NinjaScanner - Virus & Malware scan: hosting provider 1and1 blocks .sigs.tmp as malicious

  • Resolved danielrufde

    (@danielrufde)


    Currently I have a few cases where the German hosting provider 1and1 (1&1) blocks .sigs.tmp as malicious and the scan is aborted due to the “Fatal error: Snapshot seems to be corrupted.” error.

    You can find our analysis results here.
    To ensure that your website works as usual again, you must change the file permissions back to 604 after the cleanup.

    The following files were most likely uploaded by third parties.
    Please check these files and delete them if necessary.
    ~ /../../../../../../../../../ homepages / xx / xx / htdocs / html / WP / wp-content / ninjascanner / nscan5a369a5b7fbba4.77717443 /cache/.sigs.tmp

    In all likelihood, the following files have been modified by third parties.
    Please check these files and, if necessary, reload them from a non-infected backup onto your web space.
    ~ / html / WP / wp-content / ninjascanner / nscan5a369a5b7fbba4.77717443 / cache / .sigs.tmp
    ~ /../../../../../../../../../ homepages / xx / xx / htdocs / html / WP / wp-content / ninjascanner / nscan5a369a5b7fbba4.77717443 /cache/.sigs.tmp

    I think this did not happen in the past but I’m not sure which part of the file is problematic for them.

    • This topic was modified 3 months, 4 weeks ago by danielrufde.
  • Plugin Author nintechnet

    (@nintechnet)

    This is a temp file used during the anti-malware scan. The plugin downloads the signatures from our site, which are hex-encoded because some of them don’t use ASCII characters, it decodes, verifies them and will save them to the .sigs.tmp file so that they are ready to use. The file is deleted at the end of the scanning process. It looks like your host scanned the site at the time NinjaScanner was running.

    you must change the file permissions back to 604 after the cleanup.

    Did they only change the permissions (0000), not the ownership?
    The scanner could check the file permissions and restore them to 6xx, finish the scan and delete the file. Otherwise, I would need to temporarily save the signatures to the DB.

    Thread Starter danielrufde

    (@danielrufde)

    I guess their scanner starts / is triggered when a PHP script execution starts (on access).
    They only changed the permissions, not the ownership.

    Database is probably a good workaround as the scanners will maybe not trip over the content. Maybe an option to choose where to store the tmp / signatures may make sense. Another option would be to use similar tricks like the bad guys and support a custom XOR key for bitwise XORing the string(s).

    Often some scanners directly match hex-encoded strings too. Not sure if base64 would be a better option. Just some ideas. This is the second case at the same hosting provider. All other hosting providers that I had to work with did not cause such issues.

    Plugin Author nintechnet

    (@nintechnet)

    Hex-encoding is often decoded by scanners. I’ll encode it in base64 in the next release and we’ll see if it’s enough. The file is around 100kb, that should not affect the server/site performance.
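As an added example (not code from this thread or from NinjaScanner itself) of the two ideas the plugin author raises above, storing the signature cache base64-encoded and restoring 6xx permissions if the host resets them mid-scan, here is a minimal PHP sketch. It assumes PHP runs as the owner of the file (the thread says only permissions changed, not ownership) and that the downloaded feed is a hex-encoded, newline-separated signature list; the feed used at the bottom is a constructed sample.

```php
<?php
// Added example, not NinjaScanner's own code: a temporary signature cache
// that stores the decoded (possibly non-ASCII) signatures base64-encoded so
// the file on disk is plain text, and re-checks its permissions before each
// read, restoring 0600 if a host-side scanner chmod'ed it to 0000, instead of
// aborting with a misleading "snapshot corrupted" error. Assumes PHP runs as
// the file's owner (the thread says only permissions changed, not ownership).

function sigs_cache_write(string $path, string $hexFeed): void {
    if (($raw = hex2bin($hexFeed)) === false) {   // feed is hex, one sig per line
        throw new RuntimeException('Signature feed is not valid hex');
    }
    $lines = array_map('base64_encode', explode("\n", $raw));
    $tmp = $path . '.' . getmypid();    // write to a temp name, then rename()
    if (file_put_contents($tmp, implode("\n", $lines), LOCK_EX) === false
        || !chmod($tmp, 0600) || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("Cannot write signature cache $path");
    }
}

function sigs_cache_read(string $path): array {
    clearstatcache(true, $path);
    if (!file_exists($path)) {          // removed outright: nothing to restore
        throw new RuntimeException('Signature cache was deleted during the scan');
    }
    if ((fileperms($path) & 0600) !== 0600 && !chmod($path, 0600)) {
        throw new RuntimeException('Signature cache unreadable and chmod failed');
    }
    if (($data = file_get_contents($path)) === false) {
        throw new RuntimeException('Signature cache unreadable');
    }
    $sigs = [];
    foreach (explode("\n", $data) as $line) {
        $sig = base64_decode($line, true);  // strict mode rejects altered lines
        if ($sig === false) {
            throw new RuntimeException('Signature cache corrupted');
        }
        $sigs[] = $sig;
    }
    return $sigs;
}

// Constructed sample: two signatures, the second containing non-ASCII bytes.
$feed  = bin2hex("sample-signature-one\nsample-signature-\xC3\xA9");
$cache = sys_get_temp_dir() . '/.sigs.tmp';
sigs_cache_write($cache, $feed);
chmod($cache, 0000);                    // simulate the host's quarantine step
$sigs = sigs_cache_read($cache);        // restores 0600 and returns both entries
unlink($cache);                         // the cache is deleted when the scan ends
```

If the host's scanner deletes the file rather than chmod-ing it, the only recovery is to re-download or, as the author mentions, keep the signatures in the database for the duration of the scan.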

    Thread Starter danielrufde

    (@danielrufde)

    So far no new cases where the file was flagged as malware and removed because of this. It seems to be resolved now. Closing.
