Hold on. Caffeine just kicked in.
So far I assumed that you were right in your assessment that a. you were hacked and b. there is no log trace. However, something doesn't add up. A real attacker with the ability to upload arbitrary files to your site (even just into images) would NOT be defacing your site. They would've uploaded a web shell script at the low end of skill level, or a custom script to thoroughly hack you if they are good. Defacing is something 15 year olds do to boast to their friends that they're l33t h4x0rz or something. It's also what disgruntled ex-employees/-interns/-volunteers do, at least when their IQ would be room temperature or lower. But I digress.
The lowest hanging fruit is stolen / leaked / easily guessable credentials on user accounts with access to the media manager. Find 'em, round 'em up, force 'em to reset their password, and enforce MFA. I contributed the MFA code to Joomla, including the option to force specific groups to use MFA to continue using the site.
Another thing to check is whether legitimate access goes too far. For example, it's pretty easy to mess up JCE's media manager configuration, allowing everyone with access to an editor box on a public page (e.g. a Guest or Registered user accessing a contact page) to upload images anywhere, essentially allowing everyone and their dog to overwrite images. In your logs it looks like any other legitimate image upload. There's an option in JCE to limit each user to their own subdirectory which needs to be explicitly enabled in this use case.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
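
Added example, not part of the reply above and not Joomla or JCE code: since an overwrite through the media manager looks like any other upload in the access log, the media directory itself can be audited for the two outcomes the reply describes, a script placed among the images or a legitimate image replaced. The function names, the cutoff time and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading bytes expected per image extension (short table, not exhaustive).
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
SCRIPT_EXTS = {"php", "phtml", "phar", "pht"}

def audit_media_dir(root, since_epoch):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            parts = name.lower().split(".")[1:]
            with open(path, "rb") as fh:
                data = fh.read()
            # Executable extension anywhere in the name, e.g. x.php.jpg
            if SCRIPT_EXTS.intersection(parts):
                findings.append((rel, "script-extension"))
            # PHP open tag inside a file stored in the media directory
            if b"<?php" in data.lower():
                findings.append((rel, "embedded-php"))
            ext = "." + parts[-1] if parts else ""
            if ext in MAGIC and not data.startswith(MAGIC[ext]):
                findings.append((rel, "magic-mismatch"))
            # A defaced image is still a valid image; mtime is the only tell
            if os.path.getmtime(path) >= since_epoch:
                findings.append((rel, "modified-since-cutoff"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree and audit it."""
    root = tempfile.mkdtemp()
    samples = {  # name: (content, mtime), all constructed
        "logo.png": (b"\x89PNG\r\n\x1a\n" + b"\0" * 16, 1_000),
        "banner.jpg": (b"\xff\xd8\xff\xe0" + b"\0" * 16, 5_000),
        "x.php.jpg": (b"\xff\xd8\xff\xe0<?php /* placeholder */ ?>", 1_000),
        "note.gif": (b"plain text, not a GIF", 1_000),
    }
    for name, (content, mtime) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return audit_media_dir(root, since_epoch=4_000)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:22} {rel}")
```

Run against a copy of the site's images directory with the cutoff set just before the suspected change; a replaced image only shows up under `modified-since-cutoff`, so compare those hits against a known-good backup.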