What are these for: wflogs/ips.php config attack-data

  • nix255

    (@nix255)


    9 years, 5 months ago

    Hi,

    I have my own VPS and a few wordpress sites with wordfence installed. I am getting a lot of alerts from CSF in WHM for suspicious processes taking a long time for each website. These are using files: wp-content/wflogs/ips.php, wp-content/wflogs/config.tmp.xxxxx wp-content/wflogs/attack-data.php

    I thought these files were used by the firewall, but even with the firewall disabled something is still accessing these files and taking a long time causing suspicious process alerts.

    Can you please shed some light on what these files are used for, if it is normal behaviour even with the firewall disabled, and how to stop the processes over-running.

    Thanks.

Viewing 4 replies - 1 through 4 (of 4 total)
  • itechpk

    (@itechpk)

    9 years, 5 months ago

    my hosting provider is also complaining about these files and have suspended 3 of my websites.

    i believe that these (or some) files are used to report attack data to wordfence servers, which we can turn off from settings that do not participate in real time attack reporting …

    i was sure that i had these settings turned off on all my sites where i use woprdfence, but what i think happened is that last week wordfence 6.2.8 is released and the auto update of wordfence has reset the participate setting turn on and my hosting provider took this process as suspicious and suspended my sites….

    by rule, wordfence shouldn’t have changed my set preferences on auto update!!

    i am afraid of my other website sites where it might have eventually turned on the participate in real monitoring program…

    Bogus Exception

    (@bogus-exception)

    9 years, 3 months ago

    So what is/was the deal with these?

    I must have missed the answer/resolution…?

    Recently Modified Files

    Modified	          File
February 5, 2017 9:00pm	  wp-content/wflogs/attack-data.php
February 5, 2017 9:00pm	  wp-content/wflogs/config.php

    Can we keep them from being deleted?

    techspecx

    (@techspecx)

    8 years, 11 months ago

    Hello,

    I would like to know also why I keep getting a report saying that these files have been modified. I ran a scan and have a secondary security plugin but everything is clean. I have 9 websites and it is just this one website that these files keep getting modified:

    wp-content/wflogs/ips.php
    wp-content/wflogs/config.php
    wp-content/wflogs/attack-data.php
    wp-content/wflogs/wafRules.rules
    wp-content/wflogs/rules.php

    Thank you.

    Regards.

    Bogus Exception

    (@bogus-exception)

    8 years, 11 months ago

    Simple.
    You have Wordfence installed, and each <period> a report is generated & sent to them.
    The data is locally collected (what thou see listed), and then after being sent, is deleted.
    Seeing as these folders are not whitelisted, they are reported for this activity just as you’d expect.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘What are these for: wflogs/ips.php config attack-data’ is closed to new replies.