• Resolved oneklema

    (@oneklema)


    I have repeatedly received the following security warnings after scans:

    • Filename: …/public_html/stats/webalizer.current
    • File Type: Not a core, theme, or plugin file from www.remarpro.com.
    • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: cat /etc/passwd

      The issue type is: Backdoor:SH/passwdaccess.60
      Description: Theft of server password information. Also sometimes seen in a backdoor known as Liz0ziM

    Between each detection I deleted the file. Also, I visually examined the file to look for evidence of the passwd file info being inside but did not find it. Is there a way to know for sure if this is really malicious or a false positive?

    Thanks for your help!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hey @oneklema,

    Here’s your answer: Webalizer Flagged as Malicious or Unsafe

    If satisfied with the answer, please mark this topic as “Resolved.”

    Thank you!

    Thread Starter oneklema

    (@oneklema)

    Thanks for the response. I did see that post prior to making my post. It obviously seems similar but not exactly the same (no mention of etc/passwd). And that post was only resolved after the log data being analyzed. Does that post imply that all hits on webalizer.current can be safely ignored?

    Hey @oneklema,

    You should be able to solve your issues by following one or all of the following:

    1. Perform a clean uninstall of Webalizer by following these instructions (or others available online depending on your server setup), then perform a Wordfence scan to ensure the false positive is gone. Once you have confirmed the false positive is gone, then perform a clean install of Webalizer from its official website (or stop using it).
    2. “Send a diagnostic report to wftest @ wordfence.com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on Send Report by Email. Please add your forum username (@oneklema ) where indicated and respond here after you have sent it so we can be on the lookout for it.”
    3. Perform a security scan of your website (or suspected files) using one of the following malware scanners: VirusTotal, Sucuri SiteCheck, or Internxt.

    Hope this helps. If satisfied with the answer, please mark this topic as “Resolved.”

    Thank you!

    Thread Starter oneklema

    (@oneklema)

    Thanks for the info. I have submitted the email report to wftest.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @oneklema,

    I can’t find any emails tagged with your username currently in our wftest account. Please try again, or export the diagnostics as a .txt from the plugin and manually send it to our inbox.

    I do highly suspect though that Webalizer’s involvement means it’s a log file, but the signature is for a shell. There are likely some probing requests logged that this signature is picking up. It looks most likely to be a false positive as the previous thread suggested.

    It should be safe to ignore this result, as this doesn’t stop other malware checks during scans.

    Thanks,
    Peter.
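
Added example, not part of the thread and not Wordfence or Webalizer code: a Python triage helper for the question asked above. It shows whether the matched text `cat /etc/passwd` sits inside recorded request URLs (logged probing) or in something that looks like a script. The `triage` function, the query-string heuristic and the constructed samples are assumptions for illustration; the sample lines do not reproduce Webalizer's real file layout.

```python
import re
import sys
from urllib.parse import unquote_plus

SIGNATURE = "cat /etc/passwd"  # matched text quoted in the scan result

# Line-initial markers suggesting the file is code, not recorded data.
CODE_MARKERS = re.compile(r"^\s*(#!\s*/|<\?php|<\?=|<%)", re.M)
# Heuristic (assumption): text before the match is a URL or path that has
# already reached its query string, i.e. the match is a logged parameter value.
QUERY_PREFIX = re.compile(r"\s*(https?://|/)\S*[?&=;]\S*")

def triage(text, signature=SIGNATURE):
    """Locate the signature and classify the context of every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        decoded = unquote_plus(line)  # also catches %20 and + encoded forms
        idx = decoded.find(signature)
        if idx < 0:
            continue
        in_query = QUERY_PREFIX.fullmatch(decoded[:idx]) is not None
        kind = "request-data" if in_query else "other"
        hits.append((lineno, kind, line.strip()[:120]))
    return {
        "looks_like_code": bool(CODE_MARKERS.search(text)),
        "hits": hits,
        "all_hits_in_request_data":
            bool(hits) and all(kind == "request-data" for _, kind, _ in hits),
    }

# Constructed sample: recorded request URLs, each followed by counters.
SAMPLE_LOG_DATA = (
    "/index.php\n"
    "0 12 3456\n"
    "/cgi-bin/test.cgi?cmd=cat /etc/passwd\n"
    "0 1 512\n"
    "/search.php?q=cat%20/etc/passwd\n"
)
# Constructed sample: the same string as an actual shell command.
SAMPLE_SCRIPT = "#!/bin/sh\ncat /etc/passwd > /tmp/out\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to the flagged file
        with open(sys.argv[1], errors="replace") as fh:
            print(triage(fh.read()))
    else:
        print(triage(SAMPLE_LOG_DATA))
        print(triage(SAMPLE_SCRIPT))
```

A result with `looks_like_code` false and every hit classed as `request-data` is consistent with logged probing requests; any `other` hit or a code marker means the file should be read by hand before the scan result is ignored.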

    Thread Starter oneklema

    (@oneklema)

    Thank you for the reply. I have marked the post as resolved.

  • The topic ‘malicious or unsafe: stats/webalizer.current’ is closed to new replies.