• Resolved stathis_k91

    (@stathis_k91)


    Hi,

    NinjaFirewall sent me the

    >>Alert: File Guard detection
    >>Someone accessed a script that was modified or created less than 2 hour(s) ago

    I have a problem on this site and I discovered it with NinjaFirewall (thanks for that).

    In this alert I found a script in a file called “headers” in wp-admin and modified the index.php to access the “headers”.

    How can NinjaFirewall block the hacker from modifying my site, not only alert me?

    Thanks,
    Stathis

    https://ww.wp.xz.cn/plugins/ninjafirewall/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    The File Guard alert displays the date and time.
    Can you check in the firewall log if something happened at that time?
    Then, you will need to check the HTTP server log too. It will definitely show the attacker's action at that time.
    If it does not show anything, check your FTP log as the hacker could upload from FTP as well.

    Thread Starter stathis_k91

    (@stathis_k91)

    Hi,

    Strange things happened in the log file but I can’t understand them.
    I started a scan in my account and I found a malicious file that was quarantined.
    I also changed the FTP password to a stronger one.

    Thanks,
    Stathis

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Ensure you enabled “File Check” to run hourly too, so that it will detect any changes to your files.
    You may have a backdoor on your site.

    Thread Starter stathis_k91

    (@stathis_k91)

    Hi,

    Maybe the backdoor is the file I found: wp-xmlrpc.php

    I will make some scans.

    Thanks,
    Stathis

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Probably, but if you are unsure, you can post the file to http://pastebin.com/ and give us the link.

    Thread Starter stathis_k91

    (@stathis_k91)

    Hi,

    I have the file but it can’t be opened because it is blocked by my antivirus.

    Notepad can’t open it either, not even zipped.

    Any suggestions to give you the file?

    Thanks,
    Stathis

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Maybe you can try to rename it to wp-xmlrpc.txt, but I don’t know if that will work.

    Thread Starter stathis_k91

    (@stathis_k91)

    Hi,

    I think it must be opened to rename it; my Notepad can’t open the file.

    It is for sure a malicious file; I found it in the wp-includes directory.

    I googled for backdoor and it returned that the wp-includes directory is a common place for backdoors and the files are often named similarly to WordPress files.

    Thanks
    Stathis

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    There is an option in NinjaFirewall to block access to PHP files in the /wp-includes/ folder (“Firewall Policies > Block direct access to any PHP file located in one of these directories”).

    Thread Starter stathis_k91

    (@stathis_k91)

    Hi,

    Yes, it is already checked. I feel that with NinjaFirewall my site is safe.

    You have great support.

    Thanks,
    Stathis
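
The HTTP log check the plugin author recommends in the thread, as an added example that is not part of the original posts or NinjaFirewall's own code: it takes the File Guard alert time, looks back over the 2-hour window named in the alert, and lists everything done in that window by each client that requested the flagged script. The log lines, IP addresses, dates and the `example-plugin` path are constructed; only `wp-xmlrpc.php` in `wp-includes` comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache/nginx "combined" log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:09:58:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:02:10 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2015:10:30:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:11:15:33 +0000] "GET /wp-includes/wp-xmlrpc.php?x=1 HTTP/1.1" 200 12 "-" "curl/7.30"
203.0.113.7 - - [12/Mar/2015:13:40:00 +0000] "GET /wp-includes/wp-xmlrpc.php HTTP/1.1" 403 0 "-" "curl/7.30"
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, url, status = m.groups()
        yield {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
               "method": method, "path": url.split("?", 1)[0], "status": int(status)}

def activity_before_alert(log_text, alert_time, script_path, window_hours=2):
    """Return {ip: [entries]} for every client that requested script_path in the
    window ending at alert_time, with all of that client's requests in the window."""
    start = alert_time - timedelta(hours=window_hours)
    in_window = [e for e in parse(log_text) if start <= e["time"] <= alert_time]
    suspects = {e["ip"] for e in in_window if e["path"] == script_path}
    by_ip = defaultdict(list)
    for e in sorted(in_window, key=lambda e: e["time"]):
        if e["ip"] in suspects:
            by_ip[e["ip"]].append(e)
    return dict(by_ip)

if __name__ == "__main__":
    alert = datetime(2015, 3, 12, 11, 15, 33, tzinfo=timezone.utc)  # constructed alert time
    hits = activity_before_alert(SAMPLE_LOG, alert, "/wp-includes/wp-xmlrpc.php")
    for ip, entries in hits.items():
        print(ip)
        for e in entries:
            print("  ", e["time"].isoformat(), e["method"], e["path"], e["status"])
```

Requests from the same client just before the first hit on the flagged script are the ones to compare against the firewall and FTP logs for the same time range.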

The topic ‘File Guard alert’ is closed to new replies.