Firewall Log – Bot Accessing PHP Script That Never Existed?

  • Resolved othniel543

    (@othniel543)


    1 month, 3 weeks ago

    I have this strange entry on the firewall log. I have full WAF enabled. It is saying someone accessed a PHP script that was modified/created less than 10 hours ago, however this script is not (and never was) in the location it says it’s in–at least from what I can tell. I also have monitoring enabled and there was no notification of this file being created or modified. Does someone understand what’s going on with this?

    There was another log entry that was exactly the same, except a different IP address and a different PHP script file name. But the same long name with lots of numbers and letters.

    Much appreciated!

    20/Oct/25 13:18:13 #7846517 INFO - 5.161.177.123 POST /561cb3077828e481404e23aacce558ddca09259b8a9bfe7fac714997c0e72094.php - Access to a script modified/created less than 10 hour(s) ago -
    20/Oct/25 13:18:22 #2858706 MEDIUM - 5.161.177.123 POST /wp-admin/admin-ajax.php - Blocked access to admin-ajax.php - [bot detection is enabled]
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor bruandet

    (@bruandet)

    1 month, 3 weeks ago

    You can check your server HTTP log to see what happened at 13:18:13 on October 20. You will likely see the file.
    Maybe there’s a plugin that created a temporary file? The name looks like a sha256 hash. You can try to scan all PHP files in your wp-content/plugins and wp-content/themes folders, and search for the sha256 pattern. Maybe you’ll find the plugin/theme that created it.

    Thread Starter othniel543

    (@othniel543)

    1 month, 3 weeks ago

    That helps, thank you! Yes, I think it’s a temporary file created by a plugin.

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.