Skip to main content
mySites.guru

Active Joomla security alerts: Helix3 File WriteJCE Profiles HackPageBuilder CK RCEiCagenda VulnerabilitySP Page Builder Zero Day

Suspect Content vs Hacked Files: Two mySites.guru Tools, One Big Difference

Suspect Content vs Hacked Files: Two mySites.guru Tools, One Big Difference

Your audit finishes and you go looking at the files it flagged. mySites.guru now hands you two separate tools for this, not one list. One of them, Suspect content, is a pile of files worth a look. The other, Hacked files, is a pile of files that are hacked, full stop. Knowing which tool you’re in changes what you do next.

The big difference comes down to how a file lands in each tool. Suspect content matches on the file’s content. Hacked files matches on the file’s hash. That one distinction is why they’re separate, and it’s worth a minute to understand before you start deleting anything. If your sites aren’t connected yet, a free security audit will show you both tools against your own webspace.

Two tools, one source scan

Every mySites.guru audit reads every file in your webspace, every line, including the dormant files a browser-based scanner never sees. The full mechanics of the scan are a post of their own. From that one scan, two different detection methods feed two different tools:

  • Suspect content: the file’s content matches one or more of 2,000+ hand-written hack patterns. Translation: worth a look. This is a heuristic, and false positives are expected.
  • Hacked files: the file’s MD5 hash matches a file already confirmed as hacked. Translation: confirmed. This is a fact, with no false positives.

You’ll find both sitting next to each other under the Hacked group in your audit:

The mySites.guru Hacked tools group showing Check Suspect Patterns Matched Content In Files and Hacked Files (100% Certain) as two separate tools

These two used to share a list. Giving each its own tool means you never again confuse a file that needs a human eye with a file that has already been condemned.

One thing surprises people: the Suspect content tool may well contain hacked files. Not files we’ve cleared, files we simply haven’t confirmed yet. A backdoor dropped on your site this morning matches our patterns the moment we scan it, so it shows up under Suspect content. It only moves to the Hacked files tool once its exact hash is on our confirmed list, which happens after a human or the AI reviews it. Suspect content is the inbound net. Hacked files is everything that net has already caught and condemned.

What does a suspect content match actually mean?

A suspect content match means a file in your webspace contains code matching at least one of more than 2,000 patterns built from real hacks found on real Joomla and WordPress sites over two decades. It does not mean the file is malicious. It means the file uses code that hackers also use, and it deserves a look.

Hackers write in the same language as legitimate developers. move_uploaded_file() powers every legitimate upload form, and every dropped webshell. mail() sends your contact form enquiries, and a spammer’s payload. Base64 turns up in CSS image handling as often as it does in obfuscated backdoors. A pattern match without context proves nothing either way, which is exactly why these files land in Suspect content rather than Hacked files.

False positives here are the design working, not failing. The patterns are deliberately inclusive because the alternative is missing the one real backdoor among the 20,000 files on a typical site. The Suspect content tool’s job is to shrink 20,000 files down to a dozen worth reading, and across the 90,000+ sites connected to mySites.guru, that’s exactly what it does. This is the same reason a host’s scanner can wrongly flag legitimate code, as happened when OVH called one of our backup files malware. The difference is what you do with the flag: investigate it, or treat it as a verdict.

Click any flagged file name and the tool shows you the exact matched lines with line numbers, alongside the file’s modification date, size, and permissions. You can edit the file in place or delete it without ever opening an FTP client. Here’s a real one, a BYTE_BUNK webshell caught with 7 pattern matches across its 1,698 lines, from shell_exec() calls to its own boastful title tag:

The suspect content match view showing 7 matched lines in a BYTE_BUNK webshell, including a shell_exec call and upload handlers

The Hacked files tool means act now

The Hacked files tool lists files whose MD5 hash matches a file already confirmed as hacked. An identical hash means identical bytes: your file is the same, character for character, as one that has been examined and condemned before. There is no maybe at this confidence level, and no false positives. Where Suspect content judges a file on what it contains, Hacked files judges it on what it is, the full-file hash, which is why this tool gets to call its results facts.

Every one of the 14,000+ hashes on that list has been through review before it earned its place. For years that reviewer was me, reading each backdoor line by line before flagging it. Today the AI malware analysis adds confirmed-malicious verdicts to the same list, and I still see every AI verdict and overrule the wrong ones before they pollute the data.

Important

A file in the Hacked files tool means your site is compromised, not just that one file. The attacker got in somehow. Deleting the file removes a symptom, not the entry point.

Confirmed hacked files in the mySites.guru Hacked files tool, each one a full-file hash match against the confirmed list

If a file lands in Hacked files, switch from triage to incident response: follow our guide to fixing a hacked Joomla or WordPress site, or hand the whole job to fix.mysites.guru for a set-fee cleanup.

How do I triage a wall of flagged files?

Work in confidence order: the Hacked files tool first, then AI verdicts on the Suspect content list, then manual review. This turns a wall of thirty flags into three short queues, and most of the time the third queue is empty by the time you reach it.

Step 1: open the Hacked files tool. Anything listed here is a confirmed compromise, a full-file hash match. Stop triaging and start cleaning, as above. If this tool is empty, good, but don’t stop: a freshly dropped backdoor we haven’t confirmed yet is sitting in Suspect content, not here.

Step 2: AI analysis on the Suspect content list. Click the AI icon on any single file, or use Analyse Files with AI to queue the lot. Each file comes back with a verdict: safe, suspicious, or malicious, with the problem lines identified. Verdicts are cached globally by file hash, so the files of a popular plugin have usually been analysed by someone already and come back instantly at no cost. A malicious verdict adds that file’s hash to the confirmed list, so the next time anyone meets that exact file, it lands straight in their Hacked files tool.

Coloured AI analysis icons next to suspect files in mySites.guru, showing analysed and unanalysed states

Step 3: manually review what’s left. For the handful of files the AI marks suspicious, open the matched lines and apply context the AI may lack. Does the file belong to a plugin you actually installed? Does its modification date match the rest of the package, or did it change last Tuesday at 3am? Is it a PHP file sitting in an images folder? Compare it against the original extension package if you can.

If a file survives all three steps and you’re still unsure, send it to me and I’ll look at it myself. That offer has been part of the service since 2012.

Your confirmed hack protects everyone else

Every confirmed hacked file makes the whole network safer. The moment a hash is confirmed, whether by my review or an AI verdict I’ve checked, it joins the global hacklist, and the next audit of any connected site checks against it. The same backdoor dropped on a hundred sites only needs to be condemned once.

This crowd-sourced model is why detection improves daily rather than quarterly. We run over 3,000 audits a day and find over 200 hacked sites a week, and every one of those finds feeds patterns and hashes back into the checks that run on your sites tomorrow.

What if I’m still not sure about a file?

Don’t whitelist it, because you can’t: mySites.guru deliberately has no user whitelisting, for reasons (including an expensive legal one) covered in the suspect content deep-dive. A file you hide from yourself today is a backdoor you won’t see next month.

Instead, leave it flagged and treat it as a known quantity. A suspect flag costs you nothing while it sits there; you’ll re-confirm it in seconds on the next audit with cached AI verdicts. And if a file ever nags at you, that’s what the manual review channel is for.

Further Reading

Frequently Asked Questions

What is the difference between the Suspect content and Hacked files tools in mySites.guru?
Suspect content matches on a file's content: the file contains code matching one or more of our 2,000+ hand-written hack patterns, so it needs context to judge. Hacked files matches on a file's hash: the MD5 of the entire file is identical to a previously confirmed hacked file, so it is the same file byte for byte, with no doubt. Content match is a heuristic, hash match is a fact, which is why they are two separate tools.
Can the Suspect content tool contain actual hacked files?
Yes. Suspect content lists every file whose content matches a pattern, including a freshly dropped backdoor we have not yet reviewed and added to the hacked-files database. Once a file is confirmed, by a human or by the AI, its hash joins the confirmed list and that exact file then surfaces in the Hacked files tool instead.
Can a file in the Hacked files tool be a false positive?
No. A file only appears in Hacked files when the MD5 hash of the entire file matches a hash from a file already confirmed as hacked. Identical hash means identical contents, so the verdict carries over with certainty.
Should I delete every file in the Suspect content tool?
No. Many suspect files are legitimate code that happens to use the same PHP functions hackers use. Investigate first: read the matched lines, run the AI analysis, or compare the file against the original plugin or extension package.
Why does mySites.guru flag legitimate files at all?
The patterns are deliberately inclusive because malware authors write in the same language as legitimate developers. Casting a wide net means reviewing a dozen files instead of missing the one that matters among 20,000.
How does the AI malware analysis help with triage?
One click sends a flagged file to Claude or GPT using your own API key and returns a safe, suspicious, or malicious verdict with the problem lines identified. Results are cached globally by file hash, so files already analysed by anyone return instantly at no cost. A malicious verdict also adds the file's hash to the confirmed list, moving that file into the Hacked files tool for everyone.
What should I do first if a file appears in the Hacked files tool?
Treat the site as compromised. Don't just delete the file: the attacker got in somehow, so follow a full cleanup process or hand the site to fix.mysites.guru for a set-fee fix.

What our users say

Elke Alberth
Elke Alberthmedia sued
★★★★★

I don't know how I could manage all my clients' websites without mysites.guru. Plugins are updated with just a few clicks, and the alerts about malicious files are invaluable! Thanks!!!

Read more reviews
Andreas Karrer
Andreas KarrerKARRERlabs
★★★★★

Managing a dozen+ Joomla client sites used to mean checking each one manually. mysites.guru gives me one clean overview: health checks, CVE alerts, full audits, all in one place. And when I hit a genuine edge case (a Postgres-backed Joomla site), Phil personally dug into it within hours. Great tool, even better support.

Read more reviews

Read all 216 reviews →

Ready to Take Control?

Start with a free site audit. No credit card required.

Get Your Free Site Audit