Hi,
Where is it hanging on the scan? Is it a large file? You should be able to tell a file name that it is stuck on. You could try excluding that file from the scan to see if you can get farther.
-Brian
It seems to be different files each time. A few last-scanned files:
- /better-wp-security/core/class-ithemes-sync-verb-itsec-set-temp-whitelist.php
- /better-wp-security/core/class-ithemes-sync-verb-itsec-get-lockouts.php
- /wp-admin/js/user-suggest.js
iThemes security is installed, but not activated
I turned on Debug mode and included the last couple of lines of the last failed scan. There’s a 404 in there, too.
[Mar 27 08:15:54:1427444154.486395:4:info] Scan process ended after forking.
[Mar 27 08:15:54:1427444154.241381:2:error] Scan can't continue - stored data not found after a fork. Got type: boolean
[Mar 27 08:15:54:1427444154.215380:4:info] Setting up scanRunning and starting scan
[Mar 27 08:15:54:1427444154.194379:4:info] Setting up error handling environment
[Mar 27 08:15:54:1427444154.174378:4:info] Requesting max memory
[Mar 27 08:15:54:1427444154.152376:4:info] Done become admin
[Mar 27 08:15:54:1427444154.134375:4:info] Scan authentication complete.
[Mar 27 08:15:54:1427444154.111374:4:info] Scan will run as admin user 'admin' with ID '1' sourced from: singlesite get_users() function
[Mar 27 08:15:54:1427444154.091373:4:info] Becoming admin for scan
[Mar 27 08:15:54:1427444154.068371:4:info] Checking saved cronkey against cronkey param
[Mar 27 08:15:54:1427444154.051371:4:info] Exploding stored cronkey
[Mar 27 08:15:53:1427444153.977366:4:info] Fetching stored cronkey for comparison.
[Mar 27 08:15:53:1427444153.957365:4:info] Checking cronkey
[Mar 27 08:15:53:1427444153.938364:4:info] Scan engine received request.
[Mar 27 08:15:53:1427444153.027312:4:info] Starting cron via proxy at URL http://noc1.wordfence.com/scanp/hk.test.damaged.systems/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=1&cronKey=43340000255d00006ed20000
[Mar 27 08:15:52:1427444152.970309:4:info] Test result of scan start URL fetch: array ( 'headers' => array ( 'server' => 'micro_httpd', 'cache-control' => 'no-cache', 'date' => 'Fri, 27 Mar 2015 09:15:56 GMT', 'content-type' => 'text/html', 'connection' => 'close', ), 'body' => '404 Not Found 404 Not Found File not found. micro_httpd ', 'response' => array ( 'code' => 404, 'message' => 'Not Found', ), 'cookies' => array ( ), 'filename' => NULL, )
[Mar 27 08:15:52:1427444152.832301:4:info] getMaxExecutionTime() returning half ini value: 30
[Mar 27 08:15:52:1427444152.810300:4:info] Got max_execution_time value from ini: 60
[Mar 27 08:15:52:1427444152.790298:4:info] Got value from wf config maxExecutionTime:
[Mar 27 08:15:52:1427444152.758297:4:info] Calling startScan(true)
[Mar 27 08:15:52:1427444152.457279:4:info] Entered fork()
[Mar 27 08:15:52:1427444152.436278:4:info] Calling fork() from wordfenceHash::processFile with maxExecTime: 30
[Mar 27 08:15:52:1427444152.391276:4:info] Scanning: C:\xampp\htdocs\test\hk/wp-admin/js/user-suggest.js (Mem:23.8M)
[Mar 27 08:15:52:1427444152.338273:4:info] Scanning: C:\xampp\htdocs\test\hk/wp-admin/js/user-profile.min.js (Mem:23.8M)
[Mar 27 08:15:52:1427444152.268269:4:info] Scanning: C:\xampp\htdocs\test\hk/wp-admin/js/user-profile.js (Mem:23.8M)
Manually going to the 404íng url
(http://noc1.wordfence.com/scanp/hk.test.damaged.systems/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=1&cronKey=43340000255d00006ed20000)
returns ‘OK with http’
I hope you can spot the problem, if you need anything more, don’t hesitate to ask.
Greets
The 404 looks like your AJAX handler is working correctly. To clarify, these test sites are running locally on a desktop running Windows 7 and XAMPP, correct? Your production servers operate properly. What are your production servers running?
Yes, they run on win7 ultimate under XAMPP v3.2.1
The identical production sites run on (from phpinfo)
System Linux web02 3.13.0-46-generic #77~precise1-Ubuntu SMP Mon Mar 2 23:24:50 UTC 2015 x86_64
and
Linux sub.domain.tld 2.6.32-042stab072.10 #1 SMP Wed Jan 16 18:54:05 MSK 2013 i686
Where sub.domain.tld is an address I’m not I want to display publicly. Better safe than sorry I suppose ;P