Thank you for the feedback. This is not a bug and there are some very good reasons to not delete the files:
In many cases the infected file is included or required by other files on the site. If the file is deleted before the references to it are removed from all other files, then it could cause an error on your website that might break the site or even prevent the rest of the repair from completing successfully. So I decided that removing the malicious contents from the file is the safest way to complete the repair and also prevents the website from crashing.
Some malicious files are pinged regularly by bots or checked by the hacker’s automated scripts. Deleting those files would cause your WordPress install to handle all those malicious pings and return your 404 page, which will needlessly burden your server with all that unnecessary overhead and send up red flags to your hacker that you need to be hacked again. By leaving the files empty those pings will return a 200 response (indicating that all is well) even though they will run no code and take no resources from your server.
There are also some types of infections that are embedded somewhere else on the server and are frequently scanning the filesystem to see if all the planted malware files are still present and immediately replacing them if they are gone, so it can sometimes help to prevent reinfections from a cross-contaminated site to leave the empty files there as placeholders so that they don’t get rewritten.
All of these conditions are only relevant some of the time, and in many cases these files can be deleted without ill effects, but there is also no threat, no danger, and no problems caused by leaving these empty files on the system. I know that it may look scary or ugly to see files with weird names in a directory where you know those files should not be, but I choose to err on the side of safety and leave the empty files in place. Most WordPress admins and content creators will never even know that the files are still there, but for those sysadmins and developers who look at the files on the server and have a personal issue with the clutter or the eyesore of leaving those empty files on the system, they generally also have the skills to remove them if they feel that the reasons for deleting them outweigh the reasons for leaving them.
There is a nice little command that will clean up all the empty files in one go if you want an easy way to clean up after an infection is dealt with:
find /path/to/public_html -type f -size 0 -name "*.php" -delete
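As an added example (not part of the original post or the plugin's code): a dry-run variant of the cleanup above that keeps any empty placeholder whose file name still appears on an include/require line elsewhere in the tree, which is the first reason given for not deleting. The function names and the sample tree are constructed for illustration, and the reference check is a heuristic that only sees literal file names, not paths built from variables.

```shell
#!/bin/sh
# Added example: review zero-byte PHP placeholders before removing them.

# Exit 0 if an include/require line in a PHP file under ROOT mentions
# FILE's base name. Substring match, so it errs toward keeping the file.
is_referenced() {   # usage: is_referenced ROOT FILE
    grep -rhE --include='*.php' '(include|require)(_once)?' "$1" 2>/dev/null |
        grep -qF -- "$(basename "$2")"
}

# Print "KEEP <file>" or "REMOVE <file>" for each empty *.php under ROOT.
# Deletes only when the second argument is the literal word "delete".
# Limitation: file names containing newlines are not handled.
review_empty_php() {   # usage: review_empty_php ROOT [delete]
    find "$1" -type f -size 0 -name '*.php' | sort | while IFS= read -r f; do
        if is_referenced "$1" "$f"; then
            echo "KEEP $f"
        else
            echo "REMOVE $f"
            if [ "${2:-}" = delete ]; then rm -f -- "$f"; fi
        fi
    done
}

# Constructed sample tree: one emptied file still required by theme code,
# and one orphaned placeholder with a random-looking name.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/themes/demo"
    : > "$d/wp-content/themes/demo/helper.php"
    : > "$d/wp-content/x9k2.php"
    printf '%s\n' '<?php require_once __DIR__ . "/helper.php";' \
        > "$d/wp-content/themes/demo/functions.php"
    echo "$d"
}
```

Run `review_empty_php /path/to/public_html` first to read the list, then repeat with `delete` as the second argument once the REMOVE entries look right.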