Unknown .mx files found by scan

  • Resolved crumblingcalcite

    (@crumblingcalcite)


    3 years, 9 months ago

    Thank you for the awesome plugin!

    I’m having a strange issue and I’m not sure if it’s related to Wordfence or not, but would love some suggestions if you have any. It’s a bit complex, but I’ll try and keep it short.

    Basic Info:
    Linux, Apache
    PHP 7.3.20
    Wordfence Version 7.4.9 (1594219913)
    WordPress 5.4.2

    Starting on July 12th, Wordfence found approximately 750 Unknown files (that start with .mx in the file name) on a site I manage for a client of mine.

    The strange files are throughout the public_html folder, including WordPress Core, Plugin and Theme folders. Wordfence found/warns about approximately 750 files (with a Standard & High Sensitivity Scan), but a general search for .mx files within the public_html folder returns around 6-7 thousand files.

    The strange files follow this naming format: .mx.########.mx where the #s are an 8 digit incremental number starting with 11. So for an example: .mx.11401215.mx

    The files themselves appear to be direct copies of WordPress files – I’ve compared a few to a fresh download of WordPress and they’re exact matches.

    After some testing, I found out that the timestamp on the files all correspond to the start time of a Wordfence scan. If I delete the files they don’t reappear until another scan is performed.

    Nothing specific was changed on July 12th that I know of and it doesn’t directly correspond with the release date of Wordfence version 7.4.9 on July 8th, which makes me think the underlying issue may be with my hosting?

    The hosting company wasn’t helpful, but did say there was a permission issue with the hosting account, which they supposedly fixed. I don’t know if they actually fixed it, since the strange file issue persists. I don’t know exactly how the Wordfence scan functions technically but could the unknown files be related to a permissions issue when scanning? I don’t see anything directly related in the error logs.

    Thanks for any help!

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Support wfphil

    (@wfphil)

    3 years, 9 months ago

    Hi @crumblingcalcite

    We have seen a few other cases of this. Who is your hosting provider please to help us track this?

    The number between .mx and .mx appear to be the inode numbers of the original files and something on the server is generating these MX files when the scanner reads these files.

    Please escalate your ticket with your hosting provider to investigate and let us know the outcome.

    Thread Starter crumblingcalcite

    (@crumblingcalcite)

    3 years, 9 months ago

    Hi @wfphil

    Thank you very much for your quick reply and your thoughts on what’s going on.

    The website is hosted with HostMonster.

    I’ll reach out again to the hosting company and send them what you said. Hopefully they’ll be able to fix it. I’ll let you know what happens.

    Thanks again.

    Plugin Support wfphil

    (@wfphil)

    3 years, 9 months ago

    Hi @crumblingcalcite

    Thank you for the update.

    Please keep me posted if your hosting provider finds out what is causing the file generation.

    Plugin Support wfphil

    (@wfphil)

    3 years, 8 months ago

    Hi @crumblingcalcite

    We are speaking with a contact at EIG that own HostMonster. Can you let me know your domain name that has this issue via email to wftest [at] wordfence [dot] com.

    Add your forum user name @crumblingcalcite in the email subject field and let me know here when the email has been sent so that I can look for it.

    Thanks.

    Thread Starter crumblingcalcite

    (@crumblingcalcite)

    3 years, 8 months ago

    Hi @wfphil

    I just sent an email with the domain name.

    Thank you for your help.

    Plugin Support wfphil

    (@wfphil)

    3 years, 8 months ago

    Hi @crumblingcalcite

    Thank you for the update.

    Thread Starter crumblingcalcite

    (@crumblingcalcite)

    3 years, 8 months ago

    Hi @wfphil

    I reached out to the hosting company and after a few hours I was able to explain what was going on. In case it helps someone else out in the future – in the end I literally had to show them what was happening. I had them watch some of the .mx files, then I deleted them, then I started a Wordfence scan (which made the files reappear) and then I had them confirm that the .mx files had reappeared. After that they decided to escalate the ticket.

    A couple of days later we received an email followup:

    “Thank you for contacting support. I’m responding to the ticket ######. I sincerely apologize for the delay in the response. Thank you for your understanding and cooperation. This ticket is raised since you r hosting account is generating .mx.########.mx files in the account. I do apologize to you if you experience any inconvenience due to this issue. I understand your concern related to the hosting account security. I’m glad to review your request and help you.

    I have reviewed your ticket notes. I was able to replicate the issue reported in the ticket. I have investigated more about this issue, reviewing other cases with similar example. As per our internal tracker we did receive an ERT from WordFence directly stating that this is happening to several of their clients.

    We are currently tracking accounts with similar issue to get more information about the cause for this issue. From our present research we are advised that these files are copy of php files that are scanned. These files are not malicious. So if you don’t want them, I request you to remove them manually from the account. Please note that we are currently aware of this issue and we are tracking the similar account with this issue to come to a conclusion.

    I thank you for the opportunity to assist you today. If you have any concern related to the ticket or want to convey any message to us, you could reply back to this email with complete details. We are happy to review it and help you.”

    They haven’t mentioned anything yet about the root cause or a fix, so I guess it’s now a waiting game.

    Thanks again for the help.

    ankitdarda

    (@ankitdarda)

    3 years, 8 months ago

    I am having similar issue. This will be helpful to know.
    our website http://www.jcstl.org is hosted on bluehost.com

    • This reply was modified 3 years, 8 months ago by ankitdarda.
    Plugin Support wfphil

    (@wfphil)

    3 years, 8 months ago

    Hi @crumblingcalcite

    Thank you for the update.

    We are still in communication with EIG that own HostMonster and as soon as we have definitive answers from them then I can let you know.

    @ankitdarda the same applies to you as Bluehost is also owned by EIG.

    blmurch

    (@blmurch)

    3 years, 8 months ago

    Hello. I have the same issues. We are hosted with BlueHost. What information would be helpful to help debug? I just got an email for the first time on August 4th.

    Alert generated at Tuesday 4th of August 2020 at 06:29:46 PM

    See the details of these scan results on your site at: https://coup53.com/wp-admin/admin.php?page=WordfenceScan

    High Severity Problems:

    * Unknown file in WordPress core: wp-includes/.mx.54920526.mx
    * Unknown file in WordPress core: wp-includes/.mx.54920531.mx
    * Unknown file in WordPress core: wp-includes/.mx.54920544.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919963.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919964.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919965.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919966.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919967.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919968.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919970.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919972.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919973.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919974.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919975.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919976.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919977.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919978.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919980.mx
    * Unknown file in WordPress core: wp-includes/widgets/.mx.54919981.mx

    Plugin Support wfphil

    (@wfphil)

    3 years, 8 months ago

    Hi @blmurch

    As noted in my last reply, no information required thanks as we are already in communication with EIG that own Bluehost and as soon as we have definitive answers from them then I can let everyone know here.

    Plugin Support wfphil

    (@wfphil)

    3 years, 8 months ago

    @blmurch

    EIG, that own Bluehost, have said that the MX files are being created by a server-side malware scanner called Monarx and that the MX files will be removed from your hosting account automatically. We asked EIG how quickly the MX files should be removed and we were still waiting for a response one week later. The current course of action that you have if these MX files are being reported in your Wordfence scan results is to manually delete them from your hosting account.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Unknown .mx files found by scan’ is closed to new replies.