Most likely you updated the iTSec plugin to the latest release (7.5.0) while a File Change Detection scan was still running.
To prevent any confusion, I’m not iThemes.
Could be. What really worried me was a dirty host’s attempts on my site:
404 Detection Notice https://example.com/wp-aa.php?up2018info=1 2019-11-15 07:46:57 – 9 hours ago 193.106.30.99 View Details
404 Detection Notice https://example.com/wp-bb.php?up2018info=1 2019-11-15 06:25:45 – 11 hours ago 193.106.30.99 View Details
404 Detection Notice https://example.com/wp.php?up2018info=1 2019-11-15 04:50:56 – 12 hours ago 193.106.30.99 View Details
404 Detection Notice https://example.com/wp.php?up2018info=1 2019-11-15 04:50:56 – 12 hours ago 193.106.30.99 View Details
Fatal Error and this attack timing are the same.
Any matches in error_log or wp-admin/error_log?
I checked the error_log file from cPanel by converting it to txt format. It only has SSL notifications. The last notification was on 4 November. No matches.
193.106.30.99 might have tried to execute a file change scan on your computer and got blocked.
What’s the IP address of your site? If it’s 193.106.30.99, you can whitelist it in the plugin settings.
Thanks for your interest and help.
No, that IP address isn’t mine. That’s the IP of the person who attacked my website. Everyone should ban this IP. It’s a very dirty host. (https://www.abuseipdb.com/check/193.106.30.99)
I understand from your answer that the danger is gone. Then there’s nothing to worry about?
To me, it looks like the plugin has done the right thing, but I wonder about the URLs in both your messages. Did you just copy and paste them, or did you replace anything to hide your site address?
Have you clicked any of the “View Details” links to see more information about the 404s?
It’s weird to get a “file change” scan report for a 404. Have you looked for files with names similar to wp.php, wp-aa.php, etc?
I only hid my domain address (example.com). I haven’t changed anything else. And I didn’t name my files like aa, bb.
Here are the raw details:
Module 404 Detection
Type Notice
Description https://example.com/wp-aa.php?up2018info=1
Timestamp 2019-11-15 10:46:57
Host 193.106.30.99
User
URL https://example.com/wp-aa.php?up2018info=1
Raw Details
id => 186
module => four_oh_four
type => notice
code => found_404
timestamp => 2019-11-15 07:46:57
init_timestamp => 2019-11-15 07:46:57
remote_ip => 193.106.30.99
user_id => [empty string]
url => https://example.com/wp-aa.php?up2018info=1
memory_current => 26732552
memory_peak => 26806824
data => Array
SERVER => Array
SERVER_SOFTWARE => Apache
REQUEST_URI => /wp-aa.php?up2018info=1
LSPHP_ENABLE_USER_INI => on
PATH => /usr/local/bin:/usr/bin:/bin
TEMP => /tmp
TMP => /tmp
TMPDIR => /tmp
PWD => /
HTTP_ACCEPT => */*
HTTP_ACCEPT_ENCODING => gzip, deflate
HTTP_CONNECTION => keep-alive
CONTENT_LENGTH => [empty string]
HTTP_HOST => example.com
HTTP_USER_AGENT => Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
HTTP_X_HTTPS => 1
REDIRECT_UNIQUE_ID =>
REDIRECT_SCRIPT_URL => /wp-aa.php
REDIRECT_SCRIPT_URI => https://example.com/wp-aa.php
REDIRECT_HTTPS => on
REDIRECT_SSL_TLS_SNI => example.com
REDIRECT_STATUS => 200
UNIQUE_ID =>
SCRIPT_URL => /wp-aa.php
SCRIPT_URI => https://example.com/wp-aa.php
HTTPS => on
SSL_TLS_SNI => example.com
SERVER_SIGNATURE => [empty string]
SERVER_NAME => example.com
SERVER_ADDR => example.com host address
SERVER_PORT => 443
REMOTE_ADDR => 193.106.30.99
DOCUMENT_ROOT => /home/example/public_html
REQUEST_SCHEME => https
CONTEXT_PREFIX => [empty string]
CONTEXT_DOCUMENT_ROOT => /home/example/public_html
SERVER_ADMIN => webmaster@example.com
SCRIPT_FILENAME => /home/example/public_html/index.php
REMOTE_PORT => 46164
REDIRECT_URL => /wp-aa.php
REDIRECT_QUERY_STRING => up2018info=1
SERVER_PROTOCOL => HTTP/1.1
REQUEST_METHOD => GET
QUERY_STRING => up2018info=1
SCRIPT_NAME => /index.php
PHP_SELF => /index.php
REQUEST_TIME_FLOAT => 1573804016.9814
REQUEST_TIME => 1573804016
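An added example, not part of the thread and not code from the iThemes Security plugin: it reads 404 Detection lines in the layout pasted above, drops repeated entries, groups the requested .php paths by host, and checks whether any of those paths exists under a document root, which is the check suggested earlier in the thread. The function names and the document root passed in are assumptions.

```python
import os
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample lines in the layout pasted in the thread (the last one is a repeat).
SAMPLE = """\
404 Detection Notice https://example.com/wp-aa.php?up2018info=1 2019-11-15 07:46:57 – 9 hours ago 193.106.30.99 View Details
404 Detection Notice https://example.com/wp.php?up2018info=1 2019-11-15 04:50:56 – 12 hours ago 193.106.30.99 View Details
404 Detection Notice https://example.com/wp.php?up2018info=1 2019-11-15 04:50:56 – 12 hours ago 193.106.30.99 View Details
"""

LINE = re.compile(
    r"^404 Detection \w+ (?P<url>\S+) (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
    r" .*? (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def parse(text):
    """Return unique (ip, timestamp, path, query) tuples in input order."""
    out = {}  # dict keys keep insertion order and drop repeated log rows
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            parts = urlsplit(m["url"])
            out[(m["ip"], m["ts"], parts.path, parts.query)] = None
    return list(out)

def php_probes_by_host(records):
    """Group the requested .php paths by requesting host."""
    hosts = defaultdict(set)
    for ip, _ts, path, _query in records:
        if path.lower().endswith(".php"):
            hosts[ip].add(path)
    return dict(hosts)

def probed_files_present(docroot, paths):
    """Probed paths that exist as files under docroot (../ and symlinks resolved)."""
    root = os.path.realpath(docroot)
    def inside(p):
        full = os.path.realpath(os.path.join(root, p.lstrip("/")))
        return full.startswith(root + os.sep) and os.path.isfile(full)
    return [p for p in sorted(paths) if inside(p)]

if __name__ == "__main__":
    for host, paths in php_probes_by_host(parse(SAMPLE)).items():
        print(host, sorted(paths), probed_files_present(".", paths))
```

An empty list from `probed_files_present` means none of the requested names is on disk now; any hit is a file to inspect by hand.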