Malware in /wflogs/attack-data.php?

  • AMX

    (@lightscapes)


    7 years, 1 month ago

    Hi,
    My hosting company has informed me that this path contains malware and they restricted access to this file. I tried to download it through FTP, I got disconnected a few times but finally succeeded.

    wp-content/wflogs/attack-data.php

    In Notepad++ this file looks like this:

    <?php exit(‘Access denied’); __halt_compiler(); ?>
    wfWAF NULNULNULNULNULNULœNULNULNUL…
    and several pages of NULNUL….
    Normal Notepad shows empty spaces instead of NUL.

    I checked the same file on another website and on another host. They are all the same and have 40.083 bytes.

    Is it a false alarm or something to worry?
    Wordfence hasn’t recorded any admin logins from suspicious IPs. My FTP password is long and difficult to brute-force.

    • This topic was modified 7 years, 1 month ago by AMX.
Viewing 15 replies - 16 through 30 (of 77 total)
1 2 3 4 5 6
  • Delia Carballo

    (@soydelia)

    7 years, 1 month ago

    Same here with 1&1.

    olymp1c

    (@olymp1c)

    7 years, 1 month ago

    I have the same email from 1&1. Looks like the “attack” was about 3:36am GMT. Using Wordfence (Free edition)

    eWebjojo

    (@ewebjojo)

    7 years, 1 month ago

    Same thing, several installations on 1&1 space but only one of them with this kind of problem.

    Hacked or not? Any ideas?

    Stevo

    (@sd142ppr)

    7 years, 1 month ago

    Same here. Modified files in ‘wflogs’ (poss modified by 1and1) as shown:

    * attack-data.php contains this (as shown, which also seems to generate a lot of white data when copied and pasted!):
    <?php exit(‘Access denied’); __halt_compiler(); ?>
    wfWAF

    * config.php has this at the top of what looks like a normal file:
    <?php exit(‘Access denied’); __halt_compiler(); ?>

    * ips.php has this at the top, with what looks like normal binary code underneath:
    <?php exit(‘Access denied’); __halt_compiler(); ?>

    * rules.php has this above probable normal code:
    <?php
    if (!defined(‘WFWAF_VERSION’)) {
    exit(‘Access denied’);
    }

    Hope this helps!
    Stevo

    pimounet

    (@pimounet)

    7 years, 1 month ago

    Same warning from 1&1 today
    WordPress uptodate
    Wordfence Free
    File already existed before, date has changed but content is the same !

    • This reply was modified 7 years, 1 month ago by pimounet.
    consiliosa

    (@consiliosa)

    7 years, 1 month ago

    Looked at a previous thread & this is the answer from the plugin author

    Files are modified when plugins are updated and when plugins perform certain functions. It is normal to see the /wflogs/attack-data.php in that list because that file is updated when your Wordfence Firewall is working.

    Possibly just a false alarm?
    Had email from client first thing who had email from 1and1.

    atx6sic6

    (@atx6sic6)

    7 years, 1 month ago

    Same warning from 1&1 today
    WordPress uptodate
    Wordfence Free

    Also binary data in the file starting with wfWAF

    I called 1und1 but at least 1st level support had no clue and insisted this is no false alert but couldn’t contact tech staff to confirm. I’m trying it again later this day

    rfollett

    (@rfollett)

    7 years, 1 month ago

    Also have 2 sites on 1&1 reported same issue. I had to change the permissions from 200 to 644 to download. this is contents:

    <?php exit(‘Access denied’); __halt_compiler(); ?>
    wfWAF

    Stevo

    (@sd142ppr)

    7 years, 1 month ago

    UPDATE: I deleted the WF plugin, removed the wflogs folder, and reinstalled WF (Premium).

    I have run a scan but it’s stuck here (poss to do with 1and1 file mods/blocks) :
    [Mar 20 08:12:30]
    Scanning file contents for infections and vulnerabilities
    [Mar 20 08:12:30]
    Scanning files for URLs in Google’s Safe Browsing List

    generalhawkins

    (@generalhawkins)

    7 years, 1 month ago

    1and1 already corrected this issue with the non-hacked-wf files. They say that the files can be unlocked by the user in ~3hours (file-permissions back to 604 or anything that works) from now on..

    divnull

    (@divnull)

    7 years, 1 month ago

    I’ve just received a reply by 1&1 support. They apologized for sending false alarms regarding attack-data.php (Wordfence). They will adjust their scanner.

    wfasa

    (@wfasa)

    7 years, 1 month ago

    Thanks for the updates guys! If you experience any issues after the Wordfence files in wflogs were on lock down by your host 1&1, just delete the wflogs folder. It will be recreated the next time any page on your site is visited. Note that you will need to go in and set the Firewall back to “Enabled and protecting” as it will default to “Learning mode” when you delete the wflogs folder.

    Hope it all works out from here but let us know if it doesn’t.

    Landyphil

    (@landyphil)

    7 years, 1 month ago

    HI,
    Same here. Got a Mail from 1&1.
    Looking with WinSCP and Editor to the same File attack-data.php shows different Content. I took a screenshot to show it.
    And yes if I mark in WinSCP all the content of the file there are a lot of blancs after the code. Screenshot

    divnull

    (@divnull)

    7 years, 1 month ago

    Thanks wfasa for the very useful plugin! 🙂

    pimounet

    (@pimounet)

    7 years, 1 month ago

    Thanks @wfasa

Viewing 15 replies - 16 through 30 (of 77 total)
1 2 3 4 5 6
  • The topic ‘Malware in /wflogs/attack-data.php?’ is closed to new replies.