Installatron and deleteme.wpxxxx.php



    #13551
    Tina Dubinsky
    Participant

    My new host uses Installatron to install program apps including WordPress (like Fantastico does).

    When migrating a new site to the new host, it suggests:

    1. setting up a new WordPress database first using Installatron
    2. FTPing your files over the new install
    3. dropping tables of new install
    4. importing new tables
    5. changing config to new database details

    This has all worked okay except Installatron likes to put its own file in your web directory which helps it to manage wordpress updates.

    I only discovered this when the file, which follows the format deleteme.wpXXXX.php, was quarantined. At first, I thought it was someone trying to inject a file onto my server, so I deleted it. Then, after it became persistent, I looked into it further: where it was coming from, what it is used for, etc.

    How do I get BPS to ignore this file? Should it? Should I just go back and redo everything again, without following the Installatron instructions of my new host?

    Cheers!
    Tina.

    #13553
    AITpro Admin
    Keymaster

    This has all worked okay except Installatron likes to put its own file in your web directory which helps it to manage wordpress updates.

    You do NOT want to allow the Host 3rd party application installer to manage WordPress updates for 2 reasons:

    1.  WordPress automatically does this now with automatic updates.  AutoRestore/Quarantine is fully automated and integrated with the WordPress automatic updates:  http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#automation
    2.  Having a 3rd party application manage WordPress files will trigger AutoRestore/Quarantine to quarantine any files that are updated by a 3rd party application.  ARQ will think these files are being modified, added or created by a hacker.

    See this video tutorial for how to exclude (ARQ Calibration) files in ARQ http://forum.ait-pro.com/video-tutorials/#autorestore-quarantine but what I think you should do is contact your Host and ask them how to turn off/disable the WordPress automatic update by the Host 3rd party application for the 2 reasons stated above.

    #21269
    jenni101
    Participant

    Hi there,
    I’ve just had the same thing – about 4 ‘deleteme…php’ files in Quarantine. Good to have found this thread so I understand what it is! Just to confirm, if I disable Installatron for all updates of any kind (and all scheduled backups for it too?) then I can just delete these ‘deleteme’ files in Quarantine?
    Thanks.

    #21270
    AITpro Admin
    Keymaster

    Yep, you can just delete those files.  They are some kind of helper files for Installatron and obviously with a filename like “deleteme” they can be deleted without causing any problems.

    #21272
    jenni101
    Participant

    Thanks – all sorted now!

    #29995
    YoolsLoganta
    Participant

    Hi there,

    Is there a way to keep these deleteme files from getting picked up by autorestore/quarantine? They all have different names, so… But they keep alerting BPS Pro and thus my clients ; )

    Thanks,
    Stefaan

    #29997
    AITpro Admin
    Keymaster

    Unfortunately, since Installatron creates these randomly named files in the hosting account root folder instead of putting these files in an /installatron/ folder for example, you cannot exclude a folder (/installatron/, /example-folder/, etc.) from being checked by ARQ IDPS. Since the files are randomly named and ARQ IDPS does not allow using Regex, since that would negate the effectiveness of ARQ IDPS, that leaves you with either turning ARQ IDPS Off or deleting these deleteme temporary files when they get quarantined. We looked at and tested allowing Regex in file exclude rules and that creates a very easy loophole for hackers to be able to beat ARQ IDPS. Example: deleteme-hacker-file.php would no longer be checked by ARQ IDPS and the site would be hacked.
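The loophole described in the reply above, shown as an added example that is not part of the thread or of BPS Pro: a toy file-integrity check over a constructed list of files, comparing exact-path exclusions (the only kind ARQ IDPS accepts) with a hypothetical regex exclusion broad enough to cover Installatron's randomly named helper files. The file names, the baseline and the `^deleteme.*\.php$` pattern are all constructed for the demonstration.

```python
import re

# Constructed baseline of files known to belong to the site (not a real BPS baseline).
BASELINE = {"index.php", "wp-config.php", "wp-content/plugins/bps/bps.php"}

# Constructed snapshot of the hosting-account root after an Installatron run,
# plus one unrelated new file that an integrity check should still flag.
CURRENT = BASELINE | {"deleteme.wp1a2b.php", "deleteme-hacker-file.php"}


def new_files(current, baseline):
    """Files present now that were not in the baseline, in sorted order."""
    return sorted(p for p in current if p not in baseline)


def flag_with_exact_excludes(current, baseline, excludes):
    """Exact-path exclusions: only a path listed verbatim is skipped.

    A randomly named file never matches an entry written in advance, so the next
    deleteme.wpXXXX.php is flagged again; nothing else slips through either.
    """
    return [p for p in new_files(current, baseline) if p not in excludes]


def flag_with_regex_excludes(current, baseline, patterns):
    """Hypothetical regex exclusions, the design the forum reply rejects.

    Any pattern loose enough to cover unpredictable helper-file names also
    covers every other file an attacker chooses to name the same way.
    """
    compiled = [re.compile(pat) for pat in patterns]
    return [
        p for p in new_files(current, baseline)
        if not any(c.search(p) for c in compiled)
    ]


if __name__ == "__main__":
    print("exact, no excludes :", flag_with_exact_excludes(CURRENT, BASELINE, set()))
    print("exact, one excluded:", flag_with_exact_excludes(CURRENT, BASELINE, {"deleteme.wp1a2b.php"}))
    print("regex exclude      :", flag_with_regex_excludes(CURRENT, BASELINE, [r"^deleteme.*\.php$"]))
```

With the regex exclusion both new files disappear from the report, which is the blind spot the reply warns about; with exact paths the unexpected file is always reported.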
