• AMX

    (@lightscapes)


    Hi,
    My hosting company has informed me that this path contains malware and they restricted access to this file. I tried to download it through FTP, I got disconnected a few times but finally succeeded.

    wp-content/wflogs/attack-data.php

    In Notepad++ this file looks like this:

    <?php exit('Access denied'); __halt_compiler(); ?>
    wfWAF NULNULNULNULNULNUL?NULNULNUL…
    and several pages of NULNUL….
    Normal Notepad shows empty spaces instead of NUL.

    I checked the same file on another website and on another host. They are all the same and have 40.083 bytes.

    Is it a false alarm or something to worry?
    Wordfence hasn’t recorded any admin logins from suspicious IPs. My FTP password is long and difficult to brute-force.

    • This topic was modified 7 years, 12 months ago by AMX.
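A quick way to tell a benign wflogs data file from a tampered one is to check its structure rather than relying on a host's signature scanner. The script below is an added example, not code from the thread or from the Wordfence plugin. It encodes what the post above reports about the file (the PHP exit stub, `__halt_compiler()`, the `wfWAF` marker, then mostly NUL padding) as assumptions, and the two sample files are constructed inline for the demonstration.

```python
"""Structural sanity check for a Wordfence wflogs file such as attack-data.php.

Added example, not part of the forum thread or of the Wordfence plugin.
Assumption drawn from the thread: a benign file starts with a PHP stub that
exits on direct web access, then __halt_compiler() stops PHP from parsing the
rest, then a "wfWAF" marker is followed by binary data that is mostly NUL bytes.
"""
import re

STUB = b"<?php exit('Access denied'); __halt_compiler(); ?>"
MARKER = b"wfWAF"
# any further PHP open tag after the stub means something other than the
# plugin's writer touched the file (PHP would not run it, but it should not be there)
PHP_TAG = re.compile(rb"<\?(?:php|=)")


def inspect_wflog(data: bytes) -> dict:
    """Return findings for the raw bytes of a wflogs file."""
    findings = {
        "stub_ok": data.startswith(STUB),
        "marker_ok": False,
        "nul_ratio": 0.0,
        "extra_php_tags": 0,
        "suspicious": True,
    }
    if not findings["stub_ok"]:
        # no exit stub: a direct request could expose or execute whatever follows
        return findings
    payload = data[len(STUB):]
    # tolerate a line break between the stub and the marker
    findings["marker_ok"] = payload.lstrip(b"\r\n").startswith(MARKER)
    if payload:
        findings["nul_ratio"] = payload.count(b"\x00") / len(payload)
    findings["extra_php_tags"] = len(PHP_TAG.findall(payload))
    findings["suspicious"] = not (
        findings["marker_ok"] and findings["extra_php_tags"] == 0
    )
    return findings


# Constructed samples (not real files from the thread):
# a benign-looking file: stub, marker, a few header bytes, NUL padding
BENIGN = STUB + b"\nwfWAF" + b"\x00" * 6 + b"?" + b"\x00" * 3 + b"\x00" * 64
# the same file with a second PHP tag appended after the binary data
TAMPERED = STUB + b"\nwfWAF" + b"\x00" * 40 + b"<?php echo 'injected'; ?>"

if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as fh:
            print(inspect_wflog(fh.read()))
    else:
        print("benign sample:  ", inspect_wflog(BENIGN))
        print("tampered sample:", inspect_wflog(TAMPERED))
```

Run it against a downloaded copy of the file (`python check_wflog.py attack-data.php`); a file that keeps the stub and the marker, is mostly NUL bytes and carries no second PHP tag matches what everyone in this thread observed. A missing stub or an extra `<?php` tag is the thing actually worth escalating.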
Viewing 15 replies - 31 through 45 (of 77 total)
  • Many customers also got this email, would consider a false positive by some internal 1&1 scanner?

    I deleted the wflogs folder and then changed the firewall back to “Enabled and protecting” and am running a new scan now, but it seems to hang on additional files:

    [Mar 20 09:06:57] Scanned contents of 235 additional files at 3.70 per second
    [Mar 20 09:06:58] Scanned contents of 237 additional files at 3.67 per second
    [Mar 20 09:06:59] Scanned contents of 255 additional files at 3.89 per second
    [Mar 20 09:07:00] Scanned contents of 289 additional files at 4.33 per second
    [Mar 20 09:07:01] Scanned contents of 305 additional files at 4.49 per second
    [Mar 20 09:07:03] Scanned contents of 314 additional files at 4.51 per second

    hanging here??

    Thanks divnull!

    rfollett, your scanning issues are most likely due to some other issue. Check your error logs (may be available in the “Logs” section on the Wordfence “Diagnostics” page). You can also enable “debug mode” via the Wordfence Diagnostics page to get more information about each scan stage. Please open a new support thread to discuss scanning issues. Thanks!

    • This reply was modified 7 years, 12 months ago by wfasa.
    Thread Starter AMX

    (@lightscapes)

    Thanks @wfasa

    Hi,

    Just received an email from 1and1 explaining it is a false alarm:

    Please excuse this error and any inconvenience caused by this false alarm.

    After review, we confirm that your file /wp-content/wflogs/attack-data.php does not contain any malicious code. The scanner made a mistake in the previous scan.

    The database for the 1&1 Safety Scanner has now been corrected. Please give our systems 2 hours to implement and distribute the correction.

    Important: After this 2 hour timeframe, you may upload your file, *** , to your WebSpace. Uploading your file before this could cause another false alarm. If the file still exists in your WebSpace, you can simply change the file permissions back after this timeframe.

    We appreciate your cooperation and look forward to continuing to provide you safe and secure hosting.

    @wfasa

    I deleted the folder as requested, it is recreated immediately by the plugin – and the file attack-data.php looks exactly the same, including the strange NUL values.

    So deleting the folder changes nothing – except that all whitelisted URLs are gone from the firewall settings. I would not recommend deleting this folder.

    On one side it seems to be a false alert, on the other hand it might be useful to find out, where those strange NUL values come from.

    • This reply was modified 7 years, 12 months ago by woltis.

    Thanks @wfasa

    1&1 Safety Scanner is faulty.

    De-activate Wordfence.

    Erase wflogs folder.

    Re-activate Wordfence.

    wflogs will be re-created.

    Regards and thanks to Wordfence team for the very good work !

    @jrvidaud

    Deleting the folder changes nothing – except that all whitelisted URLs are gone from the firewall settings.

    The best solution is: do nothing!

    It’s a false alert.

    In @wfasa's defence, they only said to delete the wflogs folder “If you experience any issues after the Wordfence files in wflogs were on lock down by your host 1&1”

    • This reply was modified 7 years, 12 months ago by JohnCleary.

    Sadly I (hastily) did delete my folder. It will replace itself on the next attack, I hope.

    This is what 1&1 just sent to me:

    Please excuse this error and any inconvenience caused by this false alarm.

    After review, we confirm that your file /wp-content/wflogs/attack-data.php does not contain any malicious code. The scanner made a mistake in the previous scan.

    The database for the 1&1 Safety Scanner has now been corrected. Please give our systems 2 hours to implement and distribute the correction.

    Important: After this 2 hour timeframe, you may upload your file, /wp-content/wflogs/attack-data.php, to your WebSpace. Uploading your file before this could cause another false alarm. If the file still exists in your WebSpace, you can simply change the file permissions back after this timeframe. Please see this help article for information on setting permissions.

    https://help.1and1.co.uk/article/649968.html

    If you should require further information, please reply to this e-mail, leaving our reference [Ticket xxxxxxxx] in your message. You can also call us at 0333 336 5691, from Monday-Friday, 11:00am-22:00pm.

    • This reply was modified 7 years, 12 months ago by bosh.

    Looks like I’m one of many people who got this message from 1and1 today.

    I did the ‘delete the log folder’ trick to ‘reset’ things. That’s all fine. My problem now is that scans don’t complete (never had this issue before, even on high sensitivity mode). I’ve tried the usual increase memory trick, but no joy.

    I note that from above, I should start this topic on a new thread, but I’ve added it here, just in case it’s related. I’ve had problems with 1and1 before ‘quarantining’ files they don’t like the look of and that has broken other plugins. Perhaps 1and1 have quarantined something else that’s broken WordFence?

    So, for the people who had the 1and1 attack-data issue, are things all fine with scans now? If so, then my scan problem is unrelated and I’ll sort it out elsewhere. If not, then perhaps we could look a little deeper to see what else 1and1 have done..?

    @robwheatley I have exactly the same issue Rob, and have contacted Wordfence support about this also.

    Hi Rob, in any case you should find a log file from 1and1 on your webspace. Check if there is a forensic directory within your /logs/ folder. There you should find further info on what 1and1 locked on your space.

    Hi again!
    Yes, do not delete wflogs unless you are having issues with blocking or Live Traffic. It completely resets the Firewall!

    I see that two people have reported scan issues following this. I’m not sure why deleting wflogs would affect your scans. That’s not something we have seen before, which is why I suggested creating new threads for this. As a general recommendation to debug scans that hang:

    1. Enable “debug mode” at the bottom of the Wordfence Diagnostics page. Run a manual scan. You will now see much more detailed information in the “Scan detailed activity” box. It may indicate whether there are connection issues with the Wordfence servers; if a large file is being scanned right before the scan stops, the scan may be hanging on that particular file.

    2. If it appears that your scan is getting stuck on a large file, you can try disabling “Scan images, binary, and other files as if they were executable” on the Wordfence options page. You can also try lowering the “Maximum execution time for each scan stage” to less than half of what max_execution_time is set to on your server. Typically, a value of 20 should work here. If you want to know what max execution time is set at on your site, you can click “Click to view your system’s configuration in a new window” on the Wordfence Diagnostics page and then search in that page for “max_execution_time”.

    3. Check your server’s error logs to make sure no Fatal Errors are being generated during the scan. On many sites you can get the server’s error logs directly via the “Logs” section on the Wordfence Diagnostics page. If you cannot find your error logs there, and you cannot find them in your web host’s administration panel, please ask your host to provide them.

    Once you have gone through these steps, I would suggest creating a new thread in the forum and present your findings.

  • The topic ‘Malware in /wflogs/attack-data.php?’ is closed to new replies.