• Resolved Jeffrey2915

    (@jeffrey2915)


    A site I manage which is protected by WordFence was suspended by my Linux host today with the following partial explanation:

    “This email is to inform you that our internal systems have identified potential malware active on your account.

    The following file(s) have been affected:
    ###
    {CAV}Atomicorp.PHP.Malware.051217140223.21012 found for /home/xxxxxxx/public_html/wp-content/wflogs/config.php
    ###

    I assume “Atomicorp” is the scanning software they’re using. Presently I can only access the site via cPanel. I’ve replaced the file in question with a fresh copy from 2 days ago and am awaiting the host to unlock the site.

    I’ve also sent both versions of the file to [email protected] with a reference back to this post. You’ll see that the latest (hacked) version is significantly larger than the previous version, and contains hundreds of additional lines.

    1. Assuming the site is cleared by my host, what should I do most immediately to secure the site?

    2. What do you suggest to prevent future hacking of this WordFence file?

    Thank you!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi @jeffrey2915

    You did the right thing by sending both files to the email address you mentioned; our team will investigate these files and act upon that.

    There is another possibility that this is a false positive detection by the software mentioned; your web host can judge on that as well.

    You can also delete the whole wflogs directory (after backing it up), and you will notice that a fresh new copy will be regenerated once you reload any of the plugin’s options pages. Make sure to switch the firewall status to “Enabled and Protecting” after that.

    Thanks.

    denisdenis

    (@denisdenis)

    My server shows this as a false positive:

    ./public_html/wp-content/wflogs/config-transient.php

    Please, should I take the same action?
    Thanks

    I have a similar issue with a site hacked by what looks like Russian spam, redirecting the WordPress site to spammy ad sites, malware sites, etc.

    /wflogs/ stands out as the main directory with recent changes on the server.

    Did WordFence get hacked?

    Did Wordfence get hacked? Because I am seeing the same on wp-content/wflogs/config-transient.php and wp-content/wflogs/config-livewaf.php

  • The topic ‘wflogs/config.php hacked’ is closed to new replies.