Thanks for reaching out. You might want to reach out to your hosting company and ask them if Blogvault is something they add as a feature. They have several hosting companies listed as partners on their site. Let us know what they say.
Tim
Hi Tim,
My host just confirmed that they are not using the Blogvault plugin and I am also not using it. So I am curious about how it’s getting generated.
Btw, Sucuri also does not flag it as malicious but it does alert that core files have been modified.
Thanks,
Raj
Have you looked at server cron jobs? That’s usually where I’d start on a regenerated file. Can you also send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email
Thanks
Thanks. I will try to check the cron jobs.
I have sent the report as suggested.
Thanks for reaching out. I saw you have this plugin installed:
https://wordpress.org/plugins/backup/
Can you ask the author if the bv_connector file is theirs?
Tim
Thanks, Tim.
Backup plugin confirmed that the file is not created by them.
Can you email a copy of the file to wftest @ wordfence . com?
Thanks
Tim
Hey Tim,
I have sent the file.
Thanks
Raj
Thanks for sending that.
I installed Blogvault on a test site here and compared your bv_connector file with the one installed on the test site with the plugin. The only difference was the encryption key, which really was to be expected. You wouldn’t want multiple sites connecting with the same public and private keys. So I went to Blogvault’s site to ask a question and in their chat window I saw that the rep on duty was “Lee from Malcare”. I checked the Malcare site and on their Terms and Conditions page (https://www.malcare.com/tos) I saw this (see screenshot emailed to you):
“By accessing or using our Websites including but not limited to https://blogvault.net, https://www.migrateguru.com, https://www.malcare.com or https://wpremote.com (“Websites”) or using our plugins including but not limited to the BlogVault, Migrate Guru and MalCare plug-ins (the “Plug-ins”), or accessing any other website, software application or plugin that links to this Terms and…”
So, I believe this belongs to Malcare and that they regenerate the file on your website. Please verify with them. You can provide the connector file and ask them to stop regenerating it if you don’t want it there.
Tim
Funny addition to the story, Lee from Malcare finally answered my initial query “Is Blogvault now part of the Malcare family?” with an enthusiastic “Yes, it is!” So my guess is there’s your culprit. 🙂
Tim
Thanks Tim, for solving this mystery. 🙂
I will mark the thread closed.
Raj
It was definitely a mystery. I feel like I need a Scooby Snack now! 😉
Tim
Scooby snack sounds fun! 🙂
Confirming that after I deactivated Malware, the file did not appear.
Raj