Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author WFMattR

    (@wfmattr)

    The “data not found after a fork” message is usually caused by blocking your wp-admin folder, either with another plugin, or manually in the .htaccess file.

    More details are here:
    My scans don’t finish. What would cause that?

    If this doesn’t help, reply and let us know here.

    Thread Starter 1alanfo

    (@1alanfo)

    Ok thanks

    I checked the plug-ins and found one I haven’t uploaded called Log-in Wall. I deleted it.

    I ran the scan again and sent the full activity log to WF. I’ve noticed some strange lines in the activity log clearly referring to products such as..

    1. where scan enters fork

    ‘domain’ => ‘filousachrysochous.com’,
    ‘httponly’ => ”,
    )),
    ),
    ‘filename’ => NULL,
    Thu, 17 Sep 15 11:56:00 +0000::1442480160.6430:4:info::getMaxExecutionTime() returning config value: 26
    Thu, 17 Sep 15 11:56:00 +0000::1442480160.6428:4:info::Got value from wf config maxExecutionTime: 26
    Thu, 17 Sep 15 11:56:00 +0000::1442480160.6422:4:info::Calling startScan(true)
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.8365:4:info::Entered fork()
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.8362:4:info::Calling fork() from wordfenceHash::processFile with maxExecTime: 26
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.8358:4:info::Hashing item in base dir: /home2/jimmy/public_html/66-bvlgari-purse-folding-njxy.html
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.8245:4:info::Scanning: /home2/jimmy/public_html/658-tadashi-shoji-piece-an.html (Mem:63.2M)
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.8241:4:info::Hashing item in base dir: /home2/jimmy/public_html/658-tadashi-shoji-piece-an.html
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.8106:4:info::Scanning: /home2/jimmy/public_html/655X-radio-clock-watch-seiko-afdm.html (Mem:63.2M)
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.8102:4:info::Hashing item in base dir: /home2/jimmy/public_html/655X-radio-clock-watch-seiko-afdm.html
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.8058:4:info::Scanning: /home2/jimmy/public_html/653Q-rayban-optical-tla.html (Mem:63.2M)
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.8054:4:info::Hashing item in base dir: /home2/jimmy/public_html/653Q-rayban-optical-tla.html
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.7930:4:info::Scanning: /home2/jimmy/public_html/651E-chloe-shoes-hqul.html (Mem:63.2M)
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.7926:4:info::Hashing item in base dir: /home2/jimmy/public_html/651E-chloe-shoes-hqul.html
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.7874:4:info::Scanning: /home2/jimmy/public_html/650-gagamilano-manyuare-hu.html (Mem:63.2M)
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.7869:4:info::Hashing item in base dir: /home2/jimmy/public_html/650-gagamilano-manyuare-hu.html
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.7807:4:info::Scanning: /home2/jimmy/public_html/648Z-harajuku-oakley-rlhh.html (Mem:63.2M)
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.7802:4:info::Hashing item in base dir: /home2/jimmy/public_html/648Z-harajuku-oakley-rlhh.html
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.7577:4:info::Scanning: /home2/jimmy/public_html/645T-uniqlo-lace-camisole-jzif.html (Mem:63.2M)
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.7572:4:info::Hashing item in base dir: /home2/jimmy/public_html/645T-uniqlo-lace-camisole-jzif.html
    Thu, 17 Sep 15 11:55:59 +0000::1442480159.7470:4:info::Scanning: /home2/jimmy/public_html/644A-gucci-bag-mens-fgvn.html (Mem:63.2M)

    and

    2. lots more similar lines of activity in the middle..

    Thu, 17 Sep 15 11:46:17 +0000::1442479577.9055:4:info::Hashing item in base dir: /home2/jimmy/public_html/20150809182932-WXCnjt-26.html
    Thu, 17 Sep 15 11:46:17 +0000::1442479577.9004:4:info::Scanning: /home2/jimmy/public_html/20150809182931-SZSfvg-19.html (Mem:63.2M)
    Thu, 17 Sep 15 11:46:17 +0000::1442479577.9001:4:info::Hashing item in base dir: /home2/jimmy/public_html/20150809182931-SZSfvg-19.html
    Thu, 17 Sep 15 11:46:17 +0000::1442479577.8938:4:info::Scanning: /home2/jimmy/public_html/20150809182902-gvv-TSD-49.html (Mem:63.2M)
    Thu, 17 Sep 15 11:46:17 +0000::1442479577.8934:4:info::Hashing item in base dir: /home2/jimmy/public_html/20150809182902-gvv-TSD-49.html
    Thu, 17 Sep 15 11:46:17 +0000::1442479577.8739:4:info::Scanning: /home2/jimmy/public_html/20150809182731-LRRxez-69.html (Mem:63.2M)
    Thu, 17 Sep 15 11:46:17 +0000::1442479577.8735:4:info::Hashing item in base dir: /home2/jimmy/public_html/20150809182731-LRRxez-69.html
    Thu, 17 Sep 15 11:46:17 +0000::1442479577.8672:4:info::Scanning: /home2/jimmy/public_html/20150809182544-UXHoju-10.html (Mem:63.2M)
    Thu, 17 Sep 15 11:46:17 +0000::1442479577.8668:4:info::Hashing item in base dir: /home2/jimmy/public_html/20150809182544-UXHoju-10.html
    Thu, 17 Sep 15 11:46:17 +0000::1442479577.8647:4:info::Scanning: /home2/jimmy/public_html/20150809182456-UVEwrg-90.html (Mem:63.2M)

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml"><head>
    <style type="text/css">
    body {background-color: #ffffff; color: #000000;}

    3. then this towards the end..


    Also in the Google search results it says “This site might be hacked”

    I’m not the least bit technical but I can see from the spurious lines in the report that relate to products – ray ban, gucci bag mens etc that the site is hacked.

    What to do?

    Plugin Author WFMattR

    (@wfmattr)

    Sorry to hear that — you’re right that the site must have been hacked.

    We have a guide for cleaning hacked sites here:
    How to clean a hacked site using Wordfence

    You should back up the site before trying to clean it, in case you remove something important by mistake.

    I would start with changing passwords — since so far you have only seen a ton of .html files, it might be that the hosting / control panel login or FTP password was too simple, or was somehow exposed.

    Since you mentioned that you are not very technical, you will probably need to skip the section that begins with “If you have SSH access to your server…”

    Much of the rest of the guide includes setting some Wordfence options, and running scans, to find bad files.

    The “.html” files in the main folder of the site can just be removed manually. WordPress only comes with a “readme.html” file in the main folder, so the others should be safe to remove. (Don’t manually remove “.php” files or others, if you’re not sure they are bad though.)
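
The following is an added example, not part of the original thread and not Wordfence's own code: it parses activity-log lines in the format quoted above and lists `.html` files sitting directly in the site's main folder other than `readme.html`, so they can be reviewed before removal. The function name, the document root and the sample lines are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Line layout as seen in the activity log quoted in this thread:
#   <date>::<epoch.fraction>:<level>:<type>::<message>
LINE_RE = re.compile(r"^.+?::\d+\.\d+:\d+:\w+::(?P<msg>.*)$")
# Messages that name a file; "Scanning:" lines carry a trailing " (Mem:...)".
FILE_RE = re.compile(
    r"^(?:Hashing item in base dir|Scanning): (?P<path>/.+?)(?: \(Mem:[^)]*\))?$"
)
# Per the reply above, readme.html is the only .html file WordPress ships in the main folder.
EXPECTED_ROOT_HTML = {"readme.html"}


def unexpected_root_html(log_lines, docroot):
    """Return sorted names of .html files directly in docroot that WordPress does not ship."""
    root = PurePosixPath(docroot)
    found = set()
    for raw in log_lines:
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not a log record (for example HTML or array dumps mixed into the log)
        hit = FILE_RE.match(line["msg"])
        if not hit:
            continue  # log record that does not name a file
        path = PurePosixPath(hit["path"])
        if (path.parent == root and path.suffix.lower() == ".html"
                and path.name.lower() not in EXPECTED_ROOT_HTML):
            found.add(path.name)  # a set, because each file is logged twice (hash + scan)
    return sorted(found)


# Constructed sample input; paths and file names are placeholders, not taken from a real site.
P = "Thu, 17 Sep 15 11:55:59 +0000::1442480159.0000:4:info::"
D = "/home/example/public_html"
SAMPLE_LOG = [
    P + "Hashing item in base dir: " + D + "/101-sample-brand-bag-abcd.html",
    P + "Scanning: " + D + "/101-sample-brand-bag-abcd.html (Mem:63.2M)",
    P + "Hashing item in base dir: " + D + "/20150101000000-AbCdEf-1.html",
    P + "Hashing item in base dir: " + D + "/readme.html",
    P + "Hashing item in base dir: " + D + "/wp-config.php",
    P + "Scanning: " + D + "/wp-content/themes/demo/about.html (Mem:63.2M)",
    P + "Calling startScan(true)",
    '<tr><td class="e">_ENV["PATH"]</td><td class="v">/bin:/usr/bin</td></tr>',
]

if __name__ == "__main__":
    for name in unexpected_root_html(SAMPLE_LOG, D):
        print(name)
```

The output is a review list only; `.php` files and anything in subfolders are deliberately left out, matching the advice above not to remove those by hand.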


The topic ‘Scan can't continue’ is closed to new replies.