Symptoms:
1. The presence of the file /uploads/profile/photo-128.jpg. If such a file is present, open it in Notepad and view its contents. If it contains PHP code, your site has been compromised.
2. Extraneous files in the folders cache/ and hooks/; there may be others. They can have any name, but common ones are view-cache.php, zx.php, ipbcache.php, df.php, 0e168b.php. If such files exist, again, your site has been compromised.
3. A file named tmpgw4ia4 in the folder tmp, mod-tmp, or any other folder to which your sessions are written.
Treatment:
1. Find any extraneous files and delete them. Be sure to delete the file photo-128.jpg, and check the rest of the images for the presence of PHP code.
2. Open the database in phpMyAdmin and go to the table core_hooks_files. At the end of the table, find the records that contain the path to the image photo-128.jpg and to the file tmpgw4ia4. Delete these rows.
3. Install the security patches from Invision Power Services, namely the critical security update of November 6, 2012 and the critical security update of 27 December 2012.
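The file checks from the symptom list and from treatment step 1 can be scripted. The following is an added example, not code from Invision Power Services or from the original page: it flags images that contain a PHP open tag, the temp file name given above, and PHP files in cache/ and hooks/ that are not on a known-good list. The function names, the known_good parameter, the image extension list and the sample tree are assumptions made for the illustration.

```python
import os
import re
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}   # assumed upload types
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.I)     # "<?php" or "<?="
TEMP_NAME = "tmpgw4ia4"                          # file name given on this page
REVIEW_DIRS = {"cache", "hooks"}                 # folders named on this page

def scan(root, known_good=frozenset()):
    """Walk root; return sorted (relative_path, reason) pairs to review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in IMAGE_EXTS:
                with open(path, "rb") as fh:
                    if PHP_TAG.search(fh.read()):
                        findings.append((rel, "php tag inside image"))
            elif name == TEMP_NAME:
                findings.append((rel, "temp file name from advisory"))
            elif (ext == ".php" and rel.split("/")[0] in REVIEW_DIRS
                  and rel not in known_good):
                findings.append((rel, "unlisted php file"))
    return sorted(findings)

def build_sample_tree():
    """Constructed demo tree (not real forum data); returns its root."""
    root = tempfile.mkdtemp(prefix="ipb-scan-demo-")
    samples = {
        "uploads/profile/photo-128.jpg": b"\xff\xd8\xff\xe0<?php /* placeholder */ ?>",
        "uploads/profile/photo-7.jpg": b"\xff\xd8\xff\xe0plain image bytes",
        "cache/zx.php": b"<?php /* placeholder */",
        "cache/expected.php": b"<?php /* placeholder */",
        "hooks/readme.txt": b"text",
        "tmp/tmpgw4ia4": b"placeholder",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reason in scan(build_sample_tree(), known_good={"cache/expected.php"}):
        print(f"{reason}: {rel}")
```

On a real installation, pass the forum root to scan() and build known_good from the file list of a clean copy of the same forum version; every remaining hit is a candidate for manual review, not an automatic deletion.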
If your site has been hacked and you need help resolving the issue, do not hesitate to contact our experts; we will be happy to help.