.0) ? | Hikashop iPayDNA Payment Plugin (4.4.0) ? | Hikashop Registration Redirect Plug (4.4.0) ? | Hikashop PayU India Payment Plugin (4.4.0) ? | Hikashop Servired Payment Plugin (4.4.0) ? | System - Hikashop Social Plugin (4.4.0) ? | Hikashop Payment Express Payment Pl (4.4.0) ? | Hikashop Paygate Payment Plugin (4.4.0) ? | HikaShop Google Dynamic Remarketing (4.4.0) ? | Hikashop Moneybookers Payment Plugi (4.4.0) ? | Hikashop CyberMuth CIC Payment Plug (4.4.0) ? 
| Hikashop Western Union Payment Plug (4.4.0) ? | Hikashop Be2Bill Payment Plugin (4.4.0) ? | Hikashop CANADA POST Shipping Plugi (4.2.1) ? | Hikashop Content Parser - Markdown (4.4.0) ? | HikaShop: Date Picker Custom Field (4.4.0) ? | Hikashop Authorize.net Payment Plug (4.4.0) ? | HikaShopCustom Price plugin (4.4.0) ? | Hikashop PayPlug payment plugin (4.4.0) ? | Hikashop SIPS ATOS Payment Plugin (4.4.0) ? | Hikashop - Mijoshop Fallback Redire (4.4.0) ? | Hikashop Google Checkout Payment Pl (4.4.0) ? | Hikashop out of order notification (4.4.0) ? | Hikashop Geolocation Plugin (4.4.0) ? | Hikashop WorldNetTPS Payment Plugin (4.4.0) ? | Hikashop ePay Payment Plugin (4.4.0) ? | Hikashop Bluepaid Payment Plugin (4.4.0) ? | Search - Hikashop Categories/Manufa (4.4.0) ? | AcyMailing Tag : HikaShop content (4.4.0) ? | Hikashop googlewallet Payment Plugi (1.0) ? | Hikashop Validate free order Plugin (4.4.0) ? | Hikashop Shop Close Hours Plugin (4.4.0) ? | Hikashop payfast Payment Plugin (4.4.0) ? | Hikashop Massaction Order Plugin (4.4.0) 1 | Hikashop Massaction Address Plugin (4.4.0) 1 | Hikashop Massaction Category Plugin (4.4.0) 1 | Hikashop AcyMailing Plugin (4.4.0) ? | Hikashop Orders Automatic Cancel Pl (4.4.0) ? | Hikashop FedEx Shipping Plugin (4.4.0) ? | Hikashop Filtering Module (4.4.0) ? | Hikashop Postfinance Payment Plugin (4.4.0) ? | HikaShop Product TAG translation (4.4.0) ? | System - HikaShop Affiliate (4.4.0) ? | Hikashop Australia Post eDeliver Sh (4.2.1) ? | Smart Search - HikaShop Products (4.4.0) 1 | Hikashop - Kashflow invoice synchro (4.4.0) ? | Hikashop UserPoints Plugin (4.4.0) ? | Hikashop UPS Shipping Plugin (4.4.0) ? | Hikashop User account Plugin (4.4.0) ? | Hikashop Email History Plugin (4.4.0) 1 | Hikashop Product Tag (4.4.0) ? | Hikashop HSBC Payment Plugin (4.4.0) ? | Hikashop Check Payment Plugin (4.4.0) ? | Hikashop Credit Card Payment Plugin (4.4.0) ? | Hikashop FirstData Payment Plugin (4.4.0) ? 
| Hikashop CANPAR Shipping Plugin (1.0.0) ? | Hikashop Paypal Advanced payment pl (4.4.0) ? | Hikashop Collect On Delivery Paymen (4.4.0) ? | Hikashop Massaction Product Plugin (4.4.0) 1 | HikaShop Product TAG insertion (4.4.0) ? | Hikashop Paypal Website Payments Pr (4.4.0) ? | Hikashop Cart Module (4.4.0) ? | Hikashop Paypal Express Checkout Pa (4.4.0) ? | Hikashop Paypal Pro Payment Plugin (4.4.0) ? | Hikashop Add to Cart notification P (4.4.0) ? | Hikashop Paybox Plugin (4.4.0) ? | Search - Hikashop Products (4.4.0) ? | System - HikaShop Mass Action (4.4.0) ? | Hikashop WaitList notification Plug (4.4.0) ? | Hikashop - Product Cron Update (4.4.0) ? | Hikashop Currency Rates Plugin (4.4.0) ? | HikaShop tax calculations override (4.0.1) ? | Hikashop History Plugin (4.4.0) ? | Hikashop Nets NETAXEPT Payment Plug (4.4.0) ? | Hikashop Australia Post eDeliver Sh (4.4.0) ? | Hikashop PaymentExpress (PxPay) Plu (4.4.0) ? | Hikashop UserPoints Payment Plugin (4.4.0) ? | Hikashop Module (4.4.0) ? | Hikashop Google Analytics Plugin (4.4.0) ? | Hikashop Manual Shipping Plugin (4.4.0) ? | Hikashop Virtual Merchant (Elavon) (4.4.0) ? | HikaShop (4.4.0) 1 | com_vertexupdate (1.0.1) 1 | RSFirewall! (3.0.2) 1 | AcyMailing (5.10.18) 1 | AcyMailing (5.10.4) 1 | AcyMailing Editor (5.10.18) 1 | AcyMailing Tag : Date / Time (5.10.18) 1 | AcyMailing table of contents genera (1.0.0) ? | AcyMailing Tag : Manage the Subscri (5.10.18) ? | AcyMailing Manage text (1.0.0) 1 | AcyMailing : (auto)Subscribe during (5.10.18) ? | AcyMailing Tag : Website links (3.7.0) 1 | AcyMailing Tag and filter : Communi (3.7.2) ? | AcyMailing Tag and filter : Communi (3.7.2) ? | AcyMailing Template Class Replacer (5.10.18) 1 | AcyMailing : share on social networ (1.0.0) ? | AcyMailing Tag : Joomla User Inform (5.10.18) ? | AcyMailing 5 module (3.7.0) ? | AcyMailing Tag : content insertion (3.7.0) 1 | AcyMailing : Statistics Plugin (3.7.0) 1 | AcyMailing Tag : Subscriber informa (5.10.18) ? 
| AcyMailing JCE integration (5.10.18) 1 | AcyMailing : trigger Joomla Content (3.7.0) ? | COM_JANTIVIRUS (5.3) 1 | com_phocacommander (3.0.5) 1 | com_widgetkit (2.9.26) 1 | bdthemes_shortcodes (2.3.1) 1 | com_profiles (1.5.0) 0 |

Modules :: Site ::
Core :: mod_menu (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_weblinks (3.7.0) 1 | mod_articles_categories (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_category (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_syndicate (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_login (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_languages (3.5.0) 1 |
3rd Party:: AcyMailing Module (3.7.0) 1 | S5 Box (5.0.0) 1 | Hikashop Cart Module (4.4.0) ? | Hikashop Currency Switcher Module (4.4.0) ? | Hikashop Wishlist Module (4.4.0) ? | S5 Accordion Menu (2.1.0) 1 | S5 Vertical Accordion (3.0.0) 1 | Hikashop Module (4.4.0) ? | S5 Image Slide (4.0.0) 1 | Hikashop Filtering Module (4.4.0) ? | S5 Image and Content Fader v3 (3.2.0) 1 | S5 Tab Show (2.0.0) 1 | S5 Quick Contact (4.3.3) 0 | AddToAny Buttons (1.0.1) 1 | Widgetkit (2.9.26) 1 | S5 Register (4.0.2) 1 |

Modules :: Admin ::
Core :: mod_privacy_dashboard (3.9.0) 1 | mod_login (3.0.0) 1 | mod_title (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_version (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_menu (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_status (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_toolbar (3.0.0) 1 |
3rd Party:: mod_jantivirus (2.5.0) 1 | RSFirewall! Control Panel Module (1.4.0) 1 | HikaShop Dashboard (4.4.0) 1 |

Libraries ::
Core ::
3rd Party:: Free Mono (-) ? | Helvetica (-) ? | Regular Labs Library (20.9.11663) 1 |

Templates Discovered :: wrote:Templates :: Site :: beez_20 (2.5.0) 1 | beez5 (2.5.0) 1 | atomic (2.5.0) 1 | beez3 (3.1.0) 1 | no1_shopping (1.0) 1 | protostar (1.0) 1 |
Templates :: Admin :: isis (1.0) 1 | bluestork (2.5.0) 1 | hathor (3.0.0) 1 |
Here is the FPA with only the plugins:
Forum Post Assistant (v1.6.2) : 23-Dec-2020 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.23-Stable (Amani) 24-November-2020
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: none | Shared sessions: false | SSL: 0 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.23: Yes | Database Supports J! 3.9.23: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 4.14.154-ovh-vps-grsec-zfs-classid | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 7731.87 GiB |

PHP Configuration :: Version: 7.4.8 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 32759 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 130M | Max. Input Time: -1 | Max. Execution Time: 165 | Memory Limit: 512M

Database Configuration :: Version: 5.6.50-log (Client:mysqlnd 7.4.8) | Database Size: 24.39 MiB | #of Tables with config prefix:  249 | #of other Tables:  0 | User Privileges : GRANT ALL
Detailed Environment :: wrote:PHP Extensions :: Core (7.4.8) | date (7.4.8) | libxml (7.4.8) | openssl (7.4.8) | pcre (7.4.8) | sqlite3 (7.4.8) | zlib (7.4.8) | bcmath (7.4.8) | bz2 (7.4.8) | calendar (7.4.8) | ctype (7.4.8) | curl (7.4.8) | dba (7.4.8) | dom (20031129) | hash (7.4.8) | FFI (7.4.8) | fileinfo (7.4.8) | filter (7.4.8) | ftp (7.4.8) | gd (7.4.8) | gettext (7.4.8) | gmp (7.4.8) | SPL (7.4.8) | iconv (7.4.8) | imagick (3.4.3RC1) | session (7.4.8) | intl (7.4.8) | json (7.4.8) | mbstring (7.4.8) | memcached (3.1.0-dev) | standard (7.4.8) | mysqlnd (mysqlnd 7.4.8) | PDO (7.4.8) | pdo_mysql (7.4.8) | pdo_pgsql (7.4.8) | pdo_sqlite (7.4.8) | pgsql (7.4.8) | Phar (7.4.8) | posix (7.4.8) | pspell (7.4.8) | redis (3.1.2) | Reflection (7.4.8) | imap (7.4.8) | SimpleXML (7.4.8) | soap (7.4.8) | sockets (7.4.8) | sodium (7.4.8) | mongodb (1.5.0-dev) | exif (7.4.8) | sysvmsg (7.4.8) | sysvsem (7.4.8) | sysvshm (7.4.8) | tokenizer (7.4.8) | xml (7.4.8) | xmlreader (7.4.8) | xmlrpc (7.4.8) | xmlwriter (7.4.8) | xsl (7.4.8) | zip (1.15.6) | mysqli (7.4.8) | cgi-fcgi (7.4.8) | ionCube Loader (10.4.1) | Zend OPcache (7.4.8) | Zend Engine (3.4.0) |
Potential Missing Extensions ::
Disabled Functions :: _dyuweyrj4 | _dyuweyrj4r | dl |

Switch User Environment :: PHP CGI: No | Server SU: No | PHP SU: No | Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (705) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |
Extensions Discovered :: wrote:





Plugins ::
3rd Party:: HikaShop Quick Icon (4.4.0) ? | AcyMailing Editor (5.10.4) 1 | plg_editors_tinymce (4.5.12) 1 | plg_editors_codemirror (5.56.0) 1 | HikaShop Product TAG insertion (4.4.0) ? | plg_editors-xtd_modulesanywhere (7.11.2) 1 | Button - Shortcodes Ultimate (2.0.1) 1 | Editors-XTD - Widgetkit (2.9.26) 1 | Hikashop Group Plugin (4.4.0) ? | Hikashop Massaction Address Plugin (4.4.0) 1 | Hikashop Orders Automatic Cancel Pl (4.4.0) ? | Hikashop History Plugin (4.4.0) ? | Hikashop Shop Close Hours Plugin (4.4.0) ? | Hikashop Massaction User Plugin (4.4.0) 1 | Hikashop - Kashflow invoice synchro (4.4.0) ? | HikaShop Shipping Manual - Price pe (4.4.0) ? | Hikashop Content Parser - Markdown (4.4.0) ? | Hikashop Email History Plugin (4.4.0) 1 | Hikashop Massaction Product Plugin (4.4.0) 1 | Hikashop Google Products Plugin (4.4.0) 1 | Hikashop out of order notification (4.4.0) ? | HikaShop: Date Picker Custom Field (4.4.0) ? | Hikashop Validate free order Plugin (4.4.0) ? | Hikashop Massaction Category Plugin (4.4.0) 1 | Hikashop - Product Cron Update (4.4.0) ? | Hikashop Add to Cart notification P (4.4.0) ? | Hikashop User account Plugin (4.4.0) ? | Hikashop Massaction Order Plugin (4.4.0) 1 | Hikashop TaxCloud Plugin (4.4.0) 0 | Hikashop AcyMailing Plugin (4.4.0) ? | Hikashop UserPoints Plugin (4.4.0) ? | Hikashop Currency Rates Plugin (4.4.0) ? | Hikashop WaitList notification Plug (4.4.0) ? | Hikashop Common Joomla Payment API (4.4.0) ? | Hikashop Paypal Payment Plugin (4.4.0) ? | Ogone Payment Plugin (4.4.0) ? | Hikashop e-COM Easypay Payment Plug (1.2.0) ? | Hikashop Stripe Payment Plugin (1.0.2) 0 | Hikashop Quipu Payment Plugin (1.0.0) 0 | Hikashop Credit Card Payment Plugin (4.4.0) ? | Installer - YOOtheme (1.0.3) 1 | plg_installer_rsfirewall (1.0.0) 1 | AddToAny Share Buttons (1.4.1) 1 | plg_content_shortcode_ultimate (1.0.0) 1 | Content - Widgetkit (2.9.26) 1 | Content - Fast Social Share (3.8) 0 | Hikashop Manual Shipping Plugin (4.4.0) ? 
| Search - Hikashop Products (4.4.0) ? | Search - Remove Shortcode (1.1.0) 1 | Search - Hikashop Categories/Manufa (4.4.0) ? | plg_user_domainrestriction (2.5.3) 1 | Smart Search - HikaShop Products (4.4.0) 1 | AcyMailing Tag : HikaShop content (4.4.0) ? | AcyMailing : Statistics Plugin (3.7.0) 1 | AcyMailing Tag : content insertion (3.7.0) 1 | AcyMailing : trigger Joomla Content (3.7.0) ? | AcyMailing Tag : Website links (3.7.0) 1 | AcyMailing Tag : Date / Time (5.10.4) 1 | AcyMailing Tag and filter : Communi (3.7.2) ? | AcyMailing Tag and filter : Communi (3.7.2) ? | AcyMailing Tag : Subscriber informa (5.10.4) ? | AcyMailing : share on social networ (1.0.0) ? | AcyMailing Template Class Replacer (5.10.4) 1 | AcyMailing table of contents genera (1.0.0) ? | AcyMailing Manage text (1.0.0) 1 | AcyMailing Tag : Joomla User Inform (5.10.4) ? | AcyMailing Tag : Manage the Subscri (5.10.4) ? | Hikashop Google Analytics Plugin (4.4.0) ? | JUX Coming Soon (1.0.5) 0 | System - S5 Flex Menu (1.0) 1 | System - Hikashop Social Plugin (4.4.0) ? | Hikashop Registration Redirect Plug (4.4.0) ? | Shortcode Ultimate (3.9.5) 1 | plg_system_modulesanywhere (7.11.2) 1 | System - Widgetkit ZOO (2.9.26) 0 | PLG_SYSTEM_SSLREDIRECT (0.11.3) 1 | System - Widgetkit (2.9.26) 1 | User - HikaShop (4.4.0) ? | System - HikaShop Mass Action (4.4.0) ? | AcyMailing : (auto)Subscribe during (5.10.4) ? | HikaShopCustom Price plugin (4.4.0) ? | System - HikaShop Affiliate (4.4.0) ? | Hikashop Product Tag (4.4.0) ? | HikaShop tax calculations override (4.0.1) ? | System - Google Analytics (4.6.1) 1 | AMAZON (3.0.18) ? | plg_system_regularlabs (20.9.11663) 1 | HikaShop Payment Notification plugi (4.4.0) ? | System - RSFirewall! Active Scanner (1.4.0) 1 | HikaShop Product TAG translation (4.4.0) ? | System - Widgetkit K2 (2.9.26) 0 | Hikashop - Mijoshop Fallback Redire (4.4.0) ? | Hikashop Geolocation Plugin (4.4.0) ? | Hikashop no SSL outside checkout Pl (4.4.0) ? 
| Hikashop - Redshop Fallback Redirec (4.4.0) ? | AcyMailing JCE integration (5.10.4) 1 | HikaShop Google Dynamic Remarketing (4.4.0) ? |
Templates Discovered :: wrote:Templates :: Site :: no1_shopping (1.0) 1 |
Templates :: Admin ::
Could you please help?
I'm at a loss here.
Thanks
Last edited by toivo on Wed Dec 23, 2020 12:10 pm, edited 1 time in total.
Reason: mod note: disabled smilies in post Options for readability


Post by pe7er » Wed Dec 23, 2020 11:30 am

yaz2411 wrote: Wed Dec 23, 2020 10:46 am Hello,
My hosting provider (OVH) has been blocking an email address from my website (www.mapapas.com), suspecting it has been hacked.

I can confirm the hack because the mailbox receives undeliverable email notices with the recipient being '[email protected]'.
Actually, everybody can send e-mail from '[email protected]' to some other address [email protected].
And if the other address "someone" does not exist or "example.com" does not accept the mail, the "example.com" mail server can send a bounce mail notification, which will be sent to '[email protected]'.

Therefore I'd recommend checking how the spam mail was sent.
Can you inspect the mail header of the spam mail that was bounced?
Can you see if they used the IP address of your mail server?

Does your website send its email via SMTP or PHP mailer? (see Site > Global Configuration)
Do you use anti spam measures like SPF, DKIM, DMARC?
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
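
The header check suggested in the post above, as an added example that is not part of the original thread: it walks the `Received` chain of a bounced message and reports whether the mail passed through your own mail server and which host submitted it. The sample messages, host names and IP addresses are constructed placeholders, and the `Authenticated sender:` comment is an assumption about how the provider's server annotates its `Received` line.

```python
import email
import ipaddress
import re
from email import policy

# Constructed samples: the original message as quoted inside a bounce notice.
# Every host name and address is a placeholder (example.* / RFC 5737 ranges).
SENT_VIA_OWN_SERVER = """\
Received: from smtp.provider.example (smtp.provider.example [203.0.113.25])
\tby mx.recipient.example with ESMTPS id 9f8e7d;
\tWed, 23 Dec 2020 09:31:05 +0000
Received: from web01.shop.example (web01.shop.example [192.0.2.10])
\t(Authenticated sender: shop@shop.example)
\tby smtp.provider.example with ESMTPSA id 4D1xyz;
\tWed, 23 Dec 2020 10:31:02 +0100
From: shop@shop.example
To: someone@recipient.example
Subject: constructed sample
Date: Wed, 23 Dec 2020 10:31:01 +0100

body
"""

SPOOFED_ELSEWHERE = """\
Received: from unknown.host.example (unknown.host.example [198.51.100.99])
\tby mx.recipient.example with ESMTP id 1a2b3c;
\tWed, 23 Dec 2020 09:40:00 +0000
From: shop@shop.example
To: someone@recipient.example
Subject: constructed sample

body
"""

FROM_RE = re.compile(r"from\s+(\S+)\s+\([^\[\]()]*?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
AUTH_RE = re.compile(r"Authenticated sender:\s*([^)\s]+)", re.I)


def _ip(text):
    """Return an ip_address object, or None if the text is not an IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def received_hops(raw_message):
    """Parse Received headers into hops, oldest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    # Each server prepends its header, so the last one in the file is the oldest.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold and normalise whitespace
        m_from, m_by, m_auth = FROM_RE.search(text), BY_RE.search(text), AUTH_RE.search(text)
        hops.append({
            "from_host": m_from.group(1) if m_from else None,
            "from_ip": _ip(m_from.group(2)) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "auth": m_auth.group(1) if m_auth else None,
        })
    return hops


def origin_report(raw_message, mail_server_ips, web_server_ips):
    """Answer: did the message leave through my mail server, and who submitted it?"""
    mail_ips = {ipaddress.ip_address(i) for i in mail_server_ips}
    web_ips = {ipaddress.ip_address(i) for i in web_server_ips}
    hops = received_hops(raw_message)
    first = hops[0] if hops else {"from_ip": None, "auth": None}
    return {
        # A later hop that received the mail *from* your mail server's IP means
        # the message really went out through it (not just a forged From:).
        "via_own_mail_server": any(h["from_ip"] in mail_ips for h in hops),
        # Only headers written by servers you trust are reliable; anything
        # below the first trusted hop can be forged by the sender.
        "submitted_from": str(first["from_ip"]) if first["from_ip"] else None,
        "submitted_by_website": first["from_ip"] in web_ips,
        "authenticated_as": first["auth"],
    }


if __name__ == "__main__":
    for name, raw in (("own server", SENT_VIA_OWN_SERVER), ("spoofed", SPOOFED_ELSEWHERE)):
        print(name, origin_report(raw, ["203.0.113.25"], ["192.0.2.10"]))
```

If the submitting IP is the web server, the site itself is sending; if the message went out through your mail server from some other IP with your account name, the SMTP credentials are being used from elsewhere.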


Post by yaz2411 » Wed Dec 23, 2020 2:52 pm

Thank you for your answer.
By checking the header, it looks like the spam mail was sent using my mail server.

SPF is active.

The website sends its email via SMTP (SSL/TLS).

Another info that could be relevant: the email address is blocked at OVH only when I add the password under Global Configuration → Server → Mail settings.
I tried just resetting the password at OVH level and the email address has not been blocked for the last hour. Usually it happens in the +/-15 minutes after the reset AND when I update the Mail settings.


Post by pe7er » Wed Dec 23, 2020 3:07 pm

Ok, so there might be some non-core extension that is vulnerable for sending spam.
Or maybe there's some backdoor script installed that is sending the spam.
To find out what is used to send the spam you could analyze the server access logs or the PHP code in your website:

Analyze server logs
Do you have access to the (Apache?) server logs?
If so, you could check which scripts (URLs) have been used to send the spam.
Check the sent date of the spam and check the server logs at that date/time.

Analyse PHP code
Another (more technical!) approach is to analyse the code of all PHP scripts in your website.
If the spammer uses Joomla's SMTP settings to mail the spam, then they use Joomla's mailer object.
Create a backup (using Akeeba Backup) and restore it at your local computer.
Use an IDE (Netbeans, Notepad++ or the commercial IDE PHPStorm) to search for

->Send();
to see where the "Send" method of Joomla's getMailer() method is used.
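
The log check described in the post above, as an added example that is not part of the original thread: it takes the `Date` header of a bounced spam message and lists the PHP requests in an Apache combined-format access log that fall within a few minutes of it. The log lines, the script path `/images/stories/x1.php` and the IP addresses are constructed; treating only `/index.php` and `/administrator/index.php` as normal Joomla entry points is a heuristic assumed here.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Apache "combined" log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumption: requests to a Joomla 3 site normally go through these two scripts.
ENTRY_POINTS = {"/index.php", "/administrator/index.php"}

# Constructed sample log lines (placeholder IPs, hypothetical script path).
ACCESS_LOG = """\
203.0.113.5 - - [23/Dec/2020:10:12:44 +0100] "GET /index.php?option=com_hikashop HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
198.51.100.23 - - [23/Dec/2020:10:29:58 +0100] "POST /images/stories/x1.php HTTP/1.1" 200 312 "-" "python-requests/2.25"
203.0.113.5 - - [23/Dec/2020:10:30:10 +0100] "POST /index.php?option=com_hikashop&ctrl=checkout HTTP/1.1" 303 - "-" "Mozilla/5.0"
198.51.100.23 - - [23/Dec/2020:10:30:59 +0100] "POST /images/stories/x1.php HTTP/1.1" 200 298 "-" "python-requests/2.25"
203.0.113.9 - - [23/Dec/2020:11:45:00 +0100] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()


def requests_near(log_lines, spam_date_header, window_minutes=5):
    """Return PHP requests logged within +/- window_minutes of the spam's Date."""
    sent = parsedate_to_datetime(spam_date_header)  # timezone-aware datetime
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        script = m["path"].split("?", 1)[0]
        if not script.lower().endswith(".php"):
            continue
        if abs(ts - sent) > window:
            continue
        hits.append({
            "time": ts,
            "ip": m["ip"],
            "method": m["method"],
            "script": script,
            "status": int(m["status"]),
            "entry_point": script in ENTRY_POINTS,
        })
    # Scripts outside the normal entry points come first (possible backdoor),
    # but entry-point requests are kept: a vulnerable extension is reached
    # through index.php, so those lines matter as well.
    hits.sort(key=lambda h: (h["entry_point"], h["method"] != "POST", h["time"]))
    return hits


if __name__ == "__main__":
    for h in requests_near(ACCESS_LOG, "Wed, 23 Dec 2020 10:31:01 +0100"):
        flag = "" if h["entry_point"] else "  <-- not a Joomla entry point"
        print(h["time"].isoformat(), h["ip"], h["method"], h["script"], h["status"], flag)
```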


Post by Jim007 » Mon Dec 28, 2020 4:36 pm

I had this also, and I found in the contact form that is send a copy to yourself - disable that! I had same issues and 1and1 or ionos called me out on it and actually helped me figure it out.


Post by Webdongle » Mon Dec 28, 2020 5:52 pm

If you have been hacked then the hack files will still be on the server and the hackers will have stolen your new passwords. Yes, hackers plural because the original hacker will undoubtedly have posted the hack on hack forums.

Please see viewtopic.php?f=714&t=946026
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


Post by sozzled » Mon Dec 28, 2020 9:24 pm

It would be really nice if people read carefully what other people write on this forum. For example,
pe7er wrote: Wed Dec 23, 2020 11:30 am... everybody can send e-mail from '[email protected]' to some other address [email protected].
In other words, anyone (or everybody) could impersonate [email protected] and send spam to anyone. This doesn't mean (as @Webdongle suggested) that someone's hacked into the mail server used by forum.joomla.org or someone's necessarily hacked into anyone's mail server. As @pe7er wrote earlier, one needs to check the message header of the inbound email to identify the source.

Another thing:
Jim007 wrote: Mon Dec 28, 2020 4:36 pm I had this also, and I found in the contact form that is send a copy to yourself - disable that! I had same issues and [webhosting company 1] or [webhosting company 2] called me out on it and actually helped me figure it out.
The OP does not have a contact form at their website. So, while contact forms are often a source of nuisance email and spam (and that's one reason why I don't use them), this is not applicable to the situation. What may be applicable is the fact that the OP's website displays, in clear text, an email address and because of the ability to spoof email, this could be a potential for spam.

Most of us get spam email—for all kinds of reasons ranging from nuisance advertising to potentially dangerous identity theft and financial scams—and most of us deal with it in the usual way. Sometimes webhosting partners—whether acting to protect their interests or those of their customers or just to sell something "extra"—notify their customers of suspicious email activity. Sometimes those suspicions turn out to be insecure websites that have been successfully penetrated by evil-doers and sometimes those suspicions turn out to be innocent, harmless, and easily explained. There's no common thread in these things.

Ultimately, if a website is vital to someone's business—isn't that true for all of us?—we have to pause, deal with these things, engage a professional (perhaps) or relocate and start over somewhere else. I don't know the answer. None of us is immune (and anyone who pretends they are is deluding themselves). Even the best, most secure website in the world could be compromised given the right circumstances. C'est la vie. 8)


Post by Webdongle » Mon Dec 28, 2020 10:52 pm

sozzled wrote: Mon Dec 28, 2020 9:24 pm . This doesn't mean (as @Webdongle suggested) that someone's hacked into the mail server used by forum.joomla.org or someone's necessarily hacked into anyone's mail server.
@sozzled
It is you who needs to read carefully because I didn't suggest that at all. You need to read more carefully. I clearly said "If you have been hacked". That is not 'suggesting he has been hacked', it is simply a response to the actions that the OP stated in their post.