A Possible False Negative? Unable to open wp-content/wflogs/ips.php…
-
Hi,
Site in trouble – http://mayankrungta.in
Version of WordFence – Version 6.1.8 # The drop down doesn’t allow this version. I don’t know why.

I am debugging a potential attack on my site. In my attempt to do so I blocked several IPs trying to look for the xmlrpc file. WordFence did not help me detect any problems. I am using the free version. Today I noticed another thing – the logs are flooded with the following messages –
[Mon Jun 13 18:30:31.061556 2016] [:error] [pid 15920] [client 104.223.253.156:59569] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:32.606659 2016] [:error] [pid 6266] [client 104.223.253.156:51692] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:33.257808 2016] [:error] [pid 14251] [client 104.223.253.156:37441] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:35.087847 2016] [:error] [pid 1850] [client 104.223.253.156:42470] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:40.181061 2016] [:error] [pid 14339] [client 104.223.253.156:56799] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:44.197842 2016] [:error] [pid 21426] [client 104.223.253.156:40075] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:44.262231 2016] [:error] [pid 14379] [client 104.223.253.156:40269] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:47.862139 2016] [:error] [pid 15898] [client 104.223.253.156:50468] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:50.442134 2016] [:error] [pid 9168] [client 104.223.253.156:57726] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:50.484498 2016] [:error] [pid 15920] [client 104.223.253.156:57861] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.

The IP I checked –
https://www.abuseipdb.com/check/104.223.253.156
didn’t seem suspicious. Should I block this IP? I opened the file and it looks like something has been injected into it –
$ cat ~/html/xxx.in/wp-content/wflogs/ips.php <?php exit('Access denied'); __halt_compiler(); ?> ��.�W����\}*W��� c˯�*W���~ ^�*W����*W��mɅd�*W��� h�*W��� k��*W��%s��WW��M����+W���&→W��%▮J←�→W���\I⎺→W����;�→W����←W����→←W��PR�9←W��[┌�JI├←W��↓� b�←W��U�W��� ┴�←W��LJ�↓W��� H �↓W��⒢�↓W��/W��[b·/W��]�)W��└d�┐┬0W��R�1W��Ú��o1W��=a�<�1W���ʡ�:W��ƓZ1W���ү�2W���tւ��2W��z����&4W��qf�0u4W���L�4W��p}|��4W��Y�H��4W���B�j5W���k��6W��>Ҙ�6W������a�6W���f���6W��>R��6W���ʡ��6W���7W�������7W��� 8W��z�d��r8W���W���-!�:W��g��5W����UW����W���v# >W��)L�L>W��_�k>W��>Ң*:?W��-@��Z?W��l;T�Z?W��3�g�?W���_ a��?W��Úӷ@W��XvX@W��.i��OAW��G&�ZAW���&V�BW��hCW����w1’�CW��>ҘWc”GW���u��GW��h�H
BJW��_s�jJW���\HX��JW��[!%W��� qrkELW�� W��j�^NW��X�NW��<�MrNW���x-�NW��%�s”{W��j���TQW����
�QW����?5�vQW��\’:�SW��h�SW��[yN(�)TW��E߬`UW��H/7~UW���ƧUW��%�G�;W���tW��3�%|vW���
WW���R�MXW����W��\<����YW��ZW��Nn2sP|ZW��41_cW���myW���PtW���F0W��yN�f(W������]W��RM��]W

I re-ran the WordFence scan and it continues to show clean. If the stuff in the php file is injected code, why is the tool missing the file? I thought I sat and cleaned the whole site in the last few days, and if it is still infected and tools aren't helping I am at a loss. Please advise what my next steps should be. I am reverting to the version below obviously –

$ cat wp-content/wflogs/ips.php
<?php exit('Access denied'); __halt_compiler(); ?>

Additionally, I downloaded the latest WordPress code (4.5.2) and did a diff with the one I am using. There are no other altered files, though gotmls is pointing me to suspicious files. I don’t know what to do for wp-content. I was hoping that WordFence does that for me. Here is the output from gotmls –
.git/index
wp-content/plugins/better-wp-security/core/modules/core/js/mc-validate.js
wp-content/plugins/captcha/bws_menu/js/shortcode-button.js
wp-content/plugins/wordfence/js/jquery-ui-timepicker-addon.js
wp-includes/js/json2.js
wp-includes/js/json2.min.js
wp-includes/js/tw-sack.min.js
wp-includes/js/tinymce/tiny_mce_popup.js
wp-includes/pomo/translations.php

The above were identified as potential threats, and I don’t see ips.php here either. Maldet also gave a clean chit –
# maldet -a /
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks <[email protected]>
(C) 2015, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(25582): {scan} signatures loaded: 10824 (8909 MD5 / 1915 HEX / 0 USER)
maldet(25582): {scan} building file list for /, this might take awhile…
maldet(25582): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(25582): {scan} file list completed in 18s, found 284696 files…
maldet(25582): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine…
maldet(25582): {scan} scan of / (284696 files) in progress…
maldet(25582): {scan} scan completed on /: files 284696, malware hits 0, cleaned hits 0, time 295s
maldet(25582): {scan} scan report saved, to view run: maldet --report XXXXXXXXXXX

Anything else that I should be doing? Is there any other info I can share that would be of help?
The first of the errors occured at –
[Mon Jun 13 17:28:08.122791 2016] [:error] [pid 31218] [client 104.223.253.156:51079] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.

I changed the permission of .htaccess to give write access to the user (not the group www-admin) around that time. Not sure if that can help trigger it. But that’s all I can remember.
Also, I don’t understand why wordfence-waf.php resides in the root directory; shouldn’t all plugin related files be contained within wp-content? Sorry if I am mistaken.
If it is any help, I ran into the WordFence missing table error, which I noticed is very prevalent (on forums), and only for WordFence specifically in my case. I reinstalled the plugin after deleting everything a day or so back. I commit the files to a git repository and then pull the changes to other sites, keeping them consistent. I am considering not tracking wp-content anymore, but then any inconsistency in files will be missed. Any advice there would help also.
Hope this helps.
Thanks in advance,
Mayank
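Two things in the post are worth automating rather than eyeballing: the error-log flood (how many entries, from which clients, over what window, and when the first one appeared) and the question of whether a wflogs data file still carries the guard line shown in the post. The script below is an added example, not code from the post or from the Wordfence project. It parses the standard Apache 2.4 error-log prefix and groups entries per client and message, and it checks a file's leading bytes against the `<?php exit('Access denied'); __halt_compiler(); ?>` guard; Wordfence's WAF data files under wflogs begin with that guard and are otherwise binary, which is an assumption about the file format taken from the plugin's own storage convention and should be confirmed against the installed version. The sample log lines are constructed in the same shape as the post's, with 192.0.2.10 as a second, made-up client.

```python
"""Triage an Apache error_log flood and check a Wordfence wflogs data file header.

Added example (not from the original post or from Wordfence). Parses Apache 2.4
error-log lines, aggregates them by (client IP, message) with first/last seen
timestamps, and tests whether a wflogs file starts with the Wordfence guard.
"""
import re
from datetime import datetime

# Apache 2.4 error-log prefix: [timestamp] [module:level] [pid N] [client IP:PORT] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]*)\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<ip>[^:\]]+):(?P<port>\d+)\] (?P<msg>.*)$"
)

# Assumption: Wordfence WAF storage files begin with this guard so the web
# server never executes or serves the binary payload that follows it.
WF_GUARD = b"<?php exit('Access denied'); __halt_compiler(); ?>"

# Constructed sample in the post's log format; 192.0.2.10 is a made-up client.
SAMPLE_LOG = """\
[Mon Jun 13 17:28:08.122791 2016] [:error] [pid 31218] [client 104.223.253.156:51079] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:31.061556 2016] [:error] [pid 15920] [client 104.223.253.156:59569] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:32.606659 2016] [:error] [pid 6266] [client 104.223.253.156:51692] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:30:44.197842 2016] [:error] [pid 21426] [client 192.0.2.10:40075] Unable to open /opt/html/xxx.in/wp-content/wflogs/ips.php for reading and writing.
[Mon Jun 13 18:31:00.000000 2016] [:error] [pid 21426] [client 192.0.2.10:40076] PHP Notice: constructed unrelated entry
"""


def parse_line(line):
    """Parse one error-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # e.g. "Mon Jun 13 18:30:31.061556 2016"; %d also accepts Apache's space-padded day
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return rec


def summarize(log_text):
    """Return {(ip, msg): {"count", "first", "last"}} over all parsable lines."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["msg"])
        s = stats.setdefault(key, {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        s["count"] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return stats


def has_wordfence_guard(data):
    """True if the file bytes start with the Wordfence access-denied guard."""
    return data.startswith(WF_GUARD)


def report(stats):
    """Print the busiest (client, message) pairs first, with their time window."""
    for (ip, msg), s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{s['count']:5d}  {ip:<16} first={s['first']} last={s['last']} ({span:.0f}s)")
        print(f"       {msg}")


if __name__ == "__main__":
    report(summarize(SAMPLE_LOG))
    with open("wp-content/wflogs/ips.php", "rb") as f:  # path assumed; run from the site root
        print("guard present:", has_wordfence_guard(f.read(len(WF_GUARD))))
```

Run it against the real log with `summarize(open("/var/log/apache2/error.log").read())`; the `first` timestamp per message is what lets you line the flood up against a configuration change such as the .htaccess permission edit mentioned in the post. The "Unable to open ... for reading and writing" message is the web server process failing to get write access to the file, so the next check after the header is the file's owner and mode relative to the user Apache runs as.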
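The post's approach of diffing the install against a freshly downloaded WordPress 4.5.2 is the right idea; the script below generalises it into a repeatable integrity check. It is an added example, not code from the post or from any scanner named in it. It hashes every file in a site tree and a clean reference tree, reports files that are modified, extra (present only on the site, such as wp-config.php) or missing, and skips paths that are expected to differ (uploads, wflogs, caches, .git). The same comparison applies to each plugin directory against that plugin's own release archive. `demo()` builds two tiny constructed trees in a temporary directory so the script runs offline; `SITE_DIR` and `REFERENCE_DIR` are assumed paths.

```python
"""Integrity check of a WordPress tree against a pristine reference copy.

Added example (not from the original post). Compares SHA-256 hashes of every
file under the site root with those of a clean release unpacked elsewhere.
"""
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ between a live site and a release archive.
DEFAULT_SKIP = ("wp-content/uploads", "wp-content/wflogs", "wp-content/cache", ".git")

SITE_DIR = "/opt/html/example-site"          # assumed path
REFERENCE_DIR = "/tmp/wordpress-4.5.2-clean"  # assumed path to the unpacked release


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root, skip=DEFAULT_SKIP):
    """Map relative POSIX path -> digest for every regular file under root."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == s or rel.startswith(s + "/") for s in skip):
            continue
        out[rel] = sha256_of(p)
    return out


def compare(site_dir, reference_dir, skip=DEFAULT_SKIP):
    """Return sorted lists of modified, extra and missing files on the site side."""
    site = tree_hashes(site_dir, skip)
    ref = tree_hashes(reference_dir, skip)
    return {
        "modified": sorted(r for r in site.keys() & ref.keys() if site[r] != ref[r]),
        "extra": sorted(site.keys() - ref.keys()),
        "missing": sorted(ref.keys() - site.keys()),
    }


def demo():
    """Construct two small trees with known differences and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = Path(tmp, "ref"), Path(tmp, "site")
        common = {
            "index.php": "<?php require 'wp-blog-header.php';",
            "wp-includes/pomo/translations.php": "<?php // clean",
            "wp-content/plugins/akismet/akismet.php": "<?php // plugin",
        }
        for base in (ref, site):
            for rel, body in common.items():
                f = base / rel
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_text(body)
        # Constructed deviations: one core file altered, one site-only file,
        # one wflogs data file (skipped), one core file absent from the site.
        (site / "wp-includes/pomo/translations.php").write_text("<?php // clean\n// appended")
        (site / "wp-config.php").write_text("<?php // site-specific config")
        (site / "wp-content/wflogs").mkdir(parents=True, exist_ok=True)
        (site / "wp-content/wflogs/ips.php").write_bytes(b"\x00\x01")
        (ref / "wp-includes/js").mkdir(parents=True, exist_ok=True)
        (ref / "wp-includes/js/json2.js").write_text("// reference-only file")
        return compare(site, ref)


if __name__ == "__main__":
    result = demo()
    for kind, files in result.items():
        print(f"{kind}:")
        for rel in files:
            print(f"  {rel}")
```

Swap `demo()` for `compare(SITE_DIR, REFERENCE_DIR)` on a real install. Everything in `extra` deserves a look, since a clean core release contains no site-specific PHP beyond wp-config.php; `modified` entries should be reviewed line by line with `diff` before being restored from the reference copy, and the skip list should be narrowed (for example, keeping uploads in scope but excluding only image extensions) once the first pass is clean.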