Support » Plugin: Wordfence Security - Firewall & Malware Scan » Malware in /wflogs/attack-data.php?

  • AMX

    (@lightscapes)


    Hi,
    My hosting company has informed me that this path contains malware and they restricted access to this file. I tried to download it through FTP, I got disconnected a few times but finally succeeded.

    wp-content/wflogs/attack-data.php

    In Notepad++ this file looks like this:

    <?php exit('Access denied'); __halt_compiler(); ?>
    wfWAF NULNULNULNULNULNULœNULNULNUL…
    and several pages of NULNUL….
    Normal Notepad shows empty spaces instead of NUL.

    I checked the same file on another website and on another host. They are all the same and have 40.083 bytes.

    Is it a false alarm or something to worry about?
    Wordfence hasn’t recorded any admin logins from suspicious IPs. My FTP password is long and difficult to brute-force.

    • This topic was modified 3 years, 6 months ago by AMX.
Viewing 15 replies - 46 through 60 (of 77 total)
  • With ref to scans not completing now also in my case. Would a simple option be to deactivate and delete, re-install Wordfence – might this work, won’t cause any harm?

    I suspect it is a wider 1and1 issue with permissions, as I note that Updraft Plus (backup plugin) is now also taking forever/failing to finish a full backup.

    Thanks for the update Stevo. If anyone on 1&1 hosting who is experiencing scan issues can check their server’s error logs (as outlined in my previous posts) and report back with findings, that may help.

    I have just got off the phone from 1and1. They confirm that the issue is a ‘false positive’ on their malware scanner and that the file is harmless. They will be emailing affected customers to inform them of the error ‘in due course’.

    Hi @wfasa,

    The WF scan seems to be very random when it stops (judging from debug screen – different point every time). I thought it was Updraft Plus, as I deactivated and deleted it, then got a clean scan. After reinstalling UP, the WF scan hung again, so I deactivated/deleted UP again, but this time the scan hangs anyway.

    SOMETHING is amiss… Still convinced 1and1 settings have done this.

    My scan will not complete. I also cannot delete the wflogs folder even though I managed to transfer some of it to my desktop; it will not delete remotely, it says it is not empty, but it is (I use Transmit so it shows hidden files). (Error message is Error -126: remote rmdir failed). I’ve tried deactivating Wordfence, then trying to delete, no joy. I reactivate the plugin, still the scan will not complete. I cannot find the setting to set a timeout limit (Maximum execution time for each scan stage), only maximum time for entire scan. Is this only on premium?

    • This reply was modified 3 years, 6 months ago by bosh.

    The main point here is that scans are NOT finishing for 1and1 customers. I know that as I have 20+ WP installations with WF on ALL, and ALL are hanging.

    Therefore it seems somewhat of a wasted exercise to make changes to WF, when it’s clear that 1and1 has made a change somewhere that is affecting the plugin’s scan ability.

    (As an aside to this but relevant, I now have an issue with Updraft Plus being able to compile/upload backup files, so it appears something has been severely curtailed/throttled).

    Stevo

    I just checked one of my affected sites and was shocked/surprised to see:

    Last scan completed: 16 November 2016 7:15 am

    I’m scanning now in debug mode as per @wfasa suggestion…

    If your scans have not run since 16 November it sounds like WordPress cron may have been deactivated at this time.

    Due to the various issues we see popping up here, I would recommend that everyone just hold tight while 1&1 try to get their changes made and send out information to all of you about what changes they have made. We will keep an eye on this of course, but hopefully most issues should be resolved once 1&1 have rolled back whatever changes they made that caused this.

    Thanks for helpful replies. OK. I was going to delete WordFence and start again but I think I’ll wait as wfasa suggests. FYI like others are stating, WF scan is hanging at different points each time, no consistency. I won’t deactivate Updraft Plus as it doesn’t seem worth it going on what Stevo said.

    @wfasa It looks like it’s been trying to run but not completed. I’ll await further instructions from either you or 1&1.

    It’s been stuck for 30 minutes on: [Mar 20 12:26:44] Calling Wordfence API v2.23:https://noc1.wordfence.com/v2.23/?v=4.7.3&s=<website address>;&k=<longnumber>&openssl=<anothernumber>&phpv=5.6.30&betaFeed=0&cacheType=disabled&action=password_load_results

    • This reply was modified 3 years, 6 months ago by JohnCleary.

    Same for me. I’m stuck on “Calling Wordfence API v2.23[…]action=send_net_404s”. Like bosh, WF scan is hanging at different stages each time.

    If someone gets a response from 1&1 about the issue, please come back and post here.

    Reply from 1&1: it was a mistake, they are sorry :p

    Yes JoomGeek, but now the WF scans are hanging :/

    I wrote to 1&1 but no answer yet.

    UPDATE. SCAN NOW RUNNING CLEAN. VERY FAST.

    FOR NOW …PROBLEM SOLVED 🙂

  • The topic ‘Malware in /wflogs/attack-data.php?’ is closed to new replies.