Sucuri Security - Auditing, Malware Scanner and Security Hardening: Site Not Clean, points to non-existing file

  • I suspect that this is a WP core file that is missing, and this is why you are showing this error. Is this correct?

    No, that is incorrect.

    If the file is part of a regular WordPress installation but has been deleted, the plugin will print the filename inside a table below the “WordPress Integrity Check” panel. The plugin will also provide an option to restore the content of the file in that case.

    If the error is “Site Not Clean”, it means the URL is returning suspicious code.

    Unfortunately, you didn’t provide the real URL so I cannot confirm this for you. I can only tell you that there is a type of malware that hides itself from the website administrators by checking if the User-Agent in the HTTP request matches one of the popular web crawlers, for example, Googlebot [1]. When the User-Agent is different, the malware returns a “404 Not Found” response, consequently confusing the user.

    Please keep in mind that even if the file doesn’t exist, the malware could still be deceiving you. Please check the access control file (also known as .htaccess) for suspicious redirection rules.

    Marking as resolved, let me know if you need more information.

    [1] https://support.google.com/webmasters/answer/1061943?hl=en
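
The `.htaccess` review suggested in the reply above can be partly automated. This added example (not code from the plugin or from the posters) flags any `RewriteRule` whose preceding `RewriteCond` lines test the client's User-Agent or Referer; the sample file and the host name in it are constructed.

```python
import re

# Constructed sample: a stock WordPress rewrite block followed by one rule
# that only fires for crawler User-Agents. The host name is a placeholder.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/$1 [R=302,L]
"""

CLIENT_VARS = re.compile(r"%\{HTTP_(USER_AGENT|REFERER)\}", re.I)
EXTERNAL = re.compile(r"^https?://", re.I)


def audit_htaccess(text):
    """Return one finding per RewriteRule gated on a client-identity condition."""
    findings, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append(line)      # conditions apply to the next RewriteRule
        elif directive == "rewriterule":
            gated = [c for c in pending if CLIENT_VARS.search(c)]
            target = parts[2] if len(parts) > 2 else ""
            if gated:
                findings.append({
                    "line": lineno,
                    "conditions": gated,
                    "target": target,
                    "external": bool(EXTERNAL.match(target)),
                })
            pending = []              # a RewriteRule consumes its conditions
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS):
        print(finding)
```

A finding is a prompt to read the rule, not proof of compromise: some legitimate configurations also branch on the User-Agent.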

    Thank you for the answer.
    To get the real URL please replace the example.com with proba1 dot web4o dot com.
    The URL returns 500 internal server error even when I check with a Google user agent. I don’t see problems with the htaccess file, I tried only with the WP code there but no change. I don’t know how your plugin found this and where there is a link to it. It does not say how it came up with that. Also it does not show me the suspicious code. It says hover to see payload, but when I hover I don’t see anything.

    @yorman
    Is it possible that the detected issue is not malware, but just the actual server error? At least I got that idea from the report for the site from the online scanner on your site.

    Not sure why this is marked as resolved, given OP’s other comments. I too have exactly the same issue and it is also a multisite set up – so I suspect that may be relevant – all my other sites scan fine – but this one gives a 500 error for the same file (which does not exist)?

    @adz1111
    Yes, it is not resolved, but they just marked it resolved right away after their first response 🙁

    @adz1111
    You should open a new topic so they see it.

    What I have ended up doing was creating an empty wp-scriptaculous.js file in that path, and now it scans fine because there is no longer a 500 error for that URL.

    Interestingly, if you actually go to that URL (before doing the above) you too will get the 500 error the scanner gets. So the scanner’s report is actually correct. The question is why does that URL give a 500, rather than an expected 404. No idea as yet.

    The other thing I wanted to do (rather than the file hack above) was to do a redirect for that URL to a 404, but when I tried using a redirection plugin, the redirect is ignored – again I’m assuming being multisite has something to do with that. So, for now, I’ve left my “hack” in place, hoping it’s not a “bad” thing to do.

    @adz1111
    Yes, good idea with the empty file.
    They should fix the message though. It should not say that the site is not clean, just because there is a 500 error.

    It should not say that the site is not clean, just because there is a 500 error.

    Because “500 Internal Server Errors” are ambiguous by nature, there is no guarantee that your website is clean or not. Better to display a warning so the website owner can investigate. If we do not display a warning after finding a 500 status code in one or more of your web pages, then you will never know about a possible infection.

    So a 500 error could indicate an infection? I did not know that.

    Interesting – but, what are the steps to confirm if it’s an infection or not?

    If the file being scanned doesn’t exist then the scanner somehow thinks it does exist if it’s trying to scan it, so what / where should we be looking to confirm if we really have a problem or not?

    If the file being scanned doesn’t exist then the scanner somehow thinks it does exist if it’s trying to scan it, so what / where should we be looking to confirm if we really have a problem or not?

    The plugin downloads this JSON object from WordPress’ official API service [1] (changing the version number and locale according to your installation). The JSON object contains a list of files and hashes corresponding to the files that make up a regular WordPress installation, in this case, for version 5.1.1.

    The plugin compares each file hash with the checksum of the file in your server to make sure that the content is the same. If the hash is different, the file is marked as “modified”. If the file is missing, it gets flagged as “deleted”. If the plugin finds additional files in the core WordPress directories, they get flagged as “added”.

    The solution for each case is as follows:

    • Modified file: execute the “Restore Content” action
    • Deleted file: execute the “Restore Content” action
    • Added file: execute the “Delete File” action

    Unfortunately, the problem on @nnikolov’s website is not necessarily the same as the problem on @adz1111’s website. As I said before, a “500 Internal Server Error” is ambiguous by nature; it’s impossible for me —someone without access to the server— to investigate or offer a solution because there’s a myriad of explanations for the error.

    What I can tell you is, Scriptaculous is not part of any regular WordPress installation. For some reason, your website contains a folder with either an “.htaccess” or something similar that’s redirecting the traffic to a file with errors, that’s why your server is returning a 500 instead of a 404. And it’s not just the JavaScript file that our scanner is reporting, any file inside that folder is returning the 500, here are some examples:

    Go to your server (via SSH, SFTP, FTP, or using a file manager) and check every single file inside this directory [2]. If the folder doesn’t exist, then scan the entire server for anything called “scriptaculous” and you’ll find the origin of the problem.

    [1] https://api.wordpress.org/core/checksums/1.0/?version=5.1.1&locale=en_US
    [2] /public_html/wp-includes/js/scriptaculous/
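
The comparison described in the reply above, as an added example that is not the plugin's own code. It assumes the API body has the shape `{"checksums": {relative_path: md5_hex}}` and that "core WordPress directories" means `wp-admin` and `wp-includes`; the three-file install is constructed so the check runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # assumption: dirs searched for "added" files


def integrity_check(root, checksums):
    """Classify core files as modified / deleted / added against the checksum list."""
    root = Path(root)
    report = {"modified": [], "deleted": [], "added": []}
    for rel, expected in checksums.items():
        target = root / rel
        if not target.is_file():
            report["deleted"].append(rel)
        elif hashlib.md5(target.read_bytes()).hexdigest() != expected:
            report["modified"].append(rel)
    for core_dir in CORE_DIRS:
        for found in (root / core_dir).rglob("*"):
            rel = found.relative_to(root).as_posix()
            if found.is_file() and rel not in checksums:
                report["added"].append(rel)
    return {state: sorted(paths) for state, paths in report.items()}


def demo():
    """Run the check over a constructed three-file install in a temp directory."""
    pristine = {
        "wp-admin/index.php": b"<?php // admin\n",
        "wp-includes/version.php": b"<?php // version\n",
        "wp-includes/js/heartbeat.js": b"// heartbeat\n",
    }
    # Constructed stand-in for the API response body (assumed shape).
    api_body = json.dumps({"checksums": {r: hashlib.md5(d).hexdigest() for r, d in pristine.items()}})
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in pristine.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        (root / "wp-includes/version.php").write_bytes(b"<?php // tampered\n")
        (root / "wp-admin/index.php").unlink()
        extra = root / "wp-includes/js/scriptaculous/wp-scriptaculous.js"
        extra.parent.mkdir(parents=True)
        extra.write_bytes(b"")  # empty placeholder file, as described in the thread
        return integrity_check(root, json.loads(api_body)["checksums"])


if __name__ == "__main__":
    print(demo())
```

Under these assumptions, an empty `wp-scriptaculous.js` placed under `wp-includes/js/scriptaculous/` lands in the "added" list, because that path is not in the checksum list.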

    Thanks yorman

    That all makes total sense – however, long before checking this forum, I and my host (Cloudways) had searched all the site’s folders and files for anything referencing or containing “scriptaculous”, and nothing at all could be found.

    Had we found something I would have deleted it as I am fully aware that scriptaculous should not be there.

    But something is clearly referencing that file but we are stumped as to what or how. My only other thought is that maybe it is being referenced in an executable of some sort (i.e. not plain text) which is perhaps why we cannot find it?

    @adz1111 Can you post a list of all the files (including hidden files) inside this directory [1]? And if there’s any hidden file, like “.htaccess”, can you post the content of that file as well?

    [1] /public_html/wp-includes/js/

    Sure thing – will do over the weekend 🙂
