• mehmetg

    (@mehmetg)


    What’s this? How to solve this fatal error?

    Module File Change
    Type Fatal Error
    Description Scan Failed
    Timestamp 2019-11-15 04:50:56
    User
    URL
    https://example.com/wp.php?up2018info=1
    Raw Details
    id => 172
    module => file_change
    type => fatal
    code => file-scan-aborted
    timestamp => 2019-11-15 04:50:56
    init_timestamp => 2019-11-15 04:50:55
    remote_ip => 193.106.30.99
    user_id => [empty string]
    url => https://example.com/wp.php?up2018info=1
    memory_current => 26603776
    memory_peak => 26795280
    data => Array
    id => file-change
    step => get-files
    chunk => includes

  • nlpro

    (@nlpro)

    Most likely you updated the iTSec plugin to the latest release (7.5.0) while a File Change Detection scan was still running.

    To prevent any confusion, I’m not iThemes.

    mehmetg

    (@mehmetg)

    Could be. What really worried me was a dirty host’s attempts on my site:

    404 Detection Notice https://example.com/wp-aa.php?up2018info=1 2019-11-15 07:46:57 – 9 hours ago 193.106.30.99 View Details
    404 Detection Notice https://example.com/wp-bb.php?up2018info=1 2019-11-15 06:25:45 – 11 hours ago 193.106.30.99 View Details
    404 Detection Notice https://example.com/wp.php?up2018info=1 2019-11-15 04:50:56 – 12 hours ago 193.106.30.99 View Details
    404 Detection Notice https://example.com/wp.php?up2018info=1 2019-11-15 04:50:56 – 12 hours ago 193.106.30.99 View Details

    The timing of the Fatal Error and this attack is the same.

    Gal Baras

    (@galbaras)

    Any matches in error_log or wp-admin/error_log?

    mehmetg

    (@mehmetg)

    I checked the error_log file from cPanel by converting it to txt format. It only has SSL notifications. The last notification was on 4 November. No matches.

    Gal Baras

    (@galbaras)

    193.106.30.99 might have tried to execute a file change scan on your computer and got blocked.

    What’s the IP address of your site? If it’s 193.106.30.99, you can whitelist it in the plugin settings.

    mehmetg

    (@mehmetg)

    Thanks for your interest and help.

    No, that IP address isn’t mine. That’s the IP of the person who attacked my website. Everyone should ban this IP. It’s a very dirty host. (https://www.abuseipdb.com/check/193.106.30.99)

    I understand from your answer that the danger is gone. Then there’s nothing to worry about?

    Gal Baras

    (@galbaras)

    To me, it looks like the plugin has done the right thing, but I wonder about the URLs in both your messages. Did you just copy and paste them, or did you replace anything to hide your site address?

    Have you clicked any of the “View Details” links to see more information about the 404s?

    It’s weird to get a “file change” scan report for a 404. Have you looked for files with names similar to wp.php, wp-aa.php, etc?

    mehmetg

    (@mehmetg)

    I only hid my domain address (example.com). I haven’t changed anything else. And I didn’t name my files like aa, bb.

    Here are the raw details:

    Module 404 Detection
    Type Notice
    Description https://example.com/wp-aa.php?up2018info=1
    Timestamp 2019-11-15 10:46:57
    Host 193.106.30.99
    User
    URL https://example.com/wp-aa.php?up2018info=1
    Raw Details
    id => 186
    module => four_oh_four
    type => notice
    code => found_404
    timestamp => 2019-11-15 07:46:57
    init_timestamp => 2019-11-15 07:46:57
    remote_ip => 193.106.30.99
    user_id => [empty string]
    url => https://example.com/wp-aa.php?up2018info=1
    memory_current => 26732552
    memory_peak => 26806824
    data => Array
    SERVER => Array
    SERVER_SOFTWARE => Apache
    REQUEST_URI => /wp-aa.php?up2018info=1
    LSPHP_ENABLE_USER_INI => on
    PATH => /usr/local/bin:/usr/bin:/bin
    TEMP => /tmp
    TMP => /tmp
    TMPDIR => /tmp
    PWD => /
    HTTP_ACCEPT => */*
    HTTP_ACCEPT_ENCODING => gzip, deflate
    HTTP_CONNECTION => keep-alive
    CONTENT_LENGTH => [empty string]
    HTTP_HOST => example.com
    HTTP_USER_AGENT => Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
    HTTP_X_HTTPS => 1
    REDIRECT_UNIQUE_ID =>
    REDIRECT_SCRIPT_URL => /wp-aa.php
    REDIRECT_SCRIPT_URI => https://example.com/wp-aa.php
    REDIRECT_HTTPS => on
    REDIRECT_SSL_TLS_SNI => example.com
    REDIRECT_STATUS => 200
    UNIQUE_ID =>
    SCRIPT_URL => /wp-aa.php
    SCRIPT_URI => https://example.com/wp-aa.php
    HTTPS => on
    SSL_TLS_SNI => example.com
    SERVER_SIGNATURE => [empty string]
    SERVER_NAME => example.com
    SERVER_ADDR => example.com host adress
    SERVER_PORT => 443
    REMOTE_ADDR => 193.106.30.99
    DOCUMENT_ROOT => /home/example/public_html
    REQUEST_SCHEME => https
    CONTEXT_PREFIX => [empty string]
    CONTEXT_DOCUMENT_ROOT => /home/example/public_html
    SERVER_ADMIN => webmaster@example.com
    SCRIPT_FILENAME => /home/example/public_html/index.php
    REMOTE_PORT => 46164
    REDIRECT_URL => /wp-aa.php
    REDIRECT_QUERY_STRING => up2018info=1
    SERVER_PROTOCOL => HTTP/1.1
    REQUEST_METHOD => GET
    QUERY_STRING => up2018info=1
    SCRIPT_NAME => /index.php
    PHP_SELF => /index.php
    REQUEST_TIME_FLOAT => 1573804016.9814
    REQUEST_TIME => 1573804016
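
An added example, not part of any post in this thread and not the plugin's own code: a short Python triage of log entries in the `key => value` raw-details layout quoted above. It groups 404s by client IP and query string to surface the repeated `up2018info=1` probe, and checks whether a `file-scan-aborted` entry shares its `remote_ip`, `url` and second with one of those 404s. The function names and the 5-second window are assumptions; the sample records reuse values quoted in the thread.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: three records trimmed to four fields each, using the
# code, timestamp, remote_ip and url values quoted in the thread.
SAMPLE = """\
code => file-scan-aborted
timestamp => 2019-11-15 04:50:56
remote_ip => 193.106.30.99
url => https://example.com/wp.php?up2018info=1

code => found_404
timestamp => 2019-11-15 04:50:56
remote_ip => 193.106.30.99
url => https://example.com/wp.php?up2018info=1

code => found_404
timestamp => 2019-11-15 07:46:57
remote_ip => 193.106.30.99
url => https://example.com/wp-aa.php?up2018info=1
"""

def parse(text):
    """Split blank-line separated records into dicts of key => value pairs."""
    recs = []
    for block in text.strip().split("\n\n"):
        rec = dict(l.split(" => ", 1) for l in block.splitlines() if " => " in l)
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        recs.append(rec)
    return recs

def probes(recs, min_paths=2):
    """(ip, query) pairs that requested several distinct missing paths."""
    seen = defaultdict(set)
    for r in recs:
        if r["code"] == "found_404":
            u = urlsplit(r["url"])
            seen[(r["remote_ip"], u.query)].add(u.path)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_paths}

def aborted_during_probe(recs, window=5):
    """Aborted scans logged within `window` s of a 404 with the same IP and URL."""
    hits = [r for r in recs if r["code"] == "found_404"]
    return [f for f in recs if f["code"] == "file-scan-aborted" and any(
        h["remote_ip"] == f["remote_ip"] and h["url"] == f["url"]
        and abs((h["ts"] - f["ts"]).total_seconds()) <= window for h in hits)]
```

A match from `aborted_during_probe` only establishes that the two entries were logged for the same request context; it does not by itself show that a file was changed.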
