yorman
Forum Replies Created
I apologize for the mistreatment of your case.
Please let me know if you still need help with your ticket(s); I will pass them along to the correct people so they can take immediate care of your website(s). The company has a good reputation regarding the treatment of their customers, so it concerns me when a case is not handled correctly. Please tell me if there is anything I can do to help resolve the problem.
If you prefer to contact Sucuri directly, you can do so via e-mail at info@sucuri.net or you can give them a call at +1–888–873–0817. I can also talk directly to their Security Analysts if you would like me to help in the process.
Thank you for the review.
People can only access your Google account —be that console or anything else— if they have your credentials. The plugin never asks you for your Google credentials, so you can be sure that the email was not added by the plugin.
I believe Sucuri Analysts use your personal Google WebMaster Tools to request a review from Google to remove the blacklist status of your website. This process requires the validation of your website ownership which you gave Sucuri access to after providing your SFTP credentials. Unfortunately, I don’t remember exactly which system nor email address is used to run this ownership validation.
I suggest you send your inquiries to Sucuri Support at info@sucuri.net
Or go to the official website [1] and start a chat with one of the agents.
The start time is the time when the plugin was activated.
There is no option to do this nicely because the scheduled tasks are supervised by WordPress itself, not the plugin. The plugin simply installs the action that it wants to execute and WordPress takes care of the rest. In your case, what you have to do is deactivate the plugin and activate it at the time when you want the scheduled tasks to run.
WARNING: Deactivating the plugin will delete all your settings and security logs, including the API key and hardening options. Be careful with this option because once you execute it there is no way to recover this information. You’ll need to request a new API key and re-configure all the settings.
As yet, I have been unable to figure out how to set email preferences or change the email address.
This option already exists.
I implemented it myself 5 years ago in 2013.
Go to Sucuri Scanner > Settings > Alerts > Alerts Recipient
Connection issues are difficult to study because the only thing we know from our side is that the scanner couldn’t establish a connection with the website. It is up to the website owner to troubleshoot the issues. Most of the time it’s a DNS propagation problem.
Here [1] for example, it shows that your domain doesn’t have any NS record.
I went ahead and scanned an offline copy of it, the results are here [2].
[1] https://www.whatsmydns.net/#NS/www.archides.at
[2] https://sitecheck.sucuri.net/results/www.archides.at
The option is kept for backward compatibility purposes.
You can send the logs to labs@sucuri.net.
You can also talk directly with a Sucuri Malware Researcher via Twitter using one of the handles listed on this page [1]. If you do so, please add a reference to this thread by attaching a link along with the mail/message.
@westonruter created this [1] on Sep 30, 2017.
The changes described there were —by his own words— “[to] cache oEmbeds in an oembed_cache custom post type instead of postmeta when there is no global $post”.
oEmbed [2] is a protocol for site A (such as your blog) to ask site B (such as YouTube) for the HTML needed to embed content from site B. oEmbed was designed to avoid the need to copy and paste HTML from the site hosting the media you wish to embed. It supports videos, images, text, and more.
If you are embedding content from any of these sites [3] then you have oEmbed Cache in your database.
———————————————————————
Now, in order to understand what is happening here, you have to know how WordPress executes scheduled tasks (also known as cronjobs). WordPress doesn’t install any system-level script to monitor and/or execute the scheduled tasks; instead, it uses the website traffic to determine which tasks need to run at that moment.
If you have a WordPress job scheduled to run every hour, it may —theoretically— run every hour if, and only if, there is constant web traffic for that time. However, if your website is never visited for, let’s say, one month, then none of the scheduled tasks will run for that month. This also includes visits to the administration dashboard.
———————————————————————
Back to the main issue, what I think is happening here is that someone from Russia (or someone using a VPN located in that country) sent one or more HTTP requests to your website. This traffic triggered the execution of a scheduled task designed to clear the oEmbed Cache.
why would this and other IPs be “requesting WordPress to clear the oEmbed cache”?
As explained before, that’s how WordPress works ¯\_(ツ)_/¯
Is there any harm in this?
I wouldn’t worry about it, but don’t take my word for granted. If you have more information about these requests we can take a look and determine if it’s really harmful or not. If you don’t expect traffic from Russia, for example, then that’s something to be wary of.
Why am I only seeing this on one of my three sites on the same server?
Maybe the other sites don’t have oEmbed Cache.
Does this indicate that the site has been compromised in any way?
It’s not possible to say “yes” or “no” without more information.
The logs show a normal behavior of WordPress when someone is making use of oEmbed. If none of the admins or authors have created posts or pages with embedded content, then maybe the logs are hinting at a “Page Infection” where the attacker is injecting Spam (in the form of text or links) to attract people to other websites with other malicious intents.
[1] https://core.trac.wordpress.org/changeset/41651
[2] https://codex.wordpress.org/Embeds
[3] https://codex.wordpress.org/Embeds#Okay.2C_So_What_Sites_Can_I_Embed_From.3F
Guess my final questions are, are you guys looking to add these into your plugin (for checking/how to’s) like you did with the others?
I will have to talk with the rest of the engineering team at Sucuri before I can start working on the addition of the other security headers. Some of them are quite tricky to use without having a good understanding of their individual purpose.
Content-Security-Policy, for example, requires the implementation of a table to allow the webmaster to whitelist the domains that are required to render external assets like CSS, JavaScript, Images, Videos, etc.
Feature-Policy is quite new [1] and as of today only Google Chrome and Safari support it. The specification shows that it uses the same mechanism as CSP to whitelist domains to allow the execution of browser features, so we would need to implement another table to allow the webmaster to configure this setting as well.
I will prepare a document with a justification for each HTTP header and hope that the proposal gets approved to start working on the code. Thank you for the suggestion.
[1] https://wicg.github.io/feature-policy/
[2] https://caniuse.com/#search=feature%20policy
I did the “hardening” per your documentation and all is well except the plugin still has the “recommendations” on the right of the dashboard saying I still need to do all the hardening.
The plugin stores the results of the scan for several hours in a cache.
Does that mean I didn’t do it right, or does the plugin need to do a check again?
You can check if your website has the correct security headers using this tool [1]. If you can see the HTTP headers recommended by Sucuri and other security experts, then you’ll just need to wait a few hours for the automatic refresh of the scan.
How would one force the plugin to check again?
- Go to the plugin settings page,
- Locate the “Data Storage” panel,
- Select a file called “sucuri-sitecheck”,
- Click the delete button at the end of the table.
- Go to the plugin dashboard once again.
- Done
The plugin will basically delete this file [2], which you can also delete by yourself using the file manager available in your hosting panel. The plugin will detect that the file doesn’t exist (which is where it stores the scan results) and request a new scan from Sucuri Sitecheck.
Let me know if you need more information.
[1] https://securityheaders.com/
[2] /wp-content/uploads/sucuri/sucuri-sitecheck.php
Hello @strackerphil-1, your investigation was very helpful.
I will implement the code to prevent the Sucuri logs from taking so much space.
I will try to have these changes ready before the next version is released.
Marking ticket as “not resolved” while I work on this case.
Thank you
Ah you are completely right, I missed that part.
Thank you for the report, I will make the appropriate changes to fix this problem.
I’m running valet locally, and can also see the same error on the production site.
What’s “valet”?
It tries to create the storage folder on admin_init and fails.
All of the operations that write on disk are using the [at] symbol in front of the function. That’s the standard in PHP to silence warnings when the PHP script has no permission to write on disk. There is nothing else we can do there to prevent the warnings, aside from adding more checks that at this point seem to be unnecessary.
It is clear that your WordPress installation has different permissions than the one the PHP script is expecting. If you change the permissions of the directory that the plugin is trying to write to, you will probably fix the problems and the warnings will go away.
Can you please answer these two questions?
- Where are you seeing this warning? error_log or web page?
- What version of the plugin is running in your website?
- Can you open that file in your editor and check line 98?
I ask this because the latest version of the code is using @fopen(). The [at] symbol before the function name forces the PHP interpreter to hide these warnings. Keeping this in mind, I believe you are either using an old version of the plugin where the [at] symbol is not present, or your web server is mis-configured and ignoring the [at] symbol to force the triggering of the warning.
Also, when the server is running on nginx, can you not check that hardening rule?
Nginx doesn’t make use of access control files like “htaccess”.
The plugin skips these checks if your website is served by Nginx.
The plugin has a simple mechanism to prevent it from using too many resources during a scan. However, implementing an optimized high-level garbage collector in a scripting language like PHP is very difficult if not impossible. The limits set before the scan can be affected by other operations [1].
The warning that you got in “fileinfo.lib.php” line 427 [2] hints that the problem is during the reading of a file. The file seems to be so big that it doesn’t fit in the memory space allocated by the PHP interpreter.
However, the error is not necessarily with this code; the plugin could be allocating more memory elsewhere and it is just here where the PHP interpreter decided to stop the process because it already reached the limit set by “memory_limit” [3].
The solution is not to increase your memory limit, but to modify the file reader to take into consideration the amount of memory available. The problem with this approach is that a hacker can inject a file big enough to be skipped by the scanner, and then put the malicious code at the end.
For now, I suggest you use the “Ignore Files And Folders During The Scans” panel located in the settings page to instruct the plugin which folder(s) can be skipped during a scan. This will —hopefully— reduce the memory consumption and maybe fix the problem until I can design a better scanner.
I will keep investigating.
[1] https://en.wikipedia.org/wiki/Race_condition
[2] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/ceaf0d2/src/fileinfo.lib.php#L417-L428
[3] http://www.php.net/manual/en/ini.core.php#ini.sect.resource-limits
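The reply above describes two failure modes of a file scanner: reading a whole file into memory (which trips memory_limit on large files) and skipping large files entirely (which lets a payload placed at the end go unread). The following added example, which is not code from the Sucuri plugin, shows a chunked reader that bounds memory by the chunk size rather than the file size and still inspects the tail of the file; the function name, the needle string and the sample file are all constructed for this illustration.

```php
<?php
// Added example, not the plugin's own code: scan a file for a substring in
// fixed-size chunks. Memory use is bounded by $chunk plus the overlap, so a
// large file is neither loaded whole nor skipped, and its tail is still read.
function scan_file_chunked(string $path, string $needle, int $chunk = 65536): array
{
    $hits = [];
    if ($needle === '' || !is_readable($path)) {
        return ['error' => "cannot read: $path", 'hits' => $hits];
    }
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return ['error' => "cannot open: $path", 'hits' => $hits];
    }
    $keep    = strlen($needle) - 1; // bytes carried over so a match that straddles
    $overlap = '';                  // two chunks is not missed
    $offset  = 0;                   // absolute offset of the start of $data
    while (!feof($fh)) {
        $data = fread($fh, $chunk);
        if ($data === false || $data === '') {
            break;
        }
        $buf = $overlap . $data;
        $pos = 0;
        while (($pos = strpos($buf, $needle, $pos)) !== false) {
            // Translate the position inside $buf back to a file offset.
            $hits[] = $offset - strlen($overlap) + $pos;
            $pos++;
        }
        $offset += strlen($data);
        $overlap = $keep > 0 ? substr($buf, -$keep) : '';
    }
    fclose($fh);
    return ['error' => null, 'hits' => $hits];
}

// Constructed sample: 200000 bytes of padding followed by a marker at the very
// end, the layout the reply warns a size-based skip would miss.
$marker = '<!-- constructed-marker -->';
$tmp = tempnam(sys_get_temp_dir(), 'scan');
file_put_contents($tmp, str_repeat('A', 200000) . $marker);
$result = scan_file_chunked($tmp, $marker, 4096); // 4 KiB chunks, tiny footprint
unlink($tmp);
var_dump($result['hits']); // one hit, at offset 200000
```

Peak memory is roughly the chunk size plus the needle length regardless of how big the scanned file is, so the memory_limit exhaustion the reply describes cannot be provoked by a single oversized file.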