Title: Malware in /wflogs/attack-data.php? Last modified: March 20, 2017 --- # Malware in /wflogs/attack-data.php? * [AMX](https://wordpress.org/support/users/lightscapes/) * (@lightscapes) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/) * Hi, My hosting company has informed me that this path contains malware and they restricted access to this file. I tried to download it through FTP, I got disconnected a few times but finally succeeded. * wp-content/wflogs/attack-data.php * In Notepad++ this file looks like this: * wfWAF NULNULNULNULNULNULœNULNULNUL… and several pages of NULNUL…. Normal Notepad shows empty spaces instead of NUL. * I checked the same file on another website and on another host. They are all the same and have 40.083 bytes. * Is it a false alarm or something to worry? Wordfence hasn’t recorded any admin logins from suspicious IPs. My FTP password is long and difficult to brute-force. - This topic was modified 9 years, 2 months ago by [AMX](https://wordpress.org/support/users/lightscapes/). Viewing 15 replies - 31 through 45 (of 77 total) [←](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md) [1](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/?output_format=md) [2](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md) 3 [4](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/?output_format=md) [5](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md) [6](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/?output_format=md) [→](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/?output_format=md) * [Ov3rfly](https://wordpress.org/support/users/ov3rfly/) * (@ov3rfly) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933577) * Many customers also got this email, would consider a false positive by some internal 1&1 scanner? * [rfollett](https://wordpress.org/support/users/rfollett/) * (@rfollett) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933584) * I deleted the wflogs folder and then changes firewall back to “Enabled and protecting” and running new scan now but seems to hang on additional files: * [Mar 20 09:06:57] Scanned contents of 235 additional files at 3.70 per second [ Mar 20 09:06:58] Scanned contents of 237 additional files at 3.67 per second [ Mar 20 09:06:59] Scanned contents of 255 additional files at 3.89 per second [ Mar 20 09:07:00] Scanned contents of 289 additional files at 4.33 per second [ Mar 20 09:07:01] Scanned contents of 305 additional files at 4.49 per second [ Mar 20 09:07:03] Scanned contents of 314 additional files at 4.51 per second * hanging here?? * [wfasa](https://wordpress.org/support/users/wfasa/) * (@wfasa) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933611) * Thanks divnull! * rfollett, your scanning issues are most likely due to some other issue. Check your error logs (may be available in the “Logs” section on the Wordfence “Diagnostics” page). You can also enable “debug mode” via the Wordfence Diagnostics page to get more information about each scan stage. Please open a new support thread to discuss scanning issues. Thanks! - This reply was modified 9 years, 2 months ago by [wfasa](https://wordpress.org/support/users/wfasa/). * Thread Starter [AMX](https://wordpress.org/support/users/lightscapes/) * (@lightscapes) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933634) * Thanks [@wfasa](https://wordpress.org/support/users/wfasa/) * [cmarcc](https://wordpress.org/support/users/cmarcc/) * (@cmarcc) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933660) * Hi, * Just received an email from 1and1 explaining it is a false alarm: * > Please excuse this error and any inconvenience caused by this false alarm. > After review, we confirm that your file /wp-content/wflogs/attack-data.php > does not contain any malicious code. The scanner made a mistake in the previous > scan. > The database for the 1&1 Safety Scanner has now been corrected. Please give > our systems 2 hours to implement and distribute the correction. > Important: After this 2 hour timeframe, you may upload your file, *** , to > your WebSpace. Uploading your file before this could cause another false alarm. > If the file still exists in your WebSpace, you can simply change the file permissions > back after this timeframe. > We appreciate your cooperation and look forward to continuing to provide you > safe and secure hosting. * [woltis](https://wordpress.org/support/users/woltis/) * (@woltis) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933668) * [@wfasa](https://wordpress.org/support/users/wfasa/) * I deleted the folder as requested, it is recreated immediately by the plugin – and the file attack-data.php looks exactly the same, including the strange NUL values. * So deleting the folder changes nothing – except all whitelisted urls are gone from the firwall-setting. I would not recommend to delete this folder. * On one side it seems to be a false alert, on the other hand it might be useful to find out, where those strange NUL values come from. - This reply was modified 9 years, 2 months ago by [woltis](https://wordpress.org/support/users/woltis/). - This reply was modified 9 years, 2 months ago by [woltis](https://wordpress.org/support/users/woltis/). * [JohnCleary](https://wordpress.org/support/users/johncleary/) * (@johncleary) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933767) * Thanks [@wfasa](https://wordpress.org/support/users/wfasa/) 🙂 * [jrvidaud](https://wordpress.org/support/users/jrvidaud/) * (@jrvidaud) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933831) * 1&1 Safety Scanner is faulty. * De-activate Wordfence. * Erase wflogs folder. * Re-activate Wordfence. * wflogs will be re-created. * Regards and thanks to Wordfence team for the very good work ! * [woltis](https://wordpress.org/support/users/woltis/) * (@woltis) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933849) * [@jrvidaud](https://wordpress.org/support/users/jrvidaud/) * Deleting the folder changes nothing – except all whitelisted urls are gone from the firwall-setting. * **The best solution is: do nothing!** * It’s a false alert. * [JohnCleary](https://wordpress.org/support/users/johncleary/) * (@johncleary) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933888) * In [@wfasa](https://wordpress.org/support/users/wfasa/) ‘s defence; they only said to delete the flogs folder “**If you experience any issues after the Wordfence files in wflogs were on lock down by your host 1&1**” 🙂 - This reply was modified 9 years, 2 months ago by [JohnCleary](https://wordpress.org/support/users/johncleary/). * [bosh](https://wordpress.org/support/users/bosh/) * (@bosh) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933961) * Sadly i (hastily) did delete my folder. It will replace itself on next attack I hope 😉 * **This is what 1&1 just sent to me:** * > Please excuse this error and any inconvenience caused by this false alarm. > After review, we confirm that your file /wp-content/wflogs/attack-data.php > does not contain any malicious code. The scanner made a mistake in the previous > scan. > The database for the 1&1 Safety Scanner has now been corrected. Please give > our systems 2 hours to implement and distribute the correction. > Important: After this 2 hour timeframe, you may upload your file, /wp-content/ > wflogs/attack-data.php, to your WebSpace. Uploading your file before this could > cause another false alarm. If the file still exists in your WebSpace, you can > simply change the file permissions back after this timeframe. Please see this > help article for information on setting permissions. > [http://help.1and1.co.uk/article/649968.html](http://help.1and1.co.uk/article/649968.html) > If you should require further information, please reply to this e-mail, leaving > our reference [Ticket xxxxxxxx] in your message. You can also call us at 0333 > 336 5691, from Monday-Friday, 11:00am-22:00pm. - This reply was modified 9 years, 2 months ago by [bosh](https://wordpress.org/support/users/bosh/). * [rob.wheatley](https://wordpress.org/support/users/robwheatley/) * (@robwheatley) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8933987) * Looks like I’m one of many people who got this message from 1and1 today. * I did the ‘delete the log folder’ trick to ‘reset’ things. That’s all fine. My problem now is that scans don’t complete (never had this issue before, even on high sensitivity mode). I’ve tried the usual increase memory trick, but no joy. * I note that from above, I should start this topic on a new thread, but I’ve added it here, just in case it’s related. I’ve had problems with 1and1 before ‘quarantining’ files they don’t like the look of and that has broken other plugins. Perhaps 1and1 have quarantined something else that’s broken WordFence? * So, for the people who had the 1and1 attack-data issue, are things all fine with scans now? If so, then my scan problem is unrelated and I’ll sort it out elsewhere. If not, then perhaps we could look a little deeper to see what else 1and1 have done..? * [Stevo](https://wordpress.org/support/users/sd142ppr/) * (@sd142ppr) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8934008) * [@robwheatley](https://wordpress.org/support/users/robwheatley/) I have exactly the same issue Rob, and have contacted Wordfence support about this also. * [generalhawkins](https://wordpress.org/support/users/generalhawkins/) * (@generalhawkins) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8934014) * Hi Rob, in any case you should find a log file from 1and1 on your webspace. Check if there is a forensic directory withing your /logs/ folder. There you should find further infos of what 1and1 locked on your space. * [wfasa](https://wordpress.org/support/users/wfasa/) * (@wfasa) * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/#post-8934097) * Hi again! Yes, **do not delete wflogs unless you are having issues with blocking or Live Traffic**. It completely resets the Firewall! * I see that two people have reported scan issues following this. I’m not sure why deleting wflogs would affect your scans. That’s not something we have seen before so this is why I suggested creating new threads for this. As a general recommendation to debug scans that hang * 1. Enable “debug mode” at the bottom of the Wordfence diagnostics page. Run a manual scan. You will now see much more detailed information in the “Scan detailed activity” box. It may give an indication if there are any connection issues with Wordfence servers or if a large file is being scanned right before it stops, the scan may be hanging on that particular file. * 2. If it appears that your scan is getting stuck on a large file, you can try disabling “Scan images, binary, and other files as if they were executable” on the Wordfence options page. You can also try lowering the “Maximum execution time for each scan stage” to less than half of what max_execution_time is set to on your server. Typically, a value of 20 should work here. If you want to know what max execution time is set at on your site, you can click “Click to view your system’s configuration in a new window” on the Wordfence Diagnostics page and then search in that page for “max_execution_time”. * 3. Check your servers error logs to make sure no Fatal Errors are being generated during the scan. On many sites you can get the servers error logs directly via the “Logs” section on the Wordfence Diagnostics page. If you can not find your error logs there, and you can not find them in your web hosts administration panel, please ask your host to provide them. * Once you have gone through these steps, I would suggest creating a new thread in the forum and present your findings. Viewing 15 replies - 31 through 45 (of 77 total) [←](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md) [1](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/?output_format=md) [2](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md) 3 [4](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/?output_format=md) [5](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md) [6](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/?output_format=md) [→](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/?output_format=md) The topic ‘Malware in /wflogs/attack-data.php?’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) * 77 replies * 32 participants * Last reply from: [wfasa](https://wordpress.org/support/users/wfasa/) * Last activity: [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/#post-8947746) * Status: not resolved