• Resolved ragingeagle

    (@ragingeagle)


    I’m new to WP/Cerber. Installed free version. It immediately stopped hacking. Purchased pro version. Quick Scan report provided one “high” risk finding:

    /wp-content/wflogs/rules.php Suspicious Code Found, Unable to Delete

    Suspicious code signatures found
    Line 382: 2.9.4.116
    Line 745: 2.3.6.1
    Line 2582: 192.200.108.100

    A suspicious external IPv4 address found. Can cause data leakage. (IPV4)

    Ran Whois on these URLs
    2.9.4.116: https://www.whois.com/whois/2.9.4.116
    2.3.6.1: https://www.whois.com/whois/2.3.6.1
    192.200.108.100: https://www.whois.com/whois/2.3.6.1
    This URL comes back to a business: Organization: GorillaServers, Inc. (GORIL-3)
    Examination of the “rules.php” file reveals code (I don’t understand) referring, primarily, to whitelists and blacklists.

    Have searched forum entries until head aches but cannot determine if this file is something to be worried about.

    Additionally, scan reported “medium” threat:
    /.htaccess contained:
    Suspicious directives found
    Line 42: https://%{REMOTE_ADDR}/$

    A suspicious redirection to another, probably phishing website. (RWEB)

    I don’t have the knowledge to know if these problems – particularly the undeletable one – should be of concern.

    thank you
    RE

  • Plugin Author gioni

    (@gioni)

    Hi! You can delete /wp-content/wflogs/rules.php if you don’t use Wordfence. The better approach is to delete inactive plugins from within the WordPress dashboard so that they can clean up their leftovers.

    Also, enable “Change file permissions when necessary” in the scanner settings and try to delete undeleted files.

    Thread Starter ragingeagle

    (@ragingeagle)

    Thank you Gioni.
    I do still have Wordfence activated and do not have any old, undeleted plugins. Does Wordfence cause any conflicts with Cerber that would indicate I should remove Wordfence? If not I’ll just “ignore” that particular threat as it appears it’s part of Wordfence.

    Should I also “ignore” the “suspicious directives”
    “Line 42: https://%{REMOTE_ADDR}/$”
    in the “/.htaccess” file (medium threat) also?

    Thank you again for your assistance
    RE

    Plugin Author gioni

    (@gioni)

    Two security plugins can conflict with each other. This is obvious, right? So if you have Wordfence active, add that issue to the Ignore list. If you recognize the IP address in .htaccess, you can ignore the second issue too.

    Thread Starter ragingeagle

    (@ragingeagle)

    Thanks Gioni, close this one out.
    Terry

  • The topic ‘Cerber Quick Scan-Unattended file suspicious code’ is closed to new replies.