• Resolved chatmandesign

    (@chatmandesign)


    I am seeing Critical Problems similar to the following reported on several sites that have both Wordfence and BackupBuddy installed:

    File appears to be malicious: wp-content/uploads/backupbuddy_temp/dr3dt5f6cm/importbuddy.php

    As far as I can tell, the files being flagged look like legit temp files created by BackupBuddy while making backups.

    Has anyone else seen this issue? I’d like to confirm that I’m correct in believing these are false positives.

    (At least one of the sites that have been reporting this has the latest Wordfence 6.0.10 and BackupBuddy 4.1.2.2, and I believe they all do, though I haven’t individually double-checked every site.)

    https://www.ads-software.com/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 17 total)
  • Hey chatmandesign, I’m also having the same issue: Although my backupbuddy is Version 6.1.0.2 and I have the latest version of Wordfence 6.0.10

    File appears to be malicious: wp-content/uploads/backupbuddy_temp/15125h1rp3/importbuddy.php
    Filename:	wp-content/uploads/backupbuddy_temp/15125h1rp3/importbuddy.php
    File type:	Not a core, theme or plugin file.
    Issue first detected:	15 mins ago.
    Severity:	Critical
    Status	New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "ZXZhbC".

    I’m guessing this might be a false positive – from searching around the internet, hopefully the author responds back.

    We’re in discussions with backupbuddy about this. For now, choose to ignore this file in scans.

    tim

    Thread Starter chatmandesign

    (@chatmandesign)

    Thanks, Tim!

    Same problem here.

    Wordfence: Version 6.0.10
    BackupBuddy: Version 6.1.0.5

    Like persiux, Wordfence displays: “The text we found in this file that matches a known malicious file is: “ZXZhbC”.

    Hi,
    I have the same problem here, but is with the file wp-track.php
    I would like to know if is a false-positive case.
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “ZXZhbC”.

    Plugin Author WFMattR

    (@wfmattr)

    @tatianamedina, the wp-track.php file on your site is probably a different issue, and is likely to be a malicious file.

    It is best to follow the steps in the instructions below, if it is a malicious file:
    My site was hacked. How do I use Wordfence to clean it?

    If you have the option to restore the original file, you can choose that (it might be part of a plugin, since I see at least one plugin uses this filename) — but if you see the message “Not a core, theme or plugin file”, you might only be able to delete it.

    Hello,

    I’ve been seeing a lot of these notifications as well in the past month or two. Most times when I go and try to inspect the suspect file, it is already gone from the backupbuddy_temp folder. So I just ignore, or if it is still there, I just delete the file. Any update on whether or not these are legit malicious files would be great!

    Thanks,
    Jonah

    Could be because of the PACKDATA used by BackupBuddy:

    <?php /*
    ###PACKDATA,BEGIN
    ###PACKDATA,FILE_START,/_importbuddy/importbuddy/index.htm,importbuddy/index.htm
    PGh0bWw+PC9odG1sPg==
    ###PACKDATA,FILE_END,/_importbuddy/importbuddy/index.htm,importbuddy/index.htm
    ....

    which is data packed in a certain way by the importbuddy plugin and then loading using functionality function unpack_importbuddy, probably to save space and or load things quicker.

    Same issue, I would appreciate an update from either of the developers.

    WordPress 4.2.4
    Wordfence 6.0.15
    Backup Buddy 6.1.0.2

    The solution is to add *importbuddy.php* to the option to “Exclude files from scan that match these wildcard patterns” under scan options.

    tim

    I submitted a support ticket to ithemes, and this was the response I received. Without specifically saying so, it is implied that the files are NOT malicious:

    From:Thomas Oliver (iThemes Support)
    Jul 27, 13:48

    Those are just temp files. They can be deleted anytime after a backup attempt has been made. BackupBuddy does regular housekeeping on temp files at certain intervals (sorry, I can’t remember if it’s done every week or every so many days). So it should delete old temp files after a certain time. But you can still manually delete them via FTP/SFTP at anytime after any backup attempt as been made.

    Hope that helps.

    Thanks,
    Thomas

    @wfsupport – thanks for providing a suitable fix.

    @wfmattr the link is broken. I can probably find the information elsewhere, but I just wanted to notify you.

    It is best to follow the steps in the instructions below, if it is a malicious file:
    My site was hacked. How do I use Wordfence to clean it?

    Plugin Author WFMattR

    (@wfmattr)

    Ricardo,

    Thanks for the notice — the link has been fixed!

    -Matt R

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Wordfence false positives (?) from BackupBuddy’ is closed to new replies.