• Resolved Synchro

    (@synchro)


    I run all my WordPress installations without any web server write access, and only allow writes when performing upgrades.

    I’m getting lots of alerts (120 this morning) like this:

    Someone accessed a script that was modified or created less than 2 hour(s) ago:
    
    SERVER_NAME    : www.example.com
    SCRIPT_FILENAME: /var/www/example.com/wp-includes/functions.php
    Last changed on: November 21, 2015 @ 05:59:09 (UTC +0000)
    REQUEST_URI    : /wp-includes/functions.php

    However, if I go and look at that file on disk:

    -r--r--r--  1 nobody nogroup 150K Aug 20 16:46 functions.php

    i.e. it has not been changed for months and it’s not writable by anyone. This appears to be a false alarm from NF. How can it be prevented?

    https://wordpress.org/plugins/ninjafirewall/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Do you mean you received 120 alerts for the same file (/functions.php) or for 120 different files (normally, you should not receive more than one alert per file)?
    The timestamp in your message (“Aug 20 16:46”) seems to be the mtime, not the ctime. NinjaFirewall will never use the mtime because it is not reliable. Did you check the ctime? If you have shell access, run this command to find it:

    $ stat /var/www/example.com/wp-includes/functions.php

    It should match the “Last changed on” from the firewall email alert.

    Also, ensure that the firewall cache and log folder (/wp-content/nfwlog/) is writable.

    Thread Starter Synchro

    (@synchro)

    It was for 120 different files, all not owned by the web server and all marked read-only.

    I just got another one of these and checked the ctime, and indeed it has a recent timestamp; however, the contents of the file have not been changed and appear innocuous.

    Plugin Author nintechnet

    (@nintechnet)

    Maybe a cronjob run by you or your host, which browses all folders and changes/forces their permissions to read-only (or their ownership)?
    Some hosts have such scripts and even if your files already have correct permissions/ownership, their ctime will be changed by the script.

  • The topic ‘Spurious "Files modified" alerts’ is closed to new replies.
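
The mtime/ctime behaviour discussed in this thread, as an added example that is not part of the original posts or of NinjaFirewall's code: a permission change moves a file's ctime while leaving its mtime and contents alone, and comparing a content hash against a baseline separates that case from a real modification. The function names and the sample file are constructed for illustration, and Unix `st_ctime` (inode change time) semantics are assumed.

```python
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Baseline record for one file: content hash plus inode timestamps and mode."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns, "mode": st.st_mode & 0o7777}


def classify(before, after):
    """Separate a real content change from a metadata-only inode change."""
    if after["sha256"] != before["sha256"]:
        return "content-changed"
    if after["ctime_ns"] != before["ctime_ns"]:
        return "metadata-only"  # chmod/chown/rename touched the inode, bytes intact
    return "unchanged"


def demo():
    """Reproduce the thread's scenario on a constructed sample file (Unix ctime)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "functions.php")  # constructed stand-in
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, 0o644)
        base = snapshot(path)

        time.sleep(0.1)            # let the filesystem clock tick
        os.chmod(path, 0o444)      # what a permission-forcing cron job does
        locked = snapshot(path)
        out["after_chmod"] = classify(base, locked)
        out["mtime_kept"] = locked["mtime_ns"] == base["mtime_ns"]
        out["ctime_moved"] = locked["ctime_ns"] > base["ctime_ns"]

        os.chmod(path, 0o644)
        with open(path, "a") as fh:  # an actual modification
            fh.write("// appended\n")
        out["after_edit"] = classify(base, snapshot(path))
    return out


if __name__ == "__main__":
    print(demo())
```

A "metadata-only" result still deserves a look at what changed the mode or owner, since the hash only confirms the bytes match the baseline that was recorded.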