• Resolved Westlake

    (@westlake)


    Hi, I am running Wordfence on several sites in the same hosting account. For some months my sites have been regularly hacked, and I rely on Wordfence scans to identify the problems and clear them up. Today I completed a scan on one site, then after receiving a clean bill of health, I received an email saying there were problems with domain A, and listing files from domain B. Both sites were scanned by Wordfence before and after the email and found no problems.

    from the email:

    This email was sent from your website “Junior Golf Foundation Of Gull Lake” by the Wordfence plugin.

    Wordfence found the following new issues on “Junior Golf Foundation Of Gull Lake”.

    Alert generated at Thursday 9th of November 2017 at 10:15:41 AM

    Critical Problems:

    * File appears to be malicious: __MACOSX/wp-admin/._async-upload.php

    * File appears to be malicious: public_html/inclineindustries.ca/SimplePie/IRI.php
    * File appears to be malicious: public_html/inclineindustries.ca/Text/favicon_220a5d.ico
    * File appears to be malicious: public_html/inclineindustries.ca/class-wp-metadata-lazyloader.php
    * File appears to be malicious: public_html/inclineindustries.ca/fonts/kldnzbxt.php
    * File appears to be malicious: public_html/inclineindustries.ca/images/smilies/qfphabvm.php
    * File appears to be malicious: public_html/inclineindustries.ca/js/mediaelement/kfnhiucl.php
    * File appears to be malicious: public_html/inclineindustries.ca/js/mediaelement/naknmqeo.php
    * File appears to be malicious: public_html/inclineindustries.ca/theme-compat/comments.php
    * File appears to be malicious: wp-content/cache/et/favicon_ab9df3.ico

    * File appears to be malicious: wp-content/themes/twentyfifteen/favicon_435d1c.ico


Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @westlake,

    The reason why the scan with Wordfence on domain A is showing malicious files from domain B is because they’re on the same server and you have the “Scan files outside your WordPress installation” option enabled.

    What is odd is that “Both sites were scanned by Wordfence before and after the email and found no problems.”

    Would you mind disabling the aforementioned option in both Wordfence instances and then running a scan on each instance?

    Do you get the same result?

    Thread Starter Westlake

    (@westlake)

    I performed bulk fix and delete problem file operations on both domains, and both passed Wordfence scans multiple times since I submitted the ticket (I’ve been manually checking my sites to keep on top of them). In my host account FileManager I noted 2 folders that didn’t belong in the “Domain A” directory, _MACOSX and public_html. I deleted both and ran another scan, with no issues found (even though they weren’t found in the scheduled scan a few hours ago either).

    Hi @westlake,

    The fact that you received an alert mentioning those files means that one of the Wordfence scans did find them at some point.

    Maybe the files “appeared” just after a scan (which reported no issues) but were then found by a subsequent scan (which triggered the alert email).

    It seems you have the situation under control now but in order to make sure your site hasn’t been compromised in any way I recommend you follow our site cleaning guide.
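A triage helper for the situation discussed in this thread, as an added example that is not part of the original posts and is not Wordfence code: it parses the path list from an alert email and separates paths under stock WordPress directories from paths under other top-level directories of the scanned root (here `__MACOSX` and `public_html`). The function names are hypothetical, the sample lines are copied from the alert quoted above, and treating only `wp-admin`, `wp-content` and `wp-includes` as expected top-level directories is an assumption of the example.

```python
import re

# Assumption: a stock WordPress root contains only these directories.
# Sites with other legitimate top-level folders should add them here.
WP_CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}

# Matches the bullet lines of the alert email quoted in the thread.
ALERT_LINE = re.compile(r"^\s*\*\s*File appears to be malicious:\s*(\S.*?)\s*$")

# Sample input: a subset of the lines from the alert quoted in the thread.
SAMPLE_ALERT = """\
Critical Problems:

* File appears to be malicious: __MACOSX/wp-admin/._async-upload.php
* File appears to be malicious: public_html/inclineindustries.ca/SimplePie/IRI.php
* File appears to be malicious: public_html/inclineindustries.ca/fonts/kldnzbxt.php
* File appears to be malicious: wp-content/cache/et/favicon_ab9df3.ico
* File appears to be malicious: wp-content/themes/twentyfifteen/favicon_435d1c.ico
"""


def flagged_paths(email_text):
    """Return the relative paths listed in an alert email body."""
    return [m.group(1) for line in email_text.splitlines()
            if (m := ALERT_LINE.match(line))]


def group_by_origin(paths):
    """Split paths into (inside, outside).

    inside:  paths under a stock WordPress directory, or files in the root.
    outside: dict mapping each unexpected top-level directory to its paths.
    """
    inside, outside = [], {}
    for path in paths:
        top = path.split("/", 1)[0]
        if "/" not in path or top in WP_CORE_DIRS:
            inside.append(path)
        else:
            outside.setdefault(top, []).append(path)
    return inside, outside


if __name__ == "__main__":
    inside, outside = group_by_origin(flagged_paths(SAMPLE_ALERT))
    print(f"{len(inside)} flagged file(s) inside the WordPress tree")
    for top, items in sorted(outside.items()):
        print(f"unexpected top-level directory {top!r}: {len(items)} flagged file(s)")
```

Any directory reported as unexpected is worth checking in the file manager before cleaning, since it may be a nested copy of another site or an unpacked archive rather than part of the install being scanned.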

  • The topic ‘Confusing alert-identifies 2 domains’ is closed to new replies.