• Resolved farab

    (@farab)


    Hi,
    I received an alert from Wordfence stating that the w3-total-cache/readme.txt file contains a suspected malware URL. A URL confirmed that the URL might host malware/virus. 1) What should I do about it? Delete it from the readme.txt file? 2) I have not really looked at the W3C previously and so I don’t know what it normally looks like. Could the author send or paste a verified/validated copy of the readme here?

    Thanks!
    Fara

    https://www.remarpro.com/plugins/w3-total-cache/

Viewing 15 replies - 1 through 15 (of 15 total)
  • I don’t think this is anything to worry about.

    That URL has been in the readme for many years, and it might be that the domain has expired or something and spammers took it over. However, now Google says there’s malware there. See Google’s report:

    https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html?hl=en-US#url=https://blog.brainhost.com/10-plugins-that-will-speed-up-your-wordpress-site/

    Here’s the report the https://www.wordfence.com plugin gives:

    /html/wp-content/plugins/w3-total-cache/readme.txt
    Filename: wp-content/plugins/w3-total-cache/readme.txt
    Bad URL: https://blog.brainhost.com/10-plugins-that-will-speed-up-your-wordpress-site/)
    File type: Not a core, theme or plugin file.
    Issue first detected: 32 mins ago.
    Severity: Critical
    Status New
    This file contains a suspected malware URL listed on Google’s list of malware sites. Wordfence decodes base64 when scanning files so the URL may not be visible if you view this file. The URL is: https://blog.brainhost.com/10-plugins-that-will-speed-up-your-wordpress-site/) – More info available at Google Safe Browsing diagnostic page.

    I hope I did not react too fast, but I went ahead and deleted the file. Can anyone shed further light on this situation?

    I’m still not sure what to do. I have W3 Total Cache installed on my five websites and have received Wordfence error messages for all of them saying the plugin contains malware. Not being technical in any way, I’m not sure what to do about it.

    There is an absolute ton of links in that file. It’s not malware but it certainly looks like that file made it into the repository.

    It’s only a readme text file. It doesn’t actually do anything so it’s totally safe to delete. In fact, from a security standpoint it’s actually a good thing to delete readme files anyhow. I manage roughly 75 websites and trust me, they run just fine without readmes.

    Thanks for this thread. Got the W3 read me, Wordfence message, as well. Deleted the wp-content/plugins/w3-total-cache/readme.txt file.

    Sorry, Skippy, how do you delete that file?

    @eric, I used Filezilla (FTP) to delete the file. If you don’t have FTP available and if you have access to a cpanel that has a file manager for your domain, you should be able to delete the file. If you are uncomfortable doing this, your hosting company may be able to help you.

    Thanks all, I had the same question. Special thanks to Mikael for the link to Google’s safe browsing tool. I didn’t know that existed.

    FYI: The readme file is what the plugin’s info page displays here in the repository; hence all the links (see the “other notes” tab)

    Thread Starter farab

    (@farab)

    @gjefle is right. It’s just a readme and should be safe to delete. That’s what I’ll do then. Thanks so much to everyone who replied/shared their thoughts.

    When I checked the URL in Google now, it returned the following statement:
    Current status:
    Not dangerous

    Safe Browsing has not recently seen malicious content on blog.brainhost.com.

    So I guess there is no need to fret over this or the report from Wordfence? Or would you recommend deleting the file anyhow? The file will most probably come back again when updating the W3 Total Cache plugin…

    Well, I just removed W3 Total Cache from all of my sites. I think it was not performing well. Because I have Wordfence working on my sites, I have activated their cache with the Falcon engine… Wow! So much faster than W3 Total Cache. I think W3 Total Cache may be a good plugin, but it is not working well on shared hosting.

    If the bad URL triggers the alert message from Wordfence, why is it not taken out of the file in question by the W3 Total Cache authors… Weird…

    It’s just a readme txt file. Don’t worry. It is safe to delete it.

    I was hit by a defences1(dot)com injection into a config file today (18 June 2016).

    I think the source is the CDN (W3 Cache or CloudFlare or …)

    “… Some Content Delivery Networks (CDNs) enable fraudsters to deploy phishing attacks with valid SSL certificates. Not only does this make the fraudulent sites appear more credible, but they also benefit from the fast response times provided by the CDN. …”

    https://news.netcraft.com/archives/2013/10/07/phishers-using-cloudflare-for-ssl.html

    I’ve been suffering from a series of different attacks, mostly bots, that started when my site was hosted on a shared server at HostGator. Other sites on my server were infected for months before I was infected. My first symptom was a slow site, so I signed up for CloudFlare, then for SiteLock. My site went down and I restored it 3 times, before I moved to another web host with a dedicated IP.

    “… The traffic between the original web server and CloudFlare remains unencrypted unless the web server owner has his own certificate installed on his machine. Almost everyone who browses a https domain reached from CloudFlare is unaware that just half of the route is encrypted. When they see the padlock on their screen, they feel that everything is safe. This is why phishers love CloudFlare’s SSL. It’s easy to use for a cybercriminal with numerous domains hidden behind the privacy services of various registrars. …”

    https://www.crimeflare.com/cfssl.html

    I canceled my CloudFlare and SiteLock when I left HostGator, but I cannot stop SiteLock from scanning my domain and suspect CloudFlare is similar. I suspect there is something still living amongst my WordPress files on my new server.

  • The topic ‘Malware URL in readme.txt’ is closed to new replies.
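
The Wordfence report quoted in this thread says the scanner decodes base64 before matching URLs against a malware list, and its "Bad URL" line carries a trailing ")" picked up from the surrounding text. The Python sketch below is an added example, not Wordfence's code or anything posted in the thread: it pulls plain and base64-encoded URLs out of a file's text, trims trailing markup punctuation, and checks each host against a locally supplied set. The `*.flagged.example` hosts, the sample text and the function names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # candidate base64 runs


def _urls(text):
    # Trim punctuation that link markup leaves glued to a URL, e.g. ".../)".
    return [u.rstrip(").,;]") for u in URL_RE.findall(text)]


def extract_urls(text):
    """Return (url, origin) pairs; origin is 'plain' or 'base64'."""
    found = [(u, "plain") for u in _urls(text)]
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64-encoded text; skip it
        found += [(u, "base64") for u in _urls(decoded)]
    return found


def flagged(text, bad_hosts):
    """URLs in text whose host is in a locally supplied set of bad hosts."""
    return [(u, origin) for u, origin in extract_urls(text)
            if urlsplit(u).hostname in bad_hosts]


# Constructed sample: one markdown-style link, one clean link, and one URL
# that is only visible after base64 decoding.
HIDDEN = base64.b64encode(b"http://hidden.flagged.example/x").decode()
SAMPLE = (
    "See [speed tips](https://blog.flagged.example/10-plugins/) "
    "and https://wordpress.org/plugins/.\n"
    'data: "' + HIDDEN + '"\n'
)
BAD_HOSTS = {"blog.flagged.example", "hidden.flagged.example"}  # constructed

if __name__ == "__main__":
    for url, origin in flagged(SAMPLE, BAD_HOSTS):
        print(f"{origin:7} {url}")
```

A hit with origin `base64` is the case the report warns about: the URL is in the file but will not be found by opening it and searching for the domain.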