Title: Malware in /wflogs/attack-data.php?
Last modified: March 20, 2017

---

# Malware in /wflogs/attack-data.php?

 *  [AMX](https://wordpress.org/support/users/lightscapes/)
 * (@lightscapes)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/)
 * Hi,
    My hosting company has informed me that this path contains malware and they
   restricted access to this file. I tried to download it through FTP, I got disconnected
   a few times but finally succeeded.
 * wp-content/wflogs/attack-data.php
 * In Notepad++ this file looks like this:
 * <?php exit(‘Access denied’); __halt_compiler(); ?>
    wfWAF NULNULNULNULNULNULœNULNULNUL…
   and several pages of NULNUL…. Normal Notepad shows empty spaces instead of NUL.
 * I checked the same file on another website and on another host. They are all 
   the same and have 40.083 bytes.
 * Is it a false alarm or something to worry?
    Wordfence hasn’t recorded any admin
   logins from suspicious IPs. My FTP password is long and difficult to brute-force.
    -  This topic was modified 9 years, 2 months ago by [AMX](https://wordpress.org/support/users/lightscapes/).

Viewing 15 replies - 16 through 30 (of 77 total)

[←](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/?output_format=md)
[1](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/?output_format=md)
2 [3](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)
[4](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/?output_format=md)
[5](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md)
[6](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/?output_format=md)
[→](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)

 *  [Delia Carballo](https://wordpress.org/support/users/soydelia/)
 * (@soydelia)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933307)
 * Same here with 1&1.
 *  [olymp1c](https://wordpress.org/support/users/olymp1c/)
 * (@olymp1c)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933313)
 * I have the same email from 1&1. Looks like the “attack” was about 3:36am GMT.
   Using Wordfence (Free edition)
 *  [eWebjojo](https://wordpress.org/support/users/ewebjojo/)
 * (@ewebjojo)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933324)
 * Same thing, several installations on 1&1 space but only one of them with this
   kind of problem.
 * Hacked or not? Any ideas?
 *  [Stevo](https://wordpress.org/support/users/sd142ppr/)
 * (@sd142ppr)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933351)
 * Same here. Modified files in ‘wflogs’ (poss modified by 1and1) as shown:
 * * attack-data.php contains this (as shown, which also seems to generate a lot
   of white data when copied and pasted!):
    **<?php exit(‘Access denied’); __halt_compiler();?
   > wfWAF
 * * config.php has this at the top of what looks like a normal file:
    **<?php exit(‘
   Access denied’); __halt_compiler(); ?>**
 * * ips.php has this at the top, with what looks like normal binary code underneath:
   **
   <?php exit(‘Access denied’); __halt_compiler(); ?>**
 * * rules.php has this above probable normal code:
    **<?php if (!defined(‘WFWAF_VERSION’)){
   exit(‘Access denied’); }
 * Hope this helps!
    Stevo
 *  [pimounet](https://wordpress.org/support/users/pimounet/)
 * (@pimounet)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933401)
 * Same warning from 1&1 today
    WordPress uptodate Wordfence Free File already existed
   before, date has changed but content is the same !
    -  This reply was modified 9 years, 2 months ago by [pimounet](https://wordpress.org/support/users/pimounet/).
 *  [consiliosa](https://wordpress.org/support/users/consiliosa/)
 * (@consiliosa)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933402)
 * Looked at a previous thread & this is the answer from the plugin author
 * Files are modified when plugins are updated and when plugins perform certain 
   functions. It is normal to see the /wflogs/attack-data.php in that list because
   that file is updated when your Wordfence Firewall is working.
 * Possibly just a false alarm?
    Had email from client first thing who had email
   from 1and1.
 *  [atx6sic6](https://wordpress.org/support/users/atx6sic6/)
 * (@atx6sic6)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933435)
 * Same warning from 1&1 today
    WordPress uptodate Wordfence Free
 * Also binary data in the file starting with wfWAF
 * I called 1und1 but at least 1st level support had no clue and insisted this is
   no false alert but couldn’t contact tech staff to confirm. I’m trying it again
   later this day
 *  [rfollett](https://wordpress.org/support/users/rfollett/)
 * (@rfollett)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933448)
 * Also have 2 sites on 1&1 reported same issue. I had to change the permissions
   from 200 to 644 to download. this is contents:
 * <?php exit(‘Access denied’); __halt_compiler(); ?>
    wfWAF
 *  [Stevo](https://wordpress.org/support/users/sd142ppr/)
 * (@sd142ppr)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933474)
 * UPDATE: I deleted the WF plugin, removed the wflogs folder, and reinstalled WF(
   Premium).
 * I have run a scan but it’s stuck here (poss to do with 1and1 file mods/blocks):
   [
   Mar 20 08:12:30] Scanning file contents for infections and vulnerabilities [Mar
   20 08:12:30] Scanning files for URLs in Google’s Safe Browsing List
 *  [generalhawkins](https://wordpress.org/support/users/generalhawkins/)
 * (@generalhawkins)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933484)
 * 1and1 already corrected this issue with the non-hacked-wf files. They say that
   the files can be unlocked by the user in ~3hours (file-permissions back to 604
   or anything that works) from now on..
 *  [divnull](https://wordpress.org/support/users/divnull/)
 * (@divnull)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933493)
 * I’ve just received a reply by 1&1 support. They apologized for sending false 
   alarms regarding attack-data.php (Wordfence). They will adjust their scanner.
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933518)
 * Thanks for the updates guys! If you experience any issues after the Wordfence
   files in wflogs were on lock down by your host 1&1, just delete the wflogs folder.
   It will be recreated the next time any page on your site is visited. Note that
   you will need to go in and set the Firewall back to “Enabled and protecting” 
   as it will default to “Learning mode” when you delete the wflogs folder.
 * Hope it all works out from here but let us know if it doesn’t.
 *  [Landyphil](https://wordpress.org/support/users/landyphil/)
 * (@landyphil)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933539)
 * HI,
    Same here. Got a Mail from 1&1. Looking with WinSCP and Editor to the same
   File attack-data.php shows different Content. I took a screenshot to show it.
   And yes if I mark in WinSCP all the content of the file there are a lot of blancs
   after the code. ⌊Screenshot⌉
 *  [divnull](https://wordpress.org/support/users/divnull/)
 * (@divnull)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933544)
 * Thanks wfasa for the very useful plugin! 🙂
 *  [pimounet](https://wordpress.org/support/users/pimounet/)
 * (@pimounet)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/#post-8933572)
 * Thanks [@wfasa](https://wordpress.org/support/users/wfasa/)

Viewing 15 replies - 16 through 30 (of 77 total)

[←](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/?output_format=md)
[1](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/?output_format=md)
2 [3](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)
[4](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/?output_format=md)
[5](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md)
[6](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/?output_format=md)
[→](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)

The topic ‘Malware in /wflogs/attack-data.php?’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

 * 77 replies
 * 32 participants
 * Last reply from: [wfasa](https://wordpress.org/support/users/wfasa/)
 * Last activity: [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/#post-8947746)
 * Status: not resolved