Title: Malware in /wflogs/attack-data.php?
Last modified: March 20, 2017

---

# Malware in /wflogs/attack-data.php?

 *  [AMX](https://wordpress.org/support/users/lightscapes/)
 * (@lightscapes)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/)
 * Hi,
    My hosting company has informed me that this path contains malware and they
   restricted access to this file. I tried to download it through FTP, I got disconnected
   a few times but finally succeeded.
 * wp-content/wflogs/attack-data.php
 * In Notepad++ this file looks like this:
 * <?php exit(‘Access denied’); __halt_compiler(); ?>
    wfWAF NULNULNULNULNULNULœNULNULNUL…
   and several pages of NULNUL…. Normal Notepad shows empty spaces instead of NUL.
 * I checked the same file on another website and on another host. They are all 
   the same and have 40.083 bytes.
 * Is it a false alarm or something to worry?
    Wordfence hasn’t recorded any admin
   logins from suspicious IPs. My FTP password is long and difficult to brute-force.
    -  This topic was modified 9 years, 2 months ago by [AMX](https://wordpress.org/support/users/lightscapes/).

Viewing 15 replies - 1 through 15 (of 77 total)

1 [2](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md)
[3](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)
[4](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/?output_format=md)
[5](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md)
[6](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/?output_format=md)
[→](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md)

 *  [JoomGeek](https://wordpress.org/support/users/fupfac/)
 * (@fupfac)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933127)
 * I received the same notification. I guess you’re in 1&1 too. Any update wordfense?
 *  Thread Starter [AMX](https://wordpress.org/support/users/lightscapes/)
 * (@lightscapes)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933136)
 * Yes, indeed, I use 1&1.
 *  [JoomGeek](https://wordpress.org/support/users/fupfac/)
 * (@fupfac)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933145)
 * I received the same warning there is a similar post here [https://wordpress.org/support/topic/files-in-wflogs-directory-hacked/#post-8933134](https://wordpress.org/support/topic/files-in-wflogs-directory-hacked/#post-8933134)
   I had a look into the file but I don’t see anything that looks like a hack (I’m
   not a codder neither). Let see what they say
 *  [Alex](https://wordpress.org/support/users/mheob/)
 * (@mheob)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933146)
 * Same here with 1&1.
 *  [t1nobby](https://wordpress.org/support/users/t1nobby/)
 * (@t1nobby)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933150)
 * Same here. 1&1.
 *  [JohnCleary](https://wordpress.org/support/users/johncleary/)
 * (@johncleary)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933159)
 * Same here. Also with 1&1. I’ve forwarded the email to [samples@wordfence.com](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/samples@wordfence.com?output_format=md)
 *  [bosh](https://wordpress.org/support/users/bosh/)
 * (@bosh)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933171)
 * yep. Just got the email warning, Im on 1&1.
 *  [witherslack](https://wordpress.org/support/users/witherslack/)
 * (@witherslack)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933174)
 * yep, me too. 1and1
 *  [Klaus69](https://wordpress.org/support/users/klaus69/)
 * (@klaus69)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933183)
 * Same here with 1&1. I think it is false alarm, I compared with files on other
   installations, one I found changed last time back in Jan., exactly same file 
   sizes.
 * However, the content of the file looks very strange, as described by lightscapes.
 *  [JoomGeek](https://wordpress.org/support/users/fupfac/)
 * (@fupfac)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933210)
 * 1&1 says they desactivated the file. It may explain why we don’t see what’s inside
   the /attach-data.php
 * I think that
 * 1- Either 1&1 go via keyword and when they see a file called /attack-data.php(
   that would be a very stupid name for an attack by the way) updated (most likely
   wordfense updates it alone) they freak out
    2- There was a real attack
 * Let see who gets the solution first
 *  [peripateticfrasmotic](https://wordpress.org/support/users/peripateticfrasmotic/)
 * (@peripateticfrasmotic)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933222)
 * Same notification here – 1&1 again… any ideas?
 * Was there a real attack that WF intercepted and stored data to be analysied remotely
   that 1&1 have now picked up as a ‘new’ attack because it was stored on the server?
    -  This reply was modified 9 years, 2 months ago by [peripateticfrasmotic](https://wordpress.org/support/users/peripateticfrasmotic/).
 *  Thread Starter [AMX](https://wordpress.org/support/users/lightscapes/)
 * (@lightscapes)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933225)
 * I think they only isolated this file, changed the permissions, but you can still
   download it. I also have 2 new sites on Siteground, 2 weeks old, still in maintenance
   mode and this file from those sites looks the same to me as the one on 1&1.
 * On the other hand, I find it good that they actually scan my webspace for malware,
   even if it should turn out to be a false alarm.
    -  This reply was modified 9 years, 2 months ago by [AMX](https://wordpress.org/support/users/lightscapes/).
    -  This reply was modified 9 years, 2 months ago by [AMX](https://wordpress.org/support/users/lightscapes/).
 *  [langhof](https://wordpress.org/support/users/langhof/)
 * (@langhof)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933229)
 * Dito (1&1) I think, it’s a false report.
 *  [hmkay](https://wordpress.org/support/users/hmkay/)
 * (@hmkay)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933238)
 * I received the same warning from 1&1 today.
 * wp-content/wflogs/attack-data.php
 *  [Klaus69](https://wordpress.org/support/users/klaus69/)
 * (@klaus69)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/#post-8933252)
 * [@lightscapes](https://wordpress.org/support/users/lightscapes/) here I disagree.
   When they cause thousands of false alarms, they cause stress and useless work.
   My clients also get these emails, and are of course alarmed by it.
 * Strange anyway: On two of my websites it has access rights 660. On another one–
   but NOT the one for that the mail was sent! – it is 200, and this can therefore
   not be downloaded anymore.

Viewing 15 replies - 1 through 15 (of 77 total)

1 [2](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md)
[3](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)
[4](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/?output_format=md)
[5](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md)
[6](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/?output_format=md)
[→](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md)

The topic ‘Malware in /wflogs/attack-data.php?’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

 * 77 replies
 * 32 participants
 * Last reply from: [wfasa](https://wordpress.org/support/users/wfasa/)
 * Last activity: [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/#post-8947746)
 * Status: not resolved