WordPress readme.html file quarantined repeatedly

Home Forums BulletProof Security Pro WordPress readme.html file quarantined repeatedly

This topic contains 5 replies, has 2 voices, and was last updated by  AITpro Admin 3 years, 4 months ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • #21013

    Jack Smith
    Participant

    I have been getting continuous messages in quarantine stating “/home/content/xxxxx/09/2120909/html/readme.html” has been quarantined.  It is the same file, over and over, with the quarantine messages running about 9 seconds apart: I have ran the delete on this, but it keeps coming back.  This morning I had 61 emails, notifying me of this same file being quarantined 61 times.  This appears to have just started on Feb. 19th.

    readme.html              /home/content/xxxxx/09/2120909/html/readme.html             2015-02-20 06:10:27
    readme.html              /home/content/xxxxx/09/2120909/html/readme.html             2015-02-20 06:20:36
    readme.html              /home/content/xxxxx/09/2120909/html/readme.html             2015-02-20 06:40:54
    readme.html              /home/content/xxxxx/09/2120909/html/readme.html             2015-02-20 06:51:04
    readme.html              /home/content/xxxxx/09/2120909/html/readme.html             2015-02-20 07:01:13
    readme.html              /home/content/xxxxx/09/2120909/html/readme.html             2015-02-20 07:11:27

    #21014

    Jack Smith
    Participant

    UPDATE: [Quarantine Log entries deleted as they are not related to this issue]

    #21015

    Jack Smith
    Participant

    Security Log is showing the following:

    [403 GET / HEAD Request: January 29, 2015 - 9:07 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 173.208.203.138
    Host Name: 173.208.203.138
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: //info_sub.asp
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
    
    [403 GET / HEAD Request: January 29, 2015 - 9:07 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 173.208.203.138
    Host Name: 173.208.203.138
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: //edu.asp
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
    
    [WP Automatic Update - ARQ was turned Off - February 19, 2015 - 9:42 am]
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/taxonomy.php
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/script-loader.php
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/class-wp-customize-setting.php
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/class-wp-customize-manager.php
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/js/media-audiovideo.min.js
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/js/media-grid.min.js
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/js/media-grid.js
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/js/media-audiovideo.js
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/js/tinymce/wp-tinymce.js.gz
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/js/tinymce/plugins/wpeditimage/plugin.min.js
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/js/tinymce/plugins/wpeditimage/plugin.js
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/link-template.php
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/version.php
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/general-template.php
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/update.php
    
    [WP Automatic Update - ARQ wp-includes File Backup - February 19, 2015 - 9:42 am]
    File: /home/content/xxxxx/09/2120909/html/wp-includes/date.php
    
    [WP Automatic Update - index.php file locked - February 19, 2015 - 9:42 am]
    
    [WP Automatic Update - wp-blog-header.php file locked - February 19, 2015 - 9:42 am]
    
    [WP Automatic Update - PHP Error Log timestamp synchronized - February 19, 2015 - 9:42 am]
    
    [WP Automatic Update - WP Update Time - February 19, 2015 - 9:42 am]
    WP Version Synchronized
    WP Update Time: February 19 2015 09:41
    BPS DB Value Time +15: February 19 2015 09:56
    
    [WP Automatic Update - ARQ was turned back On - February 19, 2015 - 9:42 am]
    #21019

    AITpro Admin
    Keymaster

    Do these steps to correct the readme.html file repeatedly being quarantined issue/problem:
    1.  Go to AutoRestore and Turn Off the ARQ Cron.
    2.  Click the Delete Files buttons for: Root Files, wp-admin Files, wp-includes Files and wp-content Files.
    3.  Click the Backup Files buttons for: Root Files, wp-admin Files, wp-includes Files and wp-content Files.
    4. Turn the ARQ Cron back On.
    5. If there are any left over readme.html files in Quarantine you can either restore them or delete them from Quarantine.

    The Security Log shows a couple of random hacker probes that were blocked and the WordPress Automatic Update for the WordPress 4.1.1 Automatic update.

    #21021

    Jack Smith
    Participant

    HOORAY!!  That fixed the problem.  I have had no other quarantine messages, or chatter from that file.

    Thanks a bunch!

    #21022

    AITpro Admin
    Keymaster

    Great!  Thanks for confirming that.  We know what the root cause of this problem is and are looking at the best way to permanently fix this.  It is a problem that rarely occurs, but it should never occur.

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.