Title: php file generated in tmp folder ISP reports as hack attack Last modified: August 21, 2016 --- # php file generated in tmp folder ISP reports as hack attack * [tcollins123](https://wordpress.org/support/users/tcollins123/) * (@tcollins123) * [12 years, 9 months ago](https://wordpress.org/support/topic/php-file-generated-in-tmp-folder-isp-reports-as-hack-attack/) * Hi, * Should you be generating php files onto my website or is this a real hack? * Received this message from 1&1 who host my website. * A few minutes ago, our anti-virus scanner reported that a malicious file has been uploaded to your 1&1 webspace. * Name of the file: ~/wp-content/plugins/wponlinebackup/tmp/backup.zip.fe25fdb2c25da7d9adfe57a401700578b628b5e4. php * Please note: To protect you from dangerous hacker attacks, our anti-virus scanner checks every file that is uploaded to or modified. If a file exhibits malicious patterns, it is automatically disabled. * This detection will continue to run after this message in order to disable any other malicious files. * Please let me know asap as at the moment I cannot continue to use your plug in. * [http://wordpress.org/plugins/wponlinebackup/](http://wordpress.org/plugins/wponlinebackup/) Viewing 7 replies - 1 through 7 (of 7 total) * Plugin Author [Online Backup](https://wordpress.org/support/users/driskell/) * (@driskell) * [12 years, 9 months ago](https://wordpress.org/support/topic/php-file-generated-in-tmp-folder-isp-reports-as-hack-attack/#post-4032586) * Hi tcollins123, * That file is the backup file the plugin generates. When it is completed it will be moved into wp-content/backup/ if it is a local backup. So it’s not a hack at all. We use PHP extension while generating it to prevent access to it since it’s not complete or usable while it’s still generating, and also as a further method of preventing illegitimate downloading of it. * So it’s a false positive of their scanner. * Jason. * Thread Starter [tcollins123](https://wordpress.org/support/users/tcollins123/) * (@tcollins123) * [12 years, 9 months ago](https://wordpress.org/support/topic/php-file-generated-in-tmp-folder-isp-reports-as-hack-attack/#post-4032590) * Hi Jason, * Thanks for the rapid feedback, much appreciated. Unfortunately I don’t think my ISP is going to change its anti virus settings so I am a bit stuck as I’m fairly sure their abuse department will come down on me like ‘a ton of bricks’ if I simply ignore their emails. * so its a problem for me. * Thanks again though. * Tony * Plugin Author [Online Backup](https://wordpress.org/support/users/driskell/) * (@driskell) * [12 years, 9 months ago](https://wordpress.org/support/topic/php-file-generated-in-tmp-folder-isp-reports-as-hack-attack/#post-4032591) * Hi Tony, * If you can ask them WHY it got flagged, then maybe we can adjust the way we do things. But of course if their detection system is way way over restrictive that might not be possible, but we can always try if it only takes a small tweak. * Thread Starter [tcollins123](https://wordpress.org/support/users/tcollins123/) * (@tcollins123) * [12 years, 9 months ago](https://wordpress.org/support/topic/php-file-generated-in-tmp-folder-isp-reports-as-hack-attack/#post-4032593) * One of my developers suggests the issue is that a non-executable file should never be given an executable extension, even for a temporary period. * Would you consider changing to not use any executable suffix? * Tony * Plugin Author [Online Backup](https://wordpress.org/support/users/driskell/) * (@driskell) * [12 years, 9 months ago](https://wordpress.org/support/topic/php-file-generated-in-tmp-folder-isp-reports-as-hack-attack/#post-4032597) * Hi Tony, * PHP is not an executable format and just a script, and the file is a valid script that if accessed just exits – the backup data is kept inside that script. This protects from download where if it was ZIP and someone accessed it would download. * This is how it always was in order to keep the backup secure – however, local backups is somewhat different than it used to be and the filename is now randomly generated so maybe this is not as necessary anymore, but it is a sensitive area. * If we can find out the specific pattern the anti-virus is picking up it may be better as we could keep the status-quo and just make things not match the pattern. * Preventing a script from creating PHP files would seem a bit OTT as lots of cache plugins do almost the same in order to speed up page view while still keeping some elements dynamic. * Jason * Thread Starter [tcollins123](https://wordpress.org/support/users/tcollins123/) * (@tcollins123) * [12 years, 9 months ago](https://wordpress.org/support/topic/php-file-generated-in-tmp-folder-isp-reports-as-hack-attack/#post-4032605) * I understand where you are coming from but I can’t do anything my end about it. * If you do decide to not use php extensions let me know and I’ll revisit your plug in. * Really appreciate your rapid response. * Thanks. * Tony * Plugin Author [Online Backup](https://wordpress.org/support/users/driskell/) * (@driskell) * [12 years, 9 months ago](https://wordpress.org/support/topic/php-file-generated-in-tmp-folder-isp-reports-as-hack-attack/#post-4032607) * Hi Tony, * You’ll be able to contact your host and they can provide the specifics on why it was flagged, then you can pass that to me. * As it stands I won’t be able to talk to your host as they won’t tell me anything as I’m not a customer. Also I won’t be able to show them anything where you can. * I understand if it’s too much trouble and you are busy though, or if your host is difficult to worth with, and that’s fine if so. All the best. * Regards, * Jason Viewing 7 replies - 1 through 7 (of 7 total) The topic ‘php file generated in tmp folder ISP reports as hack attack’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/wponlinebackup_7192a1.svg) * [Online Backup for WordPress](https://wordpress.org/plugins/wponlinebackup/) * [Frequently Asked Questions](https://wordpress.org/plugins/wponlinebackup/#faq) * [Support Threads](https://wordpress.org/support/plugin/wponlinebackup/) * [Active Topics](https://wordpress.org/support/plugin/wponlinebackup/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wponlinebackup/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wponlinebackup/reviews/) ## Tags * [malicious](https://wordpress.org/support/topic-tag/malicious/) * [php file](https://wordpress.org/support/topic-tag/php-file/) * [tmp](https://wordpress.org/support/topic-tag/tmp/) * 7 replies * 2 participants * Last reply from: [Online Backup](https://wordpress.org/support/users/driskell/) * Last activity: [12 years, 9 months ago](https://wordpress.org/support/topic/php-file-generated-in-tmp-folder-isp-reports-as-hack-attack/#post-4032607) * Status: not resolved