• Resolved katiam

    (@katiam)


    Hi,

    I want to make sure nothing malicious is going on on my server. Basically, I am getting email alerts from my web host stating that a suspicious process is running under a cPanel account on which I have a WordPress site running Wordfence.

    The files being referenced are in a subfolder wflogs (wordfence).

    Any help most appreciated!

    The email I have received details the following:
    —————————————————————————————

    Executable:

    /usr/bin/php

    Command Line (often faked in exploits):

    /usr/bin/php

    Network connections by the process (if any):

    tcp: XXXXXXXX -> XXXXXXXXX

    Files open by the process (if any):

    /usr/local/apache/logs/error_log
    /usr/local/apache/logs/error_log
    /var/cpanel/locale/en.cdb.79762 (deleted)
    /tmp/.ZendSem.B9xDks (deleted)
    /tmp/ZCUDymDx2n (deleted)
    /dev/urandom
    /home/cpanelaccountname/public_html/websitelocation/wp-content/wflogs/ips.php
    /home/cpanelaccountname/public_html/websitelocation/wp-content/wflogs/config.tmp.HoVh4M (deleted)
    /home/cpanelaccountname/public_html/websitelocation/wp-content/wflogs/attack-data.php

Viewing 6 replies - 1 through 6 (of 6 total)
  • benfitts

    (@benfitts)

    We got some servers hacked with lots of suspicious wflogs activity. Including a new file in the root called wordfence-waf.php

    Looks like Wordfence has been targeted by a hacker.

    benfitts

    (@benfitts)

    Also you might find some new wflogs folders. I found one in the wp-content directory.

    bluebearmedia

    (@bluebearmedia)

    The file “wordfence-waf.php” in the root, and the wflogs folder in wp-content, are a legitimate part of the Wordfence firewall…

    Note: I’m not part of Wordfence support, just a long time user.

    wfalaa

    (@wfalaa)

    Hi @katiam,
    Reporting these files under the “wflogs” directory sounds like a false positive detection. These files are related to the Firewall and they tend to be modified regularly by the plugin, so you don’t need to worry about that.

    @benfitts just as @bluebearmedia mentioned, these are the Firewall files, nothing is suspicious over here.

    Thanks.
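    A small triage helper for this kind of host alert, added here as an example rather than anything from Wordfence or the thread participants: it pulls the paths out of the “Files open by the process” section and labels those that match the firewall files named above (wp-content/wflogs/* and wordfence-waf.php) as expected churn, leaving everything else marked for review. The alert text and account/site paths are constructed placeholders.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the shape of the host's alert (paths are placeholders).
SAMPLE_ALERT = """\
Executable:
/usr/bin/php
Files open by the process (if any):
/usr/local/apache/logs/error_log
/tmp/ZCUDymDx2n (deleted)
/home/acct/public_html/site/wp-content/wflogs/ips.php
/home/acct/public_html/site/wp-content/wflogs/config.tmp.HoVh4M (deleted)
/home/acct/public_html/site/wp-content/wflogs/attack-data.php
/home/acct/public_html/site/wordfence-waf.php
/home/acct/public_html/site/wp-content/uploads/wflogs/ips.php
"""

def open_files(alert_text):
    """Collect the paths under 'Files open by the process', dropping the '(deleted)' tag."""
    paths, in_section = [], False
    for raw in alert_text.splitlines():
        line = raw.strip()
        if line.startswith("Files open by the process"):
            in_section = True
        elif in_section and line.startswith("/"):
            paths.append(re.sub(r"\s*\(deleted\)$", "", line))
        elif in_section and line:
            break  # a new section header ends the file list
    return paths

def is_wordfence_waf_file(path):
    """True for wp-content/wflogs/* and for wordfence-waf.php, the files the thread calls legitimate."""
    p = PurePosixPath(path)
    if p.name == "wordfence-waf.php":
        return True
    # Only the wflogs directory directly under wp-content is the one described in the thread;
    # a wflogs directory elsewhere (e.g. under uploads) is not covered and stays marked for review.
    return p.parent.name == "wflogs" and p.parent.parent.name == "wp-content"

def triage(alert_text):
    """Map each open path to 'wordfence-waf' (expected churn) or 'review' (not explained by the WAF)."""
    return {path: ("wordfence-waf" if is_wordfence_waf_file(path) else "review")
            for path in open_files(alert_text)}

if __name__ == "__main__":
    for path, label in triage(SAMPLE_ALERT).items():
        print(f"{label:14s} {path}")
```

“review” only means the path is not explained by the firewall’s own files; it is a prompt to look, not a verdict.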

    Thread Starter katiam

    (@katiam)

    Thank you so much @wfalaa, @bluebearmedia, @benfitts most appreciated!!
    I will check to make sure there are no new files/folders etc. after your experience, @benfitts.

    benfitts

    (@benfitts)

    Yep. Those weren’t suspicious files after all. We were using the free wordfence and didn’t think anyone had turned on the firewall. In the old version I don’t think you could without a paid subscription. That is why we were confused.

    Sorry about that.

  • The topic ‘wflogs being flagged by server as a suspicious process’ is closed to new replies.