• Resolved drmrgood

    (@drmrgood)


    Hi to all of you!
    First I need to say that your plugin is great!
    I use the free version.
    Today I got a positive malware scan on one of the Wordfence files.
    The file is: wp-content/wflogs/index.php.
    Scan says this: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: wfconfig’;\x0d\x0a\x09\x09\x09\x09if ( $wpdb->get_var( “SHOW TABLES LIKE ‘{$a5e5b45b88a2c361714f8a054befe5df1}'” ) == $a5e5b45b88a2c361714f8a054befe5df1 ) {\x0d\x0a\x09\x09\x09\x09\x09$ae6dbc64714a026ab1ddfa9bf42689cb3 = $wpdb->get_row( “S…

    What to do now?
    Is this a false positive or not?

    BR


Viewing 4 replies - 1 through 4 (of 4 total)
  • This is most likely not a false positive. 99% of the time, only hackers use hex encoded function names. I would take the site down for maintenance and begin clearing out hacked files. If you didn’t put that file there, I would say there is a high likelihood that your site has been compromised.

    Are you comfortable with providing a pastebin.com link to the contents of the wp-content/wflogs/index.php file? I’d like to see what all is in it.

    Thread Starter drmrgood

    (@drmrgood)

    All of a sudden the file index.php placed in wp-content/wflogs folder no longer exists.

    Plugin Support wfscott

    (@wfscott)

    Hello, @drmrgood.

    I would not expect to see that file or contents in the wflogs folder. As a last resort, you can delete the wflogs folder itself (I would make a local backup of it) and the folder will regenerate the contents; however, keep in mind you will lose some block data and the protection will go into Learning Mode. I would then recommend you switch from Learning Mode to Enabled and Protecting via Wordfence > Firewall > All Firewall Options > Web Application Firewall Status.

    I would recommend running a high sensitivity scan (Wordfence > Scan > Scan Options and Scheduling) to see if anything else suspicious is found, then if need be, consider having a site cleaning or audit done to further check for malware.

    Please let me know if you have any questions.

    Scott
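
Added example, not part of the thread and not Wordfence code: a triage script that looks through a directory tree for other PHP files using the same identifier shape as the matched text above (`$`, one letter, then 32 hex digits) and records a SHA-256 for each hit. The function names, the two-name threshold and the sample files are assumptions made for illustration; a hit is a lead for manual review, not a verdict.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Variable names shaped like the ones in the matched text: "$", one letter,
# then 32 hex digits (an MD5-sized string used as an identifier).
HEX_VAR = re.compile(rb"\$[A-Za-z_][0-9a-f]{32}\b")


def triage_file(path, min_distinct=2):
    """Return a finding dict if the file uses several hash-like variable names."""
    data = Path(path).read_bytes()
    names = sorted({m.group().decode() for m in HEX_VAR.finditer(data)})
    if len(names) < min_distinct:  # assumed threshold; one such name is weak evidence
        return None
    return {
        "path": str(path),
        "sha256": hashlib.sha256(data).hexdigest(),  # for later comparison
        "distinct_names": len(names),
        "touches_wpdb": b"$wpdb" in data,  # the matched text queried the database
    }


def scan_tree(root):
    """Check every .php file under root and return the findings, sorted by path."""
    hits = (triage_file(p) for p in sorted(Path(root).rglob("*.php")))
    return [h for h in hits if h]


def demo():
    """Build a constructed two-file tree and scan it (no real site data)."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp, "wp-content", "wflogs")
        logs.mkdir(parents=True)
        # Constructed sample reusing only the identifier shape from the scan message.
        (logs / "index.php").write_text(
            "<?php $a" + "0" * 32 + " = 'x'; $a" + "1" * 32 + " = $wpdb->prefix;"
        )
        (logs / "clean.php").write_text("<?php $count = 1; $name = 'ok';")
        return [(Path(f["path"]).name, f["distinct_names"], f["touches_wpdb"])
                for f in scan_tree(tmp)]


if __name__ == "__main__":
    print(demo())
```

To use it on a real site, call `scan_tree()` on a local copy of `wp-content` rather than the live directory, and keep the reported hashes with the backup of the flagged files.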

  • The topic ‘False postoves’ is closed to new replies.