SC36DC Posted June 25, 2023
A few weeks ago I started experiencing redirects on my site. I paid for MalCare and I don't seem to be having an issue on my main site anymore, but members of my forum have reported experiencing redirects, especially when clicking on the Messages button. Every other day I get a notification from MalCare saying my site has been hacked, and when I check the report, it's always for the following 3 files on my forum:
applications/core/interface/imageproxy/imageproxy.php
admin/upgrade/extractCic.php
applications/core/interface/task/web.php
When I check these files on the server, they are renamed something like this: imageproxy.php.bv3014.suspected
I also have been unable to update my forum, I believe because of these 3 files. Could anyone please provide any help or suggestions on what I can do? I do appreciate it. Thank you.
Randy Calvert Posted June 25, 2023
Run a diff between the suspected file and the same file from the client area. That will tell you if the file was actually modified. If there is no difference between the two, it's a false positive issue with the scanner. If you for some reason can't do an auto update, download a set of files from the client area, upload them, and run domain.com/admin/upgrade.
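Randy's diff suggestion, written out as a script. This is an added example, not part of the thread and not an Invision tool: it walks a clean client-area download and the live tree and reports files that were modified, are missing, were added, or carry a scanner ".suspected" suffix, so the whole install is checked rather than just the three flagged paths. The build_fixture function creates a small constructed tree for demonstration; the uploads/ and conf_global.php exclusions are assumed site-specific paths that the client-area package does not contain.

```shell
#!/bin/sh
# Added example (not from this thread, not an Invision tool): compare a live
# forum tree against a clean copy of the same release from the client area.
# One finding per line:
#   MODIFIED    same path, different bytes
#   MISSING     in the release, absent from the live tree
#   EXTRA       only in the live tree (nothing the release shipped)
#   QUARANTINED live file carrying a scanner ".suspected" suffix
# Usage: sh integrity_check.sh /path/to/clean /path/to/live

# Assumed site-specific paths that the client-area download does not contain
# (user uploads, local config). Anything else only in the live tree gets reported.
is_site_specific() {
    case $1 in
        uploads/*|conf_global.php) return 0 ;;
        *) return 1 ;;
    esac
}

compare_trees() {
    clean=$1
    live=$2
    {
        # Every file the release shipped: matching, modified or missing.
        (cd "$clean" && find . -type f) | while IFS= read -r rel; do
            rel=${rel#./}
            if [ -f "$live/$rel" ]; then
                cmp -s "$clean/$rel" "$live/$rel" || echo "MODIFIED $rel"
            else
                echo "MISSING $rel"
            fi
        done
        # Everything the live tree has that the release did not ship.
        (cd "$live" && find . -type f) | while IFS= read -r rel; do
            rel=${rel#./}
            case $rel in
                *.suspected) echo "QUARANTINED $rel" ;;
                *) is_site_specific "$rel" || [ -f "$clean/$rel" ] || echo "EXTRA $rel" ;;
            esac
        done
    } | LC_ALL=C sort
}

# Constructed fixture for demonstration: a two-file "release" and a live tree
# where the scanner renamed imageproxy.php, web.php gained a line, and a file
# the release never shipped appeared next to it. File contents are made up.
build_fixture() {
    root=$(mktemp -d)
    for t in clean live; do
        mkdir -p "$root/$t/applications/core/interface/imageproxy" \
                 "$root/$t/applications/core/interface/task"
    done
    mkdir -p "$root/live/uploads"
    printf '<?php // constructed: clean imageproxy\n' > "$root/clean/applications/core/interface/imageproxy/imageproxy.php"
    printf '<?php // constructed: clean web task\n'   > "$root/clean/applications/core/interface/task/web.php"
    cp "$root/clean/applications/core/interface/imageproxy/imageproxy.php" \
       "$root/live/applications/core/interface/imageproxy/imageproxy.php.bv3014.suspected"
    printf '<?php // constructed: clean web task\n// constructed: appended line\n' > "$root/live/applications/core/interface/task/web.php"
    printf '<?php // constructed: not part of any release\n' > "$root/live/applications/core/interface/task/dropped_constructed.php"
    printf 'not really an image\n' > "$root/live/uploads/avatar.png"
    echo "$root"
}

if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

Run it against the clean download and a copy of the live tree pulled down over FTP. A MODIFIED line on a core file is a real change, whatever the scanner says; an EXTRA .php file anywhere under the core directories deserves a look before it is deleted, since it is the only record of what was dropped.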
Miss_B Posted June 25, 2023
Have you checked the contents of those files?
Marc Posted June 26, 2023
I would just upload fresh copies of those files from your client area. If they are then marked again, it would seem you are getting false positives, so you would need to whitelist those.
SC36DC (Author) Posted June 26, 2023
4 hours ago, Marc Stridgen said:
"I would just upload fresh of those files from your client area. If they then are marked again, it would seem you are getting false positives, so would need to whitelist those"
I replaced the 3 files mentioned from a fresh download from the client area, then I just refreshed the page that was stuck on "Extracting", and it continued the Download/Extracting/Upgrade process. Now, members of my forum are experiencing malicious redirects ONLY once they access the Messaging option on the forum. HELP PLEASE!!!!!!!!!!!!!🙏
Marc Posted June 26, 2023
Could you please let me know what you mean by experiencing malicious redirects. Are they getting a suspected message as you mention above, or is something actively being redirected? If the latter, you need to investigate that with your hosting company. You should upload a fresh set of files from your client area (a full set) and run the upgrader from /admin/upgrade
SC36DC (Author) Posted June 26, 2023
Just now, Marc Stridgen said:
"Could you please let me know what you mean by experiencing malicious redirects. Are they getting a suspected message as you mention above, or is something actively being redirected? If the latter, you need to investigate that with your hosting company. You should upload a fresh set of files from your client area (a full set) and run the upgrader from /admin/upgrade"
Members have posted that when they try to upload an image in a post or click on a message in the Messaging system, popups happen, then it goes to another site, often sexually explicit. According to one member, their Avast reported that site as phishing. Regarding uploading a fresh set of files, would that be via FTP, and if so, if I just overwrite all files when transferring, will that keep all current images and data safe and intact? Also, I have reached out to customer support and asked about moving my self-hosted forum over to cloud, and to ask if by having it hosted on cloud I would not have to worry about this type of problem, and the reply was "if you ever were to have a problem with like DoS attacks or malicious content injection, our team would take care of that for you." This is great, but unfortunately at this time I don't think I can afford the monthly fee for this. Thanks for the reply Marc.
Randy Calvert Posted June 26, 2023
6 minutes ago, SC36DC said:
"Regarding uploading a fresh site of files, would that be via FTP, and if so, I just overwrite all files when transferring, that will keep all current images and data safe and intact?"
Yes, via FTP, and overwrite anything. All the current images and data would be safe. The data is in the database, and user uploaded images would not be in the files downloaded from the client area. You're replacing IPB core system files, not the user generated ones.
SC36DC (Author) Posted June 26, 2023
Just now, Randy Calvert said:
"Yes via FTP and overwrite anything. All the current images and data would be safe. The data is in the database and user uploaded images would not be in the files downloaded from the client area. You're replacing IPB core system files, not the user generated ones."
Thanks Randy for the reply, I figured as much, but just wanted to be sure. 🙏
Wolfie Posted June 27, 2023
7 hours ago, SC36DC said:
"Thanks Randy for the reply, I figured as much, but just wanted to be sure. 🙏"
If you're using the default skin that comes with the software, then I recommend seeing if any of the skin templates have been altered. Also, check the various 3rd party apps you have installed (if any) to make sure that they are legit. It's quite possible that something is happening internally (not guaranteed, but better to check and be sure). If the skin is a 3rd party skin, ask the author if they'd be willing to examine the skin to see if it's been altered in any malicious way.
Assuming that everything is clean internally, it's time to look outside of the IPS suite. Have you installed anything else on your domain that isn't part of the suite? Subdomain, another URL for a different type of page, etc.? If so, check the contents there to see if anything has been maliciously added. If not, then you may need to contact your hosting company for assistance in figuring out how someone was able to install malicious code on your site. There could be a security update they need to install or a setting that needs to be changed.
Before doing ANYTHING though, download a full backup of EVERYTHING! (Full database and all the files for your website.) This will serve two purposes. One is in case something more goes wrong, you can restore and retry. Second is that you could provide the files (and/or data) to someone you can trust to look through and see if they can find anything malicious.
7 hours ago, Randy Calvert said:
"It's always good to be safe! 😄"
Better safe than sorry!
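Wolfie's checklist above (theme templates, third-party apps, anything else hosted on the domain), together with the later point in this thread that an edited theme would travel with a cloud migration, as an added example that is not part of the thread and not an Invision tool. A clean re-upload of core files does not touch templates, the uploads tree or a separate install on the same domain, so this scans those for redirect and obfuscation constructs and for PHP dropped under uploads/. It assumes the theme templates have been exported to files on disk, and the indicator list is a set of assumed generic heuristics, not signatures of whatever hit this site; every hit needs a human look.

```shell
#!/bin/sh
# Added example (not from this thread, not an Invision tool): heuristic scan
# of the parts of a site that re-uploading clean core files does not touch:
# exported theme templates, the uploads tree, .htaccess files and anything
# else hosted on the domain. One finding per line:
#   INDICATOR       path:line containing a redirect/obfuscation pattern
#   PHP_IN_UPLOADS  a .php file under uploads/, which has no business there
# Usage: sh scan_injection.sh /path/to/site_root

# Assumed heuristics (grep -E). They flag common redirect and obfuscation
# constructs, not any specific malware; review every hit by hand.
INDICATORS='eval\(base64_decode\(|window\.location|location\.href|document\.write\(unescape\(|<script[^>]+src="https?://|RewriteRule .*\[R'

scan_tree() {
    dir=$1
    {
        # Executable code under the user-upload tree is never legitimate.
        (cd "$dir" && find . -path './uploads/*' -type f -name '*.php') \
            | sed 's|^\./|PHP_IN_UPLOADS |'
        # Indicator strings in templates, markup, scripts, PHP and .htaccess.
        (cd "$dir" && grep -rEn "$INDICATORS" \
            --include='*.phtml' --include='*.html' --include='*.xml' \
            --include='*.js' --include='*.php' --include='.htaccess' . 2>/dev/null) \
            | cut -d: -f1,2 | sed 's|^\./|INDICATOR |'
    } | LC_ALL=C sort
}

# Constructed fixture: a clean template, a template with an appended redirect,
# a PHP file dropped into uploads next to a real upload, and an .htaccess on a
# separate install under the same domain that redirects everything off-site.
build_scan_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/themes/custom" "$root/uploads/monthly_2023_06" "$root/blog"
    printf '<div class="clean">{$content}</div>\n' > "$root/themes/custom/forums.phtml"
    printf '<div class="message">{$message}</div>\n<script>window.location="https://example.invalid/go"</script>\n' \
        > "$root/themes/custom/messages.phtml"
    printf '<?php // constructed: dropped file\n' > "$root/uploads/monthly_2023_06/image.php"
    printf 'GIF89a\n' > "$root/uploads/monthly_2023_06/photo.gif"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ https://example.invalid/$1 [R=302,L]\n' > "$root/blog/.htaccess"
    echo "$root"
}

if [ "$#" -eq 1 ]; then
    scan_tree "$1"
fi
```

The point of the split categories is triage: PHP_IN_UPLOADS lines can be quarantined on sight, while INDICATOR lines in a template need the author (or whoever customised the theme) to say whether that line was ever theirs before it is removed.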
SC36DC (Author) Posted June 27, 2023
@Marc Stridgen I've emailed in to support, but only heard back from a sales associate. Please let me know or direct me to someone who can answer this: if I move my community over from self-hosted to the Cloud, will you guys be able to get rid of whatever malware has infected my forum and is causing so many members to be maliciously redirected when clicking on links on the forum? From what the sales associate told me, NO ONE on Cloud hosting has experienced this type of malware, but because I already have it, can it still be "treated" and taken care of? Thank you.
Randy Calvert Posted June 27, 2023
Moving to cloud would remove any infected files because they don't use the original raw files provided by you. They want the source files to get to the uploads folder and the folder with third party resources in it. The main IPB core files with source code are not used. So in a majority of the cases it should fix it. But for example if your theme was edited, that might be carried over too. It depends on exactly what is injecting the bad code. That's why it's hard to give you a simple yes/no answer. It depends on what is actually the root cause of your problem. But if it's on the cloud and having issues still, they should be able to help isolate where it's happening. (For example having you switch to a default theme to see if it fixes the problem.)
SC36DC (Author) Posted June 27, 2023
2 minutes ago, Randy Calvert said:
"Moving to cloud would remove any infected files because they don't use the original raw files provided by you. They want the source files to get to the uploads folder and the folder with third party resources in it. So in a majority of the cases it should fix it. But for example if your theme was edited, that might be carried over too. It depends on exactly what is injecting the code."
I am using an IPSFOCUS theme created by @Ehren. I originally got this issue via a Wordpress plugin or something having to do with Wordpress. So I guess moving over to cloud would be beneficial in keeping my community separate from my main site and Wordpress.
Randy Calvert Posted June 27, 2023
If they got in via Wordpress, in theory moving to the cloud should fix the problem. If the problem was the Wordpress SSO AND if you moved it to the cloud, you might have problems. But given I have not seen similar issues for the plugin itself, my guess would be it was Wordpress itself that was the initial compromise vector. Moving to cloud should be good.
Marc Posted June 28, 2023
14 hours ago, SC36DC said:
"@Marc Stridgen I've emailed in support, but only heard back from a sales associate, please let me know or direct me to someone who can answer this, if I move my community over from self-hosted to the Cloud, will you guys be able to get rid of whatever malware has infected my forum and is causing so many members to have malicious redirected when clicking on links on the forum? From what the Sales associate told me, NO ONE on Cloud hosting has experienced this type of malware, but because I already have it, can it still be "treated" and taken care of? Thank you."
We can certainly get you sorted out
jesuralem Posted June 28, 2023
Moving to cloud hosted would most probably fix the issue (except if you export/import your theme, as the faulty links are probably somewhere in its code). But seriously, this is like switching car to a long-term rental because you have a flat tire.
Marc Posted June 28, 2023
1 minute ago, jesuralem said:
"But seriously this is like switching car to a long-term rental because you have a flat tire."
Only the old car was an old Nissan with dodgy wheels that kept throwing out the tires, and the rental is a Ferrari, with a set of secret ninja mechanics that change flat tires without you having ever known they were flat in the first place
jesuralem Posted June 28, 2023
and yet some of us can't afford a Ferrari, even a rental (plus there are many situations where a Ferrari won't go where your old Nissan goes) 🙂
SC36DC (Author) Posted June 29, 2023
16 hours ago, Marc Stridgen said:
"We can certainly get you sorted out"
I've reached out to support to get my community moved to the cloud.
Randy Calvert Posted June 29, 2023
Marc and Olivia do a good job with making the migration go pretty well. They've got it down to a science!!
SC36DC (Author) Posted June 29, 2023
2 hours ago, Randy Calvert said:
"Marc and Olivia do a good job with making the migration go pretty well. They've got it down to a science!!"
That's great to hear. Looking forward to the move and a more secure environment.
Marc Posted June 29, 2023
7 hours ago, SC36DC said:
"That's great to hear. Looking forward to the move and a more secure environment."
Look forward to getting you over 🙂
SC36DC (Author) Posted June 29, 2023
Any idea how long it takes to hear back from support regarding the move request?
Marc Posted June 30, 2023
There have been answers on your tickets there. I see you are waiting for an answer on one of those as a follow-up question. It can take a couple of days for some queries to be responded to. Please bear with us.