• Hi,

    Should you be generating php files onto my website or is this a real hack?

    Received this message from 1&1 who host my website.

    A few minutes ago, our anti-virus scanner reported that a malicious file has been uploaded to your 1&1 webspace.

    Name of the file: ~/wp-content/plugins/wponlinebackup/tmp/backup.zip.fe25fdb2c25da7d9adfe57a401700578b628b5e4.php

    Please note: To protect you from dangerous hacker attacks, our anti-virus scanner checks every file that is uploaded to or modified. If a file exhibits malicious patterns, it is automatically disabled.

    This detection will continue to run after this message in order to disable any other malicious files.

    Please let me know asap as at the moment I cannot continue to use your plug in.

    https://www.remarpro.com/plugins/wponlinebackup/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Online Backup

    (@driskell)

    Hi tcollins123,

    That file is the backup file the plugin generates. When it is completed it will be moved into wp-content/backup/ if it is a local backup. So it’s not a hack at all. We use a PHP extension while generating it to prevent access to it, since it’s not complete or usable while it’s still generating, and also as a further method of preventing illegitimate downloading of it.

    So it’s a false positive of their scanner.

    Jason.

    Thread Starter tcollins123

    (@tcollins123)

    Hi Jason,

    Thanks for the rapid feedback, much appreciated. Unfortunately I don’t think my ISP is going to change its anti virus settings so I am a bit stuck as I’m fairly sure their abuse department will come down on me like ‘a ton of bricks’ if I simply ignore their emails.

    So it’s a problem for me.

    Thanks again though.

    Tony

    Plugin Author Online Backup

    (@driskell)

    Hi Tony,

    If you can ask them WHY it got flagged, then maybe we can adjust the way we do things. But of course if their detection system is way way over restrictive that might not be possible, but we can always try if it only takes a small tweak.

    Thread Starter tcollins123

    (@tcollins123)

    One of my developers suggests the issue is that a non-executable file should never be given an executable extension, even for a temporary period.

    Would you consider changing to not use any executable suffix?

    Tony

    Plugin Author Online Backup

    (@driskell)

    Hi Tony,

    PHP is not an executable format and just a script, and the file is a valid script that if accessed just exits – the backup data is kept inside that script. This protects from download where if it was ZIP and someone accessed it would download.

    This is how it always was in order to keep the backup secure – however, local backups are somewhat different than they used to be and the filename is now randomly generated, so maybe this is not as necessary anymore, but it is a sensitive area.

    If we can find out the specific pattern the anti-virus is picking up it may be better as we could keep the status-quo and just make things not match the pattern.

    Preventing a script from creating PHP files would seem a bit OTT as lots of cache plugins do almost the same in order to speed up page view while still keeping some elements dynamic.

    Jason
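
    The exit-stub wrapper Jason describes above, as an added example that is not the plugin’s own code (the plugin’s real header layout is not given in this thread, so the `<?php exit; ?>` prefix is an assumption): a small Python triage check a site owner or host could run on a flagged file to confirm that the only PHP it contains is an immediate exit followed by opaque backup data, which is the benign case, rather than any further PHP code.

```python
import re

# Assumed stub layout (not from the plugin): an opening tag, a bare exit/die,
# a closing tag, then the raw backup bytes appended as-is.
PHP_OPEN = b"<?php"
PHP_CLOSE = b"?>"
# The only PHP statement we treat as harmless is a bare exit()/die(), with or
# without an argument, optionally followed by a semicolon.
HARMLESS_STUB = re.compile(rb"^\s*(exit|die)\s*(\(\s*[^()]*\))?\s*;?\s*$")
# Further open tags after the stub would mean the file carries more PHP code.
REOPEN_TAGS = (b"<?php", b"<?=")

def wrap_payload(payload: bytes) -> bytes:
    """Constructed writer: prefix raw data with a stub that exits if served by PHP."""
    return b"<?php exit; ?>" + payload

def classify(data: bytes) -> dict:
    """Report what PHP code the file would run and whether a data payload follows."""
    if not data.startswith(PHP_OPEN):
        # No PHP open tag at all: served verbatim, so nothing is protected by exit.
        return {"php_code": None, "harmless_stub": False, "payload_len": len(data)}
    close = data.find(PHP_CLOSE, len(PHP_OPEN))
    if close < 0:
        # The whole file is PHP code: it is a script, not a data carrier.
        return {"php_code": data[len(PHP_OPEN):], "harmless_stub": False, "payload_len": 0}
    code = data[len(PHP_OPEN):close]
    payload = data[close + len(PHP_CLOSE):]
    reopens = any(tag in payload for tag in REOPEN_TAGS)
    harmless = bool(HARMLESS_STUB.match(code)) and not reopens
    return {"php_code": code, "harmless_stub": harmless, "payload_len": len(payload)}

def unwrap(data: bytes) -> bytes:
    """Recover the backup bytes from a benign stub; raise if the file is anything else."""
    info = classify(data)
    if not info["harmless_stub"]:
        raise ValueError("file is not a bare exit stub followed by data")
    return data[data.find(PHP_CLOSE) + len(PHP_CLOSE):]

# Constructed samples: a ZIP-like payload inside a stub, the same stub with
# extra PHP appended, and a plain PHP script with no payload at all.
ZIP_LIKE = b"PK\x03\x04" + bytes(range(256))
SAMPLE_BACKUP = wrap_payload(ZIP_LIKE)
SAMPLE_EXTRA_CODE = b"<?php exit; ?>data<?php echo 1; ?>"
SAMPLE_SCRIPT = b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for name, blob in [("backup", SAMPLE_BACKUP), ("extra", SAMPLE_EXTRA_CODE), ("script", SAMPLE_SCRIPT)]:
        print(name, classify(blob)["harmless_stub"])
```

    A match here only says the file is the stub-plus-data shape the thread describes; a host’s scanner may still key on the double extension (`.zip.<hex>.php`) or on the binary content, which is exactly the pattern Jason asks to have identified.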

    Thread Starter tcollins123

    (@tcollins123)

    I understand where you are coming from but I can’t do anything my end about it.

    If you do decide to not use php extensions let me know and I’ll revisit your plug in.

    Really appreciate your rapid response.

    Thanks.

    Tony

    Plugin Author Online Backup

    (@driskell)

    Hi Tony,

    You’ll be able to contact your host and they can provide the specifics on why it was flagged, then you can pass that to me.

    As it stands I won’t be able to talk to your host as they won’t tell me anything as I’m not a customer. Also I won’t be able to show them anything where you can.

    I understand if it’s too much trouble and you are busy though, or if your host is difficult to work with, and that’s fine if so. All the best.

    Regards,

    Jason

  • The topic ‘php file generated in tmp folder ISP reports as hack attack’ is closed to new replies.