Malware in /wflogs/attack-data.php?

Same here with 1&1.

I have the same email from 1&1. Looks like the “attack” was about 3:36am GMT. Using Wordfence (Free edition)

Same thing, several installations on 1&1 space but only one of them with this kind of problem.

Hacked or not? Any ideas?

Same here. Modified files in ‘wflogs’ (poss modified by 1and1) as shown:

* attack-data.php contains this (as shown, which also seems to generate a lot of white data when copied and pasted!):
<?php exit(‘Access denied’); __halt_compiler(); ?>
wfWAF

* config.php has this at the top of what looks like a normal file:
<?php exit(‘Access denied’); __halt_compiler(); ?>

* ips.php has this at the top, with what looks like normal binary code underneath:
<?php exit(‘Access denied’); __halt_compiler(); ?>

* rules.php has this above probable normal code:
<?php
if (!defined(‘WFWAF_VERSION’)) {
exit(‘Access denied’);
}

Hope this helps!
Stevo

Same warning from 1&1 today
WordPress uptodate
Wordfence Free
File already existed before, date has changed but content is the same !

• This reply was modified 7 years, 8 months ago by pimounet.

Looked at a previous thread & this is the answer from the plugin author

Files are modified when plugins are updated and when plugins perform certain functions. It is normal to see the /wflogs/attack-data.php in that list because that file is updated when your Wordfence Firewall is working.

Possibly just a false alarm?
Had email from client first thing who had email from 1and1.

Same warning from 1&1 today
WordPress uptodate
Wordfence Free

Also binary data in the file starting with wfWAF

I called 1und1 but at least 1st level support had no clue and insisted this is no false alert but couldn’t contact tech staff to confirm. I’m trying it again later this day

Also have 2 sites on 1&1 reported same issue. I had to change the permissions from 200 to 644 to download. this is contents:

<?php exit(‘Access denied’); __halt_compiler(); ?>
wfWAF

UPDATE: I deleted the WF plugin, removed the wflogs folder, and reinstalled WF (Premium).

I have run a scan but it’s stuck here (poss to do with 1and1 file mods/blocks) :
[Mar 20 08:12:30]
Scanning file contents for infections and vulnerabilities
[Mar 20 08:12:30]
Scanning files for URLs in Google’s Safe Browsing List

1and1 already corrected this issue with the non-hacked-wf files. They say that the files can be unlocked by the user in ~3hours (file-permissions back to 604 or anything that works) from now on..

I’ve just received a reply by 1&1 support. They apologized for sending false alarms regarding attack-data.php (Wordfence). They will adjust their scanner.

Thanks for the updates guys! If you experience any issues after the Wordfence files in wflogs were on lock down by your host 1&1, just delete the wflogs folder. It will be recreated the next time any page on your site is visited. Note that you will need to go in and set the Firewall back to “Enabled and protecting” as it will default to “Learning mode” when you delete the wflogs folder.

Hope it all works out from here but let us know if it doesn’t.

HI,
Same here. Got a Mail from 1&1.
Looking with WinSCP and Editor to the same File attack-data.php shows different Content. I took a screenshot to show it.
And yes if I mark in WinSCP all the content of the file there are a lot of blancs after the code.

Thanks wfasa for the very useful plugin! ??

Thanks @wfasa