Wordfence (issues with modified GOTMLS files)

This topic contains 2 replies, has 2 voices, and was last updated by  Graham Crichton 8 years, 8 months ago.

  • #1254

    Hi there,

    My site has Wordfence and Antimalware installed. Wordfence sends me an email every week telling me what it was up to. Every week it tells me the top modified files are things like:
    wp-content/plugins/gotmls/safe-load/_SESSION/.GOTMLS.6d5683eb555fba4c06d32f417260c326.php

    They are always in the GOTMLS safe load directory and there are always a lot of them.

    So I had a wee look to see what was in one of these files and found some base64 code.

    Php code would begin here

    $GLOBALS["GOTMLS"]["logins"]["e278f3d8359437957452325f82c85676"]=unserialize(base64_decode("YToxOntzOjM6IkdFVCI7czoxMzoiMTQzNzQxNjAwNy45MiI7fQ=="));

    Php code would end here

    What does this do? When decoded it says this:
    a:1:{s:3:"GET";s:13:"1437416007.92";}

    Is this malicious? Anyone know what and why this is?

    Many thanks,
    Graham.

    #1256

    Anti-Malware Admin
    Key Master

    These files are not malicious; they are written by the Brute-Force Login patch installed by my plugin. These are essentially log files that record all the failed login attempts. As you can see from the info you have decoded, those files store a timestamp and method in a serialized array.

    I don’t want to use the database to store that info because the whole point of my Brute-Force patch is to preempt the WordPress boot-loader so as to prevent attacks from having a DDoS effect on your server.

    I am working on a better way to do this though, one that does not require writing to files or using a session.
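
The reply above describes these files as log entries holding a method and a timestamp in a serialized array. As an added example (not part of the original thread and not the plugin's own code), this Python script decodes such a line for triage without calling PHP's unserialize, accepting only scalars and arrays and refusing any other type tag. The regular expression assumes other entries have the same shape as the one line quoted in the first post.

```python
import base64
import re
from datetime import datetime, timezone

# Constructed sample: the line quoted in the first post, with straight quotes.
SAMPLE = ('$GLOBALS["GOTMLS"]["logins"]["e278f3d8359437957452325f82c85676"]=unserialize('
          'base64_decode("YToxOntzOjM6IkdFVCI7czoxMzoiMTQzNzQxNjAwNy45MiI7fQ=="));')
# Assumption: other entries have the same shape as that one line.
ENTRY_RE = re.compile(r'\["logins"\]\["([0-9a-f]{32})"\]='
                      r'unserialize\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)')

def parse_value(buf, pos=0):
    """Parse one PHP-serialized scalar or array; return (value, next_pos).
    Any other type tag (notably O: objects) raises: nothing is instantiated."""
    tag = buf[pos:pos + 2]
    if tag == b"N;":
        return None, pos + 2
    if tag in (b"i:", b"d:", b"b:"):
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode("ascii")
        conv = {b"i:": int, b"d:": float, b"b:": lambda s: s == "1"}[tag]
        return conv(raw), end + 1
    if tag in (b"s:", b"a:"):
        colon = buf.index(b":", pos + 2)
        n, body = int(buf[pos + 2:colon]), colon + 2
        if tag == b"s:":                      # s:<len>:"<bytes>";
            if buf[colon + 1:body] != b'"' or buf[body + n:body + n + 2] != b'";':
                raise ValueError("malformed string")
            return buf[body:body + n].decode("utf-8", "replace"), body + n + 2
        if buf[colon + 1:body] != b"{":       # a:<count>:{<key><value>...}
            raise ValueError("malformed array")
        out, pos = {}, body
        for _ in range(n):
            key, pos = parse_value(buf, pos)
            out[key], pos = parse_value(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return out, pos + 1
    raise ValueError(f"refusing type tag {tag!r} at offset {pos}")

def triage(line):
    """Return (entry_id, [(method, utc_time)]) for one log line, else None."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    data, _ = parse_value(base64.b64decode(m.group(2), validate=True))
    if not isinstance(data, dict):
        raise ValueError("expected a serialized array")
    return m.group(1), [(k, datetime.fromtimestamp(float(v), timezone.utc)
                         .isoformat()) for k, v in data.items()]
```

A line that does not match the expected shape returns None from triage, and a payload that fails to parse raises ValueError; either result marks a file for manual inspection.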

    #1259

    Thank you. That makes a lot more sense now :-)

The topic ‘Wordfence (issues with modified GOTMLS files)’ is closed to new replies.