• Resolved Barbarianmonkey

    (@barbarianmonkey)


    Hey,

    The Wordfence config files in my installation seem to get infected far too often, and by the same malware by the looks of it. It appends a massive amount of garbled text (base64 encoded or something) onto the config files for Wordfence. This happens every few days. I’ve attached a screenshot of a file that’s currently infected.

    View post on imgur.com

    If needed, you can find the entire text body as a comment on the imgur link provided.

    The config files have the following permissions and are owned by www-data:
    attack-data.php – 660
    config-livewaf.php – 660
    config-synced.php – 660
    config-transient.php – 660
    config.php – 660
    GeoLite2-Country.mmdb – 755
    ips.php – 660
    rules.php – 664

    The infection can happen to any of these files that are owned by www-data. All the rest of my files are owned by ubuntu. Those owned by ubuntu don’t get infected.

Viewing 1 replies (of 1 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @barbarianmonkey

    You can delete the wflogs directory containing the firewall configuration files and it will be automatically regenerated on any page load.

    Then you will have to run through the Learning Mode process again though.

    You will also have to run through our site cleaning guide.

    Thanks.

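A triage check for the symptom described in this thread, added here as an example (it is not part of either post and is not Wordfence code): it scans a directory such as wflogs for files containing a long run of base64-like text and reports each file's mode, owner and whether the run sits at the end of the file. The 512-character threshold and the default path `wp-content/wflogs` are assumptions; tune the threshold against a known-clean copy.

```python
import re
import stat
from pathlib import Path

# Assumption: 512+ consecutive base64-alphabet bytes is unusual in these files.
MIN_RUN = 512
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)


def scan_dir(directory):
    """Return one finding per regular file that contains a long base64-like run."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        # Keep only the longest run per file; that is enough to flag it for review.
        longest = max(B64_RUN.finditer(data),
                      key=lambda m: len(m.group()), default=None)
        if longest is None:
            continue
        st = path.stat()
        findings.append({
            "file": path.name,
            "mode": oct(stat.S_IMODE(st.st_mode)),  # e.g. 0o660
            "uid": st.st_uid,                       # compare with the web server user
            "offset": longest.start(),
            "run_length": len(longest.group()),
            # True when nothing but whitespace follows the run (appended data).
            "at_end_of_file": longest.end() >= len(data.rstrip()),
        })
    return findings


if __name__ == "__main__":
    import sys
    # Default path is an assumption; pass the real wflogs location as argument 1.
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/wflogs"
    for finding in scan_dir(target):
        print(finding)
```

Run it before deleting the directory so the flagged files, their modification times and the web server logs around those times can be kept for the cleanup.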