• Resolved analbeard

    (@analbeard)


    I run Wordfence on one cPanel account on my server, and since the 9th of October I’ve been receiving regular emails from LFD (part of the CSF firewall) that there are suspicious files being created in /tmp. These are always of the name config.tmp.phFxui or attack.tmp.phFxui, and after some research I discovered that similarly-named files also exist in Wordfence’s local tmp dir.

    Could anyone explain why this is happening? It’s definitely new behaviour. I’m on Version 6.2.2.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi!
    When the Firewall is working, it writes to those files, so what you are seeing is likely the temp files created when those files are written to. I’m not sure why it would only be happening since the 9th of October. Did you enable the Wordfence Firewall recently? If not, it’s possible that we added some rule that the CSF Firewall is reacting to. I’m really curious about the file extension; I don’t think I’ve ever seen that before. Is that a setting particular to your system?

    Thread Starter analbeard

    (@analbeard)

    Hi, thanks for getting back to me!

    So Wordfence has been active on this install for nearly a year now, and I’ve not touched any settings in months. I do have my plugins set to update automatically overnight if a newer version is available, so I assumed (rightly or wrongly) that an update had changed some behaviour.

    My Wordfence config is pretty vanilla, so I don’t think it’s anything I’ve enabled. Should Wordfence even want to use /tmp, instead of its own tmp dir?

    Here’s a small sample of some of the files in /tmp:

    
    attack.tmp.104qOG
    attack.tmp.114pcP
    attack.tmp.1167wn
    attack.tmp.130SRv
    attack.tmp.14uo6x
    attack.tmp.15SuNg
    attack.tmp.17ve3z
    attack.tmp.18xIGH
    attack.tmp.198Hpk
    attack.tmp.1AazTu
    
    config.tmp.zXk7lp
    config.tmp.zxqKVl
    config.tmp.Zxqy06
    config.tmp.zXt8mt
    config.tmp.zxTZvn
    config.tmp.Zxy3ab
    config.tmp.zy2b29
    config.tmp.ZY7J6z
    config.tmp.zyazvt
    config.tmp.ZycZgW
    

    Currently there are now none of these files in wp-content/plugins/wordfence/tmp.

    Thanks!

    Hi again!
    Okay, so the temp files get random file extensions. That explains that.

    The reason Wordfence uses the temp directory on your server is that the Wordfence Firewall needs to write to files. The reason it needs to do this is that it loads before all other PHP code on your server, and at that point there is not yet a connection to your database. So in order for the Firewall to have any memory at all, it needs to save things directly to file. Any writing to file will create files in your server’s temp directory. So if you want to run the Firewall, there isn’t really a way around it.

    Is this the additional Firewall you are using?

    https://configserver.com/cp/csf.html

    Thread Starter analbeard

    (@analbeard)

    Sure, I’ve no issues with Wordfence using /tmp if it’s necessary, but I just find it odd that the behaviour has changed recently.

    Yes, that’s what I’m using (and LFD which generates the emails is part of CSF).

    Thanks! I suspect it started happening now either because of new rules added to CSF Firewall or new rules added to Wordfence Firewall. I’ll notify our devs just in case they want to make any adjustments.
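
A triage sketch for the LFD alerts discussed in this thread, added here as an example and not code from Wordfence, CSF or any poster: it lists files in a directory whose names match the shape in the sample listing and flags any that are not regular files, have an unexpected owner, or carry executable or world-writable bits. The 6-character suffix pattern (inferred from the listing), the `triage` and `demo` names, and the constructed sample directory are assumptions.

```python
import os
import re
import stat
import tempfile

# Name shape taken from the thread's sample: "attack" or "config", ".tmp.",
# then a 6-character alphanumeric suffix (assumed from the listing).
NAME_RE = re.compile(r"^(attack|config)\.tmp\.[A-Za-z0-9]{6}$")

def triage(directory, expected_uid):
    """Return {filename: [findings]} for entries whose names match NAME_RE."""
    report = {}
    for entry in os.scandir(directory):
        if not NAME_RE.match(entry.name):
            continue
        st = entry.stat(follow_symlinks=False)  # lstat: never follow links in /tmp
        if not stat.S_ISREG(st.st_mode):
            # Symlink, FIFO, directory etc. using the same name shape.
            report[entry.name] = ["not a regular file"]
            continue
        findings = []
        if st.st_uid != expected_uid:
            findings.append("unexpected owner uid %d" % st.st_uid)
        if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append("executable bit set")
        if st.st_mode & stat.S_IWOTH:
            findings.append("world-writable")
        report[entry.name] = findings
    return report

def demo():
    """Triage a constructed directory (does not touch the real /tmp)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("attack.tmp.104qOG", "config.tmp.zXk7lp", "notes.txt"):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, 0o600)
        # Constructed anomalies: an executable file and a symlink.
        os.chmod(os.path.join(d, "config.tmp.zXk7lp"), 0o755)
        os.symlink(os.path.join(d, "notes.txt"),
                   os.path.join(d, "attack.tmp.AAAAAA"))
        return triage(d, os.getuid())

if __name__ == "__main__":
    for name, findings in sorted(demo().items()):
        print(name, "->", "; ".join(findings) or "ok")
```

On a real server, `expected_uid` would be the uid of the cPanel account that runs the site's PHP, and an empty findings list only means the file looks like an ordinary temp file for that account.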

  • The topic ‘Wordfence creates files in global /tmp’ is closed to new replies.