• Resolved bast-hotep

    (@bast-hotep)


    Entire site was coming up 403 forbidden. I found a huge version of config.php in wflogs, renamed it as something else and Wordfence apparently reconstructed a good config file, but site was still down. Host support said that Wordfence seemed to be blocking my IP (in spite of it being whitelisted) and that the .htaccess file was corrupt; he renamed that and site was back up.

    So I guess my questions are…

    1. Is a config file that size unusual? It appears to be largely an encoded binary.
    2. Is there anyone at Wordfence I can securely send it to if it might be a clue against hackers?
    3. Is there a way to scan Wordfence to make sure it hasn’t been compromised?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Hi,

    Sorry to hear about the trouble — 98k is an ok size for the config file, and it does include some encoded content for efficiency. You can send a copy of the file to us at wftest[at]wordfence[dot]com, and include a link to this post in the message. Please also reply here to be sure I don’t miss it if it goes into spam. A normal Wordfence scan should also pick up any malware in these files if any was included, but I suspect there was a technical problem rather than a hack.

    The config file alone normally shouldn’t cause the whole site to show a 403, but if the host has “mod_security” or something similar, it could convert 500’s to 403’s. It’s also possible that blocking on the site isn’t working normally — if you can also email us a diagnostic report using the “Send Report by Email” button near the bottom of the Diagnostics page on the Wordfence menu, I can check on that as well.

    -Matt R

    Thread Starter bast-hotep

    (@bast-hotep)

    Thanks so much for the info and your offer! It turns out that somehow, Wordfence was reporting unusual activity by a particular address that I blocked on cPanel, not realizing that address belonged to either a Cloudflare or Sucuri server. The support tech thought it was a Wordfence problem, but as soon as I removed that last entry from .htaccess, everything was back to normal.

    Plugin Author WFMattR

    (@wfmattr)

    Great, glad to hear it’s all sorted out!

    -Matt R

  • The topic ‘Site went down, found 98K config file’ is closed to new replies.
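
The failure the thread starter describes, a block entry in .htaccess that matched a Cloudflare or Sucuri proxy address, can be checked for before or after a block is added. The following is an added example, not part of the original thread and not Wordfence code; the provider names and ranges are constructed placeholders (RFC 5737 documentation networks), and it assumes blocks are written as `deny from` or `Require not ip` lines.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation nets); substitute the
# ranges your CDN/WAF provider currently publishes.
PROXY_RANGES = {
    "example-cdn": ["192.0.2.0/24", "198.51.100.0/25"],
    "example-waf": ["203.0.113.0/24"],
}

# Apache 2.2 "Deny from <addr>" and 2.4 "Require not ip <addr>" directives.
BLOCK_RE = re.compile(r"^\s*(?:deny\s+from|require\s+not\s+ip)\s+(.+?)\s*$", re.I)

def parse_blocks(htaccess_text):
    """Yield (line_no, network) for each address or CIDR the file blocks."""
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        m = BLOCK_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                yield no, ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # hostnames, "all", partial addresses: not checked here

def find_proxy_blocks(htaccess_text, proxy_ranges=PROXY_RANGES):
    """Return (line_no, blocked, provider, range) for blocks that hit a proxy."""
    hits = []
    for no, net in parse_blocks(htaccess_text):
        for provider, cidrs in proxy_ranges.items():
            for cidr in cidrs:
                rng = ipaddress.ip_network(cidr)
                if net.version == rng.version and net.overlaps(rng):
                    hits.append((no, str(net), provider, cidr))
    return hits

SAMPLE = """\
# constructed sample .htaccess
Order allow,deny
Allow from all
deny from 10.20.30.40
deny from 198.51.100.17
Require not ip 203.0.113.0/28
deny from 198.51.100.200
"""

if __name__ == "__main__":
    for no, blocked, provider, cidr in find_proxy_blocks(SAMPLE):
        print(f"line {no}: {blocked} is inside {provider} range {cidr}")
```

When a site sits behind a reverse proxy, every visitor reaches the origin from the proxy's addresses, so a single hit from this check means the block applies to all traffic routed through that node.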