Error reaching a page suddenly

SYSTEM INFORMATION
OS type and version Ubuntu 20.04
Webmin version Latest

For very long time we have a webshop running without problem. A couple of weeks ago it was probably hacked and used for spam. We never found out what had really happened but after blocking a port the spam sending stopped and all has worked as normal. Until today
When I try to reach the backoffice on https://jv74.se/admin123jv74/ I get that I have no access. There is no trace in any logs. To be sure it was not the shop platform itself, I restored a 24 hour old backup from when I know the shop worked without a problem. The shop works normal on https://jv74.se

Where to start looking? 3 other domains on the same server works normal

@Havouza is that prestashop? I would check apache error logs in virtualmin for that domain. I’ve see the issue like this when prestashop was restored from backup and there was issue with htaccess file - missing or misconfigured. Check if the file exist.

Also I would suggest you never give out your admin link login which is unique for each prestashop install

The admin login link is not unique for each install, I set it myself and can just change it if I get the sho to work again.

The issue came without any backup restore. I restored the backup just to see if that solved it. But I will check the error log again.

This is the error in apache error log

[access_compat:error] [pid 1525926:tid 140024506996480] [client 212.102.63.78:60881] AH01797: client denied by server configuration: /home/jv74/public_html/wp-admin/defaults.php

Thats what I mean - once setup during install = unique. I think you cannot change admin link just like that as it will result 403 error as well. Is there htaccess file in place?

Ah I just saw your new reply while replying to previous, I can confirm that https://jv74.se/ is running on prestahop and not wordpress. Folder /wp-admin is for wordpress which is different cms

I found that if I disable the admin .htaccess file I can login.

The content is this

<FilesMatch ‘.(py|exe|php|PHP|Php|PHp|pHp|pHP|pHP7|PHP7|phP|PhP|php5|suspected)$’>
Order allow,deny
Deny from all

Great, then log in to prestrashop as admin and regenerate htaccess and it should be fine. or keep admin logging locked and edit htaccess file each time you need to login to backend as admin (which is noisy - I would rather setup some 2fa with admin page) anyway this is not related to virtualmin.

The strange thing is we have a second shop, a clone of number 1 except products. This shop has NO .htaccess in the admin folder. Can the one in the affected shop been planted there when it was hacked

thats why I suggested once you in admin panel, regenerate htaccess from within prestashop, that will make sure site will work correctly and will replace any mess within existing '‘planted’ htaccess with correct permissions. It looks like the deny all in that htaccess file was indeed planted to prevent you to be able to login.

It seems obvious it was. It contains stuff that doesn’t make sense if you know what your system looks like.

Also, it’s very likely many other files were modified. It would be extremely unusual for someone to gain the ability to write to your web root, and only do obvious stuff. They almost certainly added many ways to get back in.