Title: Malware in /wflogs/attack-data.php?
Last modified: March 20, 2017

---

# Malware in /wflogs/attack-data.php?

 *  [AMX](https://wordpress.org/support/users/lightscapes/)
 * (@lightscapes)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/)
 * Hi,
    My hosting company has informed me that this path contains malware and they
   restricted access to this file. I tried to download it through FTP, I got disconnected
   a few times but finally succeeded.
 * wp-content/wflogs/attack-data.php
 * In Notepad++ this file looks like this:
 * <?php exit(‘Access denied’); __halt_compiler(); ?>
    wfWAF NULNULNULNULNULNULœNULNULNUL…
   and several pages of NULNUL…. Normal Notepad shows empty spaces instead of NUL.
 * I checked the same file on another website and on another host. They are all 
   the same and have 40.083 bytes.
 * Is it a false alarm or something to worry?
    Wordfence hasn’t recorded any admin
   logins from suspicious IPs. My FTP password is long and difficult to brute-force.
    -  This topic was modified 9 years, 2 months ago by [AMX](https://wordpress.org/support/users/lightscapes/).

Viewing 15 replies - 46 through 60 (of 77 total)

[←](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)
[1](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/?output_format=md)
[2](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md)
[3](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)
4 [5](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md)
[6](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/?output_format=md)
[→](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md)

 *  [rfollett](https://wordpress.org/support/users/rfollett/)
 * (@rfollett)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934101)
 * with ref to scans not completing now also in my case. Would a simple option be
   to deactivate and delete, re-install Wordfence – might this work, wont case any
   harm?
 *  [Stevo](https://wordpress.org/support/users/sd142ppr/)
 * (@sd142ppr)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934114)
 * I suspect it is a wider 1and1 issue with permissions, as I note that Updraft 
   Plus (backup plugin) is now also taking forever/failing to finish a full backup.
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934242)
 * Thanks for the update Stevo. If anyone on 1&1 hosting who are experiencing scan
   issues can check their servers error logs (as outlined in my previous posts) 
   and report back with findings that may help.
 *  [Rick Leslie](https://wordpress.org/support/users/pcservices/)
 * (@pcservices)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934266)
 * I have just got off the phone from 1and1. They confirm that the issue is a ‘false
   positive’ on their malware scanner and that the file is harmless. They will be
   emailing affected customers to inform them of the error ‘in due course’.
 *  [Stevo](https://wordpress.org/support/users/sd142ppr/)
 * (@sd142ppr)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934274)
 * Hi [@wfasa](https://wordpress.org/support/users/wfasa/),
 * The WF scan sems to be very random when it stops (judging from debug screen –
   different point every time). I thought it was Updraft Plus, as I deactivated 
   and deleted it, then got a clean scan. After reinstalling UP, the WF scan hung
   again, so I deactivated/deleted UP again, but this time the scan hangs anyway.
 * SOMETHING is amiss… Still convinced 1and1 settings have done this.
 *  [bosh](https://wordpress.org/support/users/bosh/)
 * (@bosh)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934280)
 * My scan will not complete. I also cannot delete the wflogs folder even though
   I managed to transfer some of it to my desktop, it will not delete remotely, 
   its says it is not empty, but it is (I use Trasnmit so it shows hidden files.(
   Error message is Error -126: remote rmdir failed). Ive tried deactivating wordfence,
   then trying to delete, no joy. I reactivate the plugin, still the scan will not
   complete. I cannot find the setting to set a timout limit (Maximum execution 
   time for each scan stage), only maxmimum time for entire scan. Is this only on
   premium?
    -  This reply was modified 9 years, 2 months ago by [bosh](https://wordpress.org/support/users/bosh/).
 *  [Stevo](https://wordpress.org/support/users/sd142ppr/)
 * (@sd142ppr)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934318)
 * The main point here is that **scans are NOT finishing for 1and1 customers**. 
   I know that as I have 20+ WP installations with WF on ALL, and ALL are hanging.
 * Therefore it seems somewhat of a wasted exercise to make changes to WF, when 
   it’s clear that 1and1 has made a change somewhere that is affecting the plugin’s
   scan ability.
 * (As an aside to this but relevant, I now have an issue with Updraft Plus being
   able to compile/upload backup files, so it appears something has been severely
   curtailed/throttled).
 * Stevo
 *  [JohnCleary](https://wordpress.org/support/users/johncleary/)
 * (@johncleary)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934349)
 * I just checked one of my affected sites and was shocked/surprised to see:
 * Last scan completed: 16 November 2016 7:15 am
 * I’m scanning now in debug mode as per [@wfasa](https://wordpress.org/support/users/wfasa/)
   suggestion…
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934387)
 * If your scans have not run since 16 November it sounds like WordPress cron may
   have been deactivated at this time.
 * Due to the various issues we see popping up here, I would recommend that everyone
   just hold tight while 1&1 try to get their changes made and send out information
   to all of you about what changes they have made. We will keep an eye on this 
   of course, but hopefully most issues should be resolved once 1&1 have rolled 
   back whatever changes they made that caused this.
 *  [bosh](https://wordpress.org/support/users/bosh/)
 * (@bosh)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934410)
 * Thanks for helpful replies. OK. I was going to delet WordFence and start again
   but I think I’ll wait as wfasa suggests. FYI like others are stating, WF scan
   is hanging at different points each time, no consistency. I wont deactivate Updraft
   Plus as it doesnt seem worth going on what Stevo said.
 *  [JohnCleary](https://wordpress.org/support/users/johncleary/)
 * (@johncleary)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934423)
 * [@wfasa](https://wordpress.org/support/users/wfasa/) It looks like it’s been 
   trying to run but not completed. I’ll await further instructions from either 
   you or 1&1.
 * It’s been stuck for 30 minutes on: [Mar 20 12:26:44] Calling Wordfence API v2.23:
   [https://noc1.wordfence.com/v2.23/?v=4.7.3&s=<website](https://noc1.wordfence.com/v2.23/?v=4.7.3&s=<website)
   address>;&k=<longnumber>&openssl=<anothernumber>&phpv=5.6.30&betaFeed=0&cacheType
   =disabled&action=password_load_results
    -  This reply was modified 9 years, 2 months ago by [JohnCleary](https://wordpress.org/support/users/johncleary/).
    -  This reply was modified 9 years, 2 months ago by [JohnCleary](https://wordpress.org/support/users/johncleary/).
 *  [Nomadsteam](https://wordpress.org/support/users/nomadsteam/)
 * (@nomadsteam)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934508)
 * Same for me. I’m stucked on “Calling Wordfence API v2.23[…]action=send_net_404s.
   Like _bosh_, WF scan is hanging at different stades each time.
 * If someone gets a response from 1&1 about the issue, please come back post here.
 *  [JoomGeek](https://wordpress.org/support/users/fupfac/)
 * (@fupfac)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934648)
 * replied from 1&1: it was a mistake they are sorry :p
 *  [Nomadsteam](https://wordpress.org/support/users/nomadsteam/)
 * (@nomadsteam)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934702)
 * Yes JoomGeek, but now the WF scans are hanging :/
 * I wrote to 1&1 but no answer yet.
 *  [Stevo](https://wordpress.org/support/users/sd142ppr/)
 * (@sd142ppr)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/4/#post-8934822)
 * UPDATE. SCAN NOW RUNNING CLEAN. VERY FAST.
 * FOR NOW …PROBLEM SOLVED 🙂

Viewing 15 replies - 46 through 60 (of 77 total)

[←](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)
[1](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/?output_format=md)
[2](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/2/?output_format=md)
[3](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/3/?output_format=md)
4 [5](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md)
[6](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/?output_format=md)
[→](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/5/?output_format=md)

The topic ‘Malware in /wflogs/attack-data.php?’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

 * 77 replies
 * 32 participants
 * Last reply from: [wfasa](https://wordpress.org/support/users/wfasa/)
 * Last activity: [9 years, 2 months ago](https://wordpress.org/support/topic/malware-in-wflogsattack-data-php/page/6/#post-8947746)
 * Status: not resolved