Site Scan SPAM

  • Resolved koorbela

    (@koorbela)


    3 years, 7 months ago

    Hello!

    I need some help. iThemes Security PRO keeps spamming my mailbox. Which wouldn’t be a problem if it was just doing it to mine, because I would set it to send spam to my mailbox, but unfortunately two other administrators are attaching what it sends (my clients).

    The email is called SITE SCAN.

    At first, for months, it sent an error 1-2 times a day saying:

    An error occurred while running the scheduled site scan on Derby-Túr:
    Error Message: Unable to determine if the scan target is allowed: Could not verify keypair: Token not found.
    Error Code: site_verification_failed.response_error

    Then, after I had already disabled all notifications, and cancelled all Site Scan in all settings, and it didn’t stop, I first disabled the extension. To my surprise, it still sent the spam the next day.

    I then DISABLED the add-on 2 days ago. The amazing thing is that I am still receiving the spam mails, even though the plugin has been completely removed from my website!!!

    Now it sends this message:

    An error occurred while running the scheduled site scan on Derby-Túr:
    Error Message: Unable to determine if the scan target is allowed: Target site returned invalid response. The REST API route was not found. Please make sure iThemes Security is up-to-date.
    Error Code: site_verification_failed.connection_error

    What could cause this?? How can it still send a message? How can I get rid of this? I am very fed up with getting this email 1-2-3 times a day and it is bothering my customers.

    Please if anyone has any ideas on how to get rid of this, please let me know!

    Thanks in advance!

Viewing 15 replies - 1 through 15 (of 17 total)
1 2
  • nlpro

    (@nlpro)

    3 years, 7 months ago

    Hi koorbela,

    It sounds like the malware-scan cron task still exists.

    Check the existing cron tasks and make sure the malware-scan cron task is removed.

    +++++ To prevent any confusion, I’m not iThemes +++++

    Thread Starter koorbela

    (@koorbela)

    3 years, 7 months ago

    @nlpro, thanks for the advice!

    I checked, there is no cron with that name, and I got an email again this morning..

    I don’t know how to delete it 🙁

    nlpro

    (@nlpro)

    3 years, 7 months ago

    Ok, no itsec_cron task too ?

    Thread Starter koorbela

    (@koorbela)

    3 years, 7 months ago

    @nlpro Yes, unfortunately that’s not in it either.

    nlpro

    (@nlpro)

    3 years, 7 months ago

    Ok, perhaps these emails have a delayed delivery. What version of the iTSec PRO plugin were you using?

    And you don’t have a mirror/test site that perhaps still has the iTSec PRO plugin installed and that may be responsible for sending these emails?

    Thread Starter koorbela

    (@koorbela)

    3 years, 7 months ago

    @nlpro Unfortunately there is no mirror page.

    The latest version was (I don’t know the exact number anymore)

    The reason I don’t think they are late is that the top of the email always shows the current date.

    nlpro

    (@nlpro)

    3 years, 7 months ago

    Ok, I see.

    I’m afraid I cannot explain where those emails keep coming from.

    But I can assure you that if the iTSec plugin is deactivated and then deleted from a site the malware-scan cron task (which is by default scheduled to run twice daily) is permanently removed. And that should effectively stop any Site Scan emails.

    I’ve actually dived in and looked at the plugin code. No cron task -> no site scan -> no email. It’s as simple as that.

    But if you are still receiving these emails, then we are clearly missing something. Are you 100% sure these emails originate from this site?

    Can you share the URL to the site?

    • This reply was modified 3 years, 7 months ago by nlpro.
    Thread Starter koorbela

    (@koorbela)

    3 years, 7 months ago

    @nlpro Yes, that’s why I’m at a loss too.

    I have installed this extension only on this one site, so I’m sure it sends from this site, and includes the name of the site in the email.

    I have exported the cron list that is present and uploaded it here so you can check it out, in case I’m the only one who missed something.

    https://koorbela.hu/cron-events-all-2022-10-01-15.22.36.csv

    This was shown to me by a plugin: WP Crontrol

    Is there something hidden in there that is causing me to get the emails?`

    nlpro

    (@nlpro)

    3 years, 7 months ago

    I’ve reviewed the list of cron tasks. As far as I can see there is nothing there that links to the iTSec plugin.

    So the only explanation I can think of is delayed delivery of the Site Scan emails. If that is the case, it should stop at some point in time.

    The iTSec plugin is gone. So it cannot create/send ANY new emails (even if the malware-scan cron task would still exist). The code for malware scanning and the code for sending the scan result email is simply no longer there. Please verify the wp-content/plugins/ithemes-security-pro folder no longer exists.

    Thread Starter koorbela

    (@koorbela)

    3 years, 7 months ago

    @nlpro Thanks for your review!

    Yes, I have already checked, this folder is no longer there.

    I don’t know when it will stop, but I’m hoping it will. So far I deleted it 3-4 days ago, but it still sends 1-2x emails a day (I got one this morning).

    I am completely clueless. How long do I have to wait for it to stop, and if it doesn’t, what should I do? What do you suggest?

    nlpro

    (@nlpro)

    3 years, 7 months ago

    I have no clue when they will stop. But you could try and contact the hosting company and ask for their help. They may be able to figure this out.

    Thread Starter koorbela

    (@koorbela)

    3 years, 7 months ago

    All right! Thank you very much for your help, and for taking the time to do this when you’re not even an iThemes employee. Have a nice weekend!

    Plugin Support chandelierrr

    (@shanedelierrr)

    3 years, 7 months ago

    Hi @koorbela, thank you for reaching out. Would you mind checking if you have had another staging site before? We had similar cases a while back where customers still receive the site scan error mails even when the plugin is uninstalled/deleted. It was due to when an older staging/cloned site was thought to be removed (mostly was); however, there are still remnants of itsec tables on the staging server. This would send site scan emails, and it seemed like it was from the live site, but it was from the older staging/cloned site. After going through the old server’s database and removing the remaining itsec tables, the notifications stopped.

    nlpro

    (@nlpro)

    3 years, 7 months ago

    @shanedelierrr

    If this is true then the database of the current live site needs to be inspected for any remaining [prefix]_itsec_* tables too (even more so if there is not/has never been a staging env).

    Plugin Support chandelierrr

    (@shanedelierrr)

    3 years, 7 months ago

    @nlpro that is recommended as well. @koorbela, would you mind also checking for any remaining itsec-tables on your live site’s DB and ensuring that they are removed?

Viewing 15 replies - 1 through 15 (of 17 total)
1 2

The topic ‘Site Scan SPAM’ is closed to new replies.