You are viewing a curated collection of the most significant posts in this topic.


A few weeks ago I started experiencing redirects on my site. I paid for MalCare and I don't seem to be having an issue on my main site anymore, but members of my forum have reported experiencing redirects, especially when clicking on the Messages button. 

Every other day I get a notification from MalCare saying my site has been hacked. When I check the report, it's always for the following 3 files on my forum:

 

  • applications/core/interface/imageproxy/imageproxy.php
  • admin/upgrade/extractCic.php
  • applications/core/interface/task/web.php

 

When I check these files on the server, they are renamed something like this:

  • imageproxy.php.bv3014.suspected

 

I also have been unable to update my forum, I believe because of these 3 files.

Could anyone please provide any help or suggestions on what I can do?

I do appreciate it. Thank you.

  • Community Expert

It's always good to be safe!  😄 

 

Thanks Randy for the reply, I figured as much, but just wanted to be sure. 🙏

If you're using the default skin that comes with the software, then I recommend seeing if any of the skin templates have been altered.  Also, check the various 3rd party apps you have installed (if any) to make sure that they are legit.  It's quite possible that something is happening internally (not guaranteed, but better to check and be sure).  If the skin is a 3rd party skin, ask the author if they'd be willing to examine the skin to see if it's been altered in any malicious way.

Assuming that everything is clean internally, it's time to look outside of the IPS suite.  Have you installed anything else on your domain that isn't part of the suite?  Subdomain, another URL for a different type of page, etc.?  If so, check the contents there to see if anything has been maliciously added.  If not, then you may need to contact your hosting company for assistance in figuring out how someone was able to install malicious code on your site.  There could be a security update they need to install or a setting that needs to be changed.

Before doing ANYTHING though, download a full backup of EVERYTHING!  (Full database and all the files for your website.)  This will serve two purposes.  One is in case something more goes wrong, you can restore and retry.  Second is that you could provide the files (and/or data) to someone you can trust to look through and see if they can find anything malicious.

 

It's always good to be safe!  😄 

Better safe than sorry!

  • Community Expert

If they got in via WordPress, in theory moving to the cloud should fix the problem. If the problem was the WordPress SSO AND if you moved it to the cloud, you might have problems. But given I have not seen similar issues for the plugin itself, my guess would be it was WordPress itself that was the initial compromise vector. Moving to cloud should be good.

Moving to cloud hosted would most probably fix the issue (except if you export/import your theme, as the faulty links are probably somewhere in its code).

But seriously this is like switching car to a long-term rental because you have a flat tire.

And yet some of us can't afford a Ferrari, even a rental (plus there are many situations where a Ferrari won't go where your old Nissan goes) 🙂
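The file check suggested earlier in the thread (see whether anything in the install has been altered, and look at what the scanner renamed to `.suspected`), sketched as an added example that is not part of any post or of the forum software. It assumes you have unpacked a clean copy of the same release next to your backup; `compare_install` and the directory arguments are hypothetical names.

```python
import hashlib
import sys
from pathlib import Path

# Suffix the scanner in the thread appended: imageproxy.php.bv3014.suspected
QUARANTINE_SUFFIX = ".suspected"

def sha256_of(path):
    """Hash a file in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_install(live_root, pristine_root):
    """Compare a live install (or its backup) with a clean copy of the release."""
    live, pristine = tree_hashes(live_root), tree_hashes(pristine_root)
    report = {"modified": [], "extra": [], "missing": [], "quarantined": []}
    for rel, digest in sorted(live.items()):
        if rel.endswith(QUARANTINE_SUFFIX):
            report["quarantined"].append(rel)   # renamed by the scanner
        elif rel not in pristine:
            report["extra"].append(rel)         # not shipped with the release
        elif pristine[rel] != digest:
            report["modified"].append(rel)      # shipped file, content changed
    # Shipped files that are gone, e.g. because they were renamed away
    report["missing"] = sorted(set(pristine) - set(live))
    return report

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare.py <live_or_backup_dir> <clean_release_dir>")
    for kind, files in compare_install(sys.argv[1], sys.argv[2]).items():
        for rel in files:
            print(f"{kind:12} {rel}")
```

Run it against the downloaded backup rather than the live server. Uploads, caches and configuration files will show up as `extra`, so that list needs reading by hand; `modified` and `quarantined` entries are the ones to inspect first.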
