• Resolved deeveedee

    (@deeveedee)


    I am running Sucuri Security plugin 1.8.8 on my WordPress 4.8.1 site and am intrigued by the auditing capability that it provides. The Sucuri audit log shows the following entry which occurred at a time when no admin users were logged into my site via the WordPress admin panel:

    System Warning: New file added: (multiple entries): IP: 127.0.0.1

    When I checked the dates of the “new files added,” they are old dates and none of the files reported are actually “new.”

    Is it possible that Sucuri is incorrectly reporting “new files added” in its audit log? If not, and these are actually files that have been added or restored for some reason, should I be concerned?

    What concerns me about this is that one of the new files added is “.htaccess” and the file was added by a user running on local host (127.0.0.1).

    Since Sucuri is reporting this warning with IP 127.0.0.1, would these files have been added by a locally running process or by my hosting provider?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Yes, that is what it means.

    The entries in the log with the user system are the ones initiated by the website itself, without user interaction. To keep the same format as the other logs, the plugin uses the IP 127.0.0.1; so yes, your assumption that “[…] these files have been added by a locally running process or by my hosting provider” is correct.

    Someone used FTP, SSH or the file manager available in your hosting account to create them, or the server itself created them; since this operation was performed outside of WordPress, the plugin has no way to know who exactly created them nor how, hence the use of the ambiguous “system — 127.0.0.1” references.

    Marking as resolved, feel free to re-open if you need more information.

    Thread Starter deeveedee

    (@deeveedee)

    @yorman,

    Thank you for your quick reply. This is very helpful and a great feature! In most cases, the files listed in the Sucuri audit log have “old” dates, so according to the file system, none of the files appear to be added/changed. What are the criteria that Sucuri uses to identify ‘new files added?’

    For example, one of the files listed by Sucuri in the ‘new file added’ list is ‘.htaccess’ yet this file has an old date and does not appear to have changed.

    Thank you for your great plugin and great support.

    What are the criteria that Sucuri uses to identify ‘new files added?’

    There are two criteria for two different tools.

    WordPress Integrity

    The integrity tool obtains a copy of the list of files included in the version of WordPress that you have installed from a public API service maintained by the WordPress organization. The plugin scans your project and flags every file that is not in the list obtained from the API as new/added.

    Audit Logs

    The plugin scans your entire project the first time you generate the API key and, assuming that your website is clean at that moment, it sends the list to the Sucuri API service. For every subsequent scan the plugin checks which files are currently in your project against the list of files that were sent to the API the first time; any difference is reported in the audit logs.

    Flagged Files with Old Dates

    Every file system has a metadata entry to store information about a file; this includes the size, modification date, parent directory, etc. It is fairly easy to change these dates with utilities like the touch command in Unix. Below you can find an example that I took from my Mac computer:

    $ echo "" 1> file.txt
    $ ls -lhias -- file.txt
      1B Sep 05 10:06 file.txt
    $ touch -t 199910311503 -- file.txt
    $ ls -lhias -- file.txt
      1B Oct 31  1999 file.txt

    Notice how I created a new file on September 05 at 10:06 am, and later used the touch command to change the date to October 31, 1999 at 03:03 pm. Because there is no way to prevent this from a high level such as PHP, the plugin can only show whatever the file system is reporting; a malicious user can create new files in your website and make them pass as old files to mislead. There is no way to explain this to regular users in an easy way, so we just show the date for simplicity, but technically speaking, the date should be removed as it just adds to the confusion.

    Let me know if you need more information.
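    The baseline-and-compare approach described in the reply above, and the point that a backdated modification time does not hide a newly created file from it, can be shown with a small script. This is an added example and not code from the Sucuri plugin or from the poster; it assumes a SHA-256 content hash as the comparison key (the plugin's own comparison key is not stated here), and the directory layout and file contents are constructed for the demonstration.

```python
"""Baseline-and-diff file inventory check (added example, not plugin code)."""
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    pathlib's '*' also matches dot files, so .htaccess is included.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests by path set and content hash, ignoring mtimes."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then add a backdated file and
    change an existing one in place. Returns (report, mtime_year_of_new_file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php // constructed front controller\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")
        baseline = build_manifest(root)

        # New file whose mtime is then set to 1999-10-31 15:03 local time,
        # the same effect as `touch -t 199910311503 -- file`.
        new_file = root / "wp-content" / "uploads" / "cache.php"
        new_file.parent.mkdir(parents=True)
        new_file.write_text("<?php // constructed sample content\n")
        backdated = datetime(1999, 10, 31, 15, 3).timestamp()
        os.utime(new_file, (backdated, backdated))

        # Existing file edited in place; its date is left as the OS sets it.
        (root / ".htaccess").write_text("RewriteEngine On\nOptions -Indexes\n")

        report = diff_manifests(baseline, build_manifest(root))
        mtime_year = datetime.fromtimestamp(os.stat(new_file).st_mtime).year
        return report, mtime_year


if __name__ == "__main__":
    result, year = demo()
    print("added:   ", result["added"])      # the backdated file still shows up
    print("modified:", result["modified"])
    print("removed: ", result["removed"])
    print("mtime year reported by the file system:", year)
```

    The report lists wp-content/uploads/cache.php as added even though the file system reports a 1999 date for it, which is why the baseline comparison, not the displayed date, is the signal worth acting on. The edited .htaccess is caught as modified for the same reason: its content hash changed, whatever its timestamp says.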

    Thread Starter deeveedee

    (@deeveedee)

    Thank you for your very thorough reply and thanks for your great support.

  • The topic ‘System Warning: New file added’ is closed to new replies.