Malware in /wflogs/attack-data.php?

  • AMX

    (@lightscapes)


    7 years, 8 months ago

    Hi,
    My hosting company has informed me that this path contains malware and they restricted access to this file. I tried to download it through FTP, I got disconnected a few times but finally succeeded.

    wp-content/wflogs/attack-data.php

    In Notepad++ this file looks like this:

    <?php exit(‘Access denied’); __halt_compiler(); ?>
    wfWAF NULNULNULNULNULNUL?NULNULNUL…
    and several pages of NULNUL….
    Normal Notepad shows empty spaces instead of NUL.

    I checked the same file on another website and on another host. They are all the same and have 40.083 bytes.

    Is it a false alarm or something to worry?
    Wordfence hasn’t recorded any admin logins from suspicious IPs. My FTP password is long and difficult to brute-force.

    • This topic was modified 7 years, 8 months ago by AMX.
Viewing 15 replies - 1 through 15 (of 77 total)

  • I received the same notification. I guess you’re in 1&1 too. Any update wordfense ?

    Thread Starter AMX

    (@lightscapes)

    Yes, indeed, I use 1&1.

    I received the same warning there is a similar post here https://www.ads-software.com/support/topic/files-in-wflogs-directory-hacked/#post-8933134 I had a look into the file but I don’t see anything that looks like a hack (I’m not a codder neither). Let see what they say

    Same here with 1&1.

    Same here. 1&1.

    Same here. Also with 1&1. I’ve forwarded the email to [email protected]

    yep. Just got the email warning, Im on 1&1.

    yep, me too. 1and1

    Same here with 1&1. I think it is false alarm, I compared with files on other installations, one I found changed last time back in Jan., exactly same file sizes.

    However, the content of the file looks very strange, as described by lightscapes.

    1&1 says they desactivated the file. It may explain why we don’t see what’s inside the /attach-data.php

    I think that

    1- Either 1&1 go via keyword and when they see a file called /attack-data.php (that would be a very stupid name for an attack by the way) updated (most likely wordfense updates it alone) they freak out
    2- There was a real attack

    Let see who gets the solution first

    Same notification here – 1&1 again… any ideas?

    Was there a real attack that WF intercepted and stored data to be analysied remotely that 1&1 have now picked up as a ‘new’ attack because it was stored on the server?

    Thread Starter AMX

    (@lightscapes)

    I think they only isolated this file, changed the permissions, but you can still download it. I also have 2 new sites on Siteground, 2 weeks old, still in maintenance mode and this file from those sites looks the same to me as the one on 1&1.

    On the other hand, I find it good that they actually scan my webspace for malware, even if it should turn out to be a false alarm.

    • This reply was modified 7 years, 8 months ago by AMX.
    • This reply was modified 7 years, 8 months ago by AMX.

    Dito (1&1) I think, it’s a false report.

    I received the same warning from 1&1 today.

    wp-content/wflogs/attack-data.php

    @lightscapes here I disagree. When they cause thousands of false alarms, they cause stress and useless work. My clients also get these emails, and are of course alarmed by it.

    Strange anyway: On two of my websites it has access rights 660. On another one – but NOT the one for that the mail was sent! – it is 200, and this can therefore not be downloaded anymore.

Viewing 15 replies - 1 through 15 (of 77 total)
  • The topic ‘Malware in /wflogs/attack-data.php?’ is closed to new replies.