Support » Plugin: NinjaFirewall (WP Edition) » Malware scan failing

  • I have one domain out of several which is refusing to let me do a malware scan. It keeps coming back with an error. Where should I look to see why or what is going on. There is nothing I can see unusual about this domain as the plugins and theme is identical to a couple of other ones which process without problems.

Viewing 15 replies - 1 through 15 (of 18 total)
  • I have a similar problem. See this thread:
    https://wordpress.org/support/topic/anti-malware-scan-stops-after-a-few-seconds/
    But I couldn’t find a problem with the server until now. Still searching.

    I have not been able to track it down. I just get loading of signatures -error. I have not added any signatures as far as I am aware. Where would added signatures be?

    I have deactivated the plugin and reinstalled it. I then uploaded a ninja config file from a domain where there are no issues. It still will not do a malware scan. I notice I do have extra files in the cache folder that are not present elsewhere :

    malscan_time.php (empty) , malscan_tot.sigs (sigs:1929), malscan.count(empty), mailscan.ed(empty),

    malscan.log

    1486048686: [AX] Entering ajax callback
    1486048686: [AX] POSTing request to https://www.mydomain.com/wp-cron.php
    1486048686: [CR] Starting cron
    1486048686: [CR] Starting malware scan
    1486048686: [CR] Cleaning cache
    1486048686: [CR] Loading NinjaFirewall’s signatures
    1486048686: [CR] Looking for potential user-defined signatures
    1486048686: [CR] No user-defined signatures found
    1486048686: [CR] Scanning files
    1486048708: [CR] No malware found
    1486048708: [CR] Exiting malware scan

    Then malscan.mem (20160864)

    If I then compare this with a domain that works

    I only have malscan_time (empty) and

    malscan.log (full of details but it does show an error in that log

    1486043957: [FW] Fetching signatures from /home/xxx/public_html/xxxxxx.com/wp-content/nfwlog/cache/malscan_tot.sigs

    Pretty confusing now. I have checked other working domains and they have slightly different files in their cache directories too.

    • This reply was modified 7 months, 3 weeks ago by  frenchomatic. Reason: no need to have a domain mentioned publicly
    Plugin Author nintechnet

    (@nintechnet)

    Do you mean that you received the ‘Error: unable to load signatures’ message?

    Plugin Author nintechnet

    (@nintechnet)

    Yes I am receiving that error but on only one domain where it works on many others where WP version, plugins and even the theme are the same.

    Basically when i press the scan blue button – I get dots of it processing – then the message “Une erreur est survenue : OK” in a grey box and then when i close the grey box I get Chargement des signatures : Erreur. Transalted that means error in loading signatures. The question is why would it do this on just one domain and none of the others on the same server? Baffling. It is a shared hosting environment so I can only go up the directory path.

    @nintechnet I don’t have root access for this site. Sorry.

    Plugin Author nintechnet

    (@nintechnet)

    Some thoughts:

    -The problem could be the permissions of the /wp-content/plugins/nfwplus/lib/share/ signatures folder. Can you try to chmod it g+w (0775)?

    -ModSecurity WAF is enabled on the server and blocks the request (see https://wordpress.org/support/topic/error-loading-signatures-in-anti-malware-feature/page/4/#post-8379862 )

    -Local IP issue: Added your hostname to /etc/hosts (see https://wordpress.org/support/topic/error-loading-signatures-in-anti-malware-feature/page/4/#post-8148182 ). Obviously, not applicable if you don’t have root access.

    chmod it g+w (0775) – nope that has not worked. Hosting admin says “it looks like signature parsing error, i.e. unable to load signature, but there is absolutely nothing in the log files, neither modsec log is showing anything.”

    Well A2 hosting came back and after many hours, they can’t figure it out. No error logs showing anything meaningful. Their only comment was they believe something is not right in the plugin but they can’t pin it down. My response is how do I delete the whole thing and install it again. Just deleting it from the wp admin panel is bound to leave some traces somewhere. Does it put anything anywhere in the database for example that doesn’t get extracted when deactivated and deleted?

    For me the logic of it working on an other domain on the same server, same WP version, same theme and same plugins, same .htaccess files everywhere doesn’t make sense. However, what I can say is even if I deactivate all plugins, the malware scan still doesn’t work. The plugin behaves impeccably on 15 other domains.

    Not sure where to go next. I suppose the obvious thing to do is upload a completely new copy of WP. Disable the theme and use the default theme etc and then build out.

    Plugin Author nintechnet

    (@nintechnet)

    Without having root access it is almost impossible to see what is going on with your filesystem.

    Another possibility is that you are using the .htninja script to whitelist yourself and that prevent the plugin part of NinjaFirewall to communicate with the firewall’s.

    That is all I have in my .htninja file which is sitting just above public_html. I am going to reinstall wordpress core files completely. Just to eliminate that.

    <?php
    /*
    +===================================================================+
    | NinjaFirewall optional configuration file |
    | |
    | See: http://nintechnet.com/ninjafirewall/wp-edition/help/?htninja |
    +===================================================================+
    */

    // Users of Cloudflare CDN:
    if (! empty($_SERVER[“HTTP_CF_CONNECTING_IP”]) &&
    filter_var($_SERVER[“HTTP_CF_CONNECTING_IP”],FILTER_VALIDATE_IP)) {
    $_SERVER[“REMOTE_ADDR”] = $_SERVER[“HTTP_CF_CONNECTING_IP”];
    }

    Well fresh WP core files doesn’t do it and neither does it run when I deactivate all plugins. I think there must be a server issue even if it runs on other domains. Lightspeed server is a pain – I notice my host is doing work on it to reset it at the moment.

    I am going to make a default setup on the problematical domain and build into it and see what piece is breaking it.The hosting company can’t seem to get to the bottom of it. Is there anything in the database that could cause it?

Viewing 15 replies - 1 through 15 (of 18 total)
  • The topic ‘Malware scan failing’ is closed to new replies.