Hi there,
My site has Wordfence and Antimalware installed. Wordfence sends me an email every week telling me what it was up to. Every week it tells me the top modified files are things like:
wp-content/plugins/gotmls/safe-load/_SESSION/.GOTMLS.6d5683eb555fba4c06d32f417260c326.php
They are always in the GOTMLS safe load directory and there are always a lot of them.
So I had a wee look to see what was in one of these files and found some base64 code.
PHP code would begin here
—
$GLOBALS["GOTMLS"]["logins"]["e278f3d8359437957452325f82c85676"]=unserialize(base64_decode("YToxOntzOjM6IkdFVCI7czoxMzoiMTQzNzQxNjAwNy45MiI7fQ=="));
—
PHP code would end here
What does this do? When decoded it says this:
a:1:{s:3:"GET";s:13:"1437416007.92";}
Is this malicious? Anyone know what and why this is?
Many thanks,
Graham.
These files are not malicious; they are written by the Brute-Force Login patch installed by my plugin. These are essentially log files that record all the failed login attempts. As you can see from the info you have decoded, those files store a timestamp and method in a serialized array.
I don’t want to use the database to store that info because the whole point of my Brute-Force patch is to preempt the WordPress boot-loader so as to prevent attacks from having a DDoS effect on your server.
I am working on a better way to do this though, one that does not require writing to files or using a session.
Thank you. That makes a lot more sense now.
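For anyone who wants to inspect such a file without running PHP's unserialize() on it, here is an added example (not part of the thread and not the plugin's code). It decodes the line quoted in the question with a parser that accepts only integers, strings and arrays and refuses object tags. The function names and the regular expression are assumptions based on that single line.

```python
import base64
import re
from datetime import datetime, timezone

# The line quoted in the question.
SAMPLE = ('$GLOBALS["GOTMLS"]["logins"]["e278f3d8359437957452325f82c85676"]='
          'unserialize(base64_decode("YToxOntzOjM6IkdFVCI7czoxMzoiMTQzNzQxNjAwNy45MiI7fQ=="));')

# Assumed line shape, derived only from the sample above.
LINE_RE = re.compile(r'\["logins"\]\["([0-9a-f]{32})"\]='
                     r'unserialize\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)')


def parse_value(buf, pos):
    """Parse one PHP-serialized value (int, string or array) starting at buf[pos]."""
    tag = buf[pos:pos + 2]
    if tag == b"i:":
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    if tag == b"s:":
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])      # PHP stores the byte length
        start = colon + 2                     # skip the colon and opening quote
        if buf[colon + 1:start] != b'"' or buf[start + length:start + length + 2] != b'";':
            raise ValueError("malformed string")
        return buf[start:start + length].decode("utf-8"), start + length + 2
    if tag == b"a:":
        brace = buf.index(b":{", pos + 2)
        count = int(buf[pos + 2:brace])
        pos, out = brace + 2, {}
        for _ in range(count):
            key, pos = parse_value(buf, pos)
            out[key], pos = parse_value(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return out, pos + 1
    # Object and reference tags (O:, C:, r:, R:) are refused, never instantiated.
    raise ValueError("unsupported type tag %r" % tag)


def decode_log_line(line):
    """Return (entry key, {method: UTC datetime}) for one safe-load log line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a recognised log line")
    raw = base64.b64decode(m.group(2), validate=True)
    data, end = parse_value(raw, 0)
    if end != len(raw) or not isinstance(data, dict):
        raise ValueError("unexpected payload")
    return m.group(1), {k: datetime.fromtimestamp(float(v), tz=timezone.utc)
                        for k, v in data.items()}
```

A file in that directory whose payload makes `decode_log_line` raise, for example because it carries an `O:` object tag or trailing bytes, does not match the log format described in the answer and deserves a closer look.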