Malware in /wflogs/attack-data.php?

AMX
(@lightscapes)

8 years, 11 months ago
Hi,
My hosting company has informed me that this path contains malware and they restricted access to this file. I tried to download it through FTP, I got disconnected a few times but finally succeeded.

wp-content/wflogs/attack-data.php

In Notepad++ this file looks like this:

<?php exit(‘Access denied’); __halt_compiler(); ?>
wfWAF NULNULNULNULNULNULœNULNULNUL…
and several pages of NULNUL….
Normal Notepad shows empty spaces instead of NUL.

I checked the same file on another website and on another host. They are all the same and have 40.083 bytes.

Is it a false alarm or something to worry?
Wordfence hasn’t recorded any admin logins from suspicious IPs. My FTP password is long and difficult to brute-force.
- This topic was modified 8 years, 11 months ago by AMX.

Viewing 15 replies - 1 through 15 (of 77 total)

1 2 3 4 5 6 →

JoomGeek
(@fupfac)

8 years, 11 months ago

I received the same notification. I guess you’re in 1&1 too. Any update wordfense ?

Thread Starter AMX
(@lightscapes)

8 years, 11 months ago

Yes, indeed, I use 1&1.

JoomGeek
(@fupfac)

8 years, 11 months ago

I received the same warning there is a similar post here https://wordpress.org/support/topic/files-in-wflogs-directory-hacked/#post-8933134 I had a look into the file but I don’t see anything that looks like a hack (I’m not a codder neither). Let see what they say

Alex
(@mheob)

8 years, 11 months ago

Same here with 1&1.

t1nobby
(@t1nobby)

8 years, 11 months ago

Same here. 1&1.

JohnCleary
(@johncleary)

8 years, 11 months ago

Same here. Also with 1&1. I’ve forwarded the email to [email protected]

bosh
(@bosh)

8 years, 11 months ago

yep. Just got the email warning, Im on 1&1.

witherslack
(@witherslack)

8 years, 11 months ago

yep, me too. 1and1

Klaus69
(@klaus69)

8 years, 11 months ago

Same here with 1&1. I think it is false alarm, I compared with files on other installations, one I found changed last time back in Jan., exactly same file sizes.

However, the content of the file looks very strange, as described by lightscapes.

JoomGeek
(@fupfac)

8 years, 11 months ago

1&1 says they desactivated the file. It may explain why we don’t see what’s inside the /attach-data.php

I think that

1- Either 1&1 go via keyword and when they see a file called /attack-data.php (that would be a very stupid name for an attack by the way) updated (most likely wordfense updates it alone) they freak out
2- There was a real attack

Let see who gets the solution first
peripateticfrasmotic
(@peripateticfrasmotic)

8 years, 11 months ago
Same notification here – 1&1 again… any ideas?

Was there a real attack that WF intercepted and stored data to be analysied remotely that 1&1 have now picked up as a ‘new’ attack because it was stored on the server?
- This reply was modified 8 years, 11 months ago by peripateticfrasmotic.
Thread Starter AMX
(@lightscapes)

8 years, 11 months ago
I think they only isolated this file, changed the permissions, but you can still download it. I also have 2 new sites on Siteground, 2 weeks old, still in maintenance mode and this file from those sites looks the same to me as the one on 1&1.

On the other hand, I find it good that they actually scan my webspace for malware, even if it should turn out to be a false alarm.
- This reply was modified 8 years, 11 months ago by AMX.
- This reply was modified 8 years, 11 months ago by AMX.
langhof
(@langhof)

8 years, 11 months ago

Dito (1&1) I think, it’s a false report.

hmkay
(@hmkay)

8 years, 11 months ago

I received the same warning from 1&1 today.

wp-content/wflogs/attack-data.php

Klaus69
(@klaus69)

8 years, 11 months ago

@lightscapes here I disagree. When they cause thousands of false alarms, they cause stress and useless work. My clients also get these emails, and are of course alarmed by it.

Strange anyway: On two of my websites it has access rights 660. On another one – but NOT the one for that the mail was sent! – it is 200, and this can therefore not be downloaded anymore.