yorman
Forum Replies Created
The Sucuri plugin keeps a cache of these warnings for 20 minutes in this file [1]. You can reset the cache from the “Data Storage” panel located in the general settings page. SiteCheck — the service that actually scans your website — also keeps a cache for 48 hours in a remote server. You can reset this cache by visiting this link [2] and then clicking on the link “Force a Re-scan” at the bottom of the gray container.
[1] `/wp-content/uploads/sucuri/sucuri-sitecheck.php`
[2] https://sitecheck.sucuri.net/results/slopiewnie.cba.pl

This is related to this ticket [1].
What is this?
Bingbot [2] is crawling your website and in the process, requesting WordPress to clear the oEmbed cache [3].
Is this a virus attack?
No, it is not.
How can I solve it?
You can do one or more of the following things:
- Disable WordPress oEmbed API [4]
- Block Bingbot from accessing your website [5]
- Disable alerts for `oembed_cache` in the plugin settings
[1] https://wordpress.org/support/topic/issues-with-spamming-post-updates/
[2] https://www.bing.com/toolbox/verify-bingbot
[3] https://oembed.com
[4] https://kinsta.com/knowledgebase/disable-embeds-wordpress/
[5] https://blogs.bing.com/webmaster/2012/05/03/to-crawl-or-not-to-crawl-that-is-bingbots-question

I released the modification that was applied in that commit referenced in my previous comment, but now I realize that I misunderstood your initial feature request. What you want is to have the hostname in the email subject, but I added it into the email body.
I have implemented the code to include the hostname (reverse address of the user IP address) in this commit [1]. However, we do not release new versions of the plugin without passing the changes through an arduous testing process that takes several weeks. You will have to install the development version [2] of the code to get this option before it is publicly released.
[1] https://github.com/cixtor/sucuri-wordpress-plugin/commit/da117a8
[2] https://github.com/cixtor/sucuri-wordpress-plugin/archive/master.zip

That sounds like a good idea.
I will add this feature request to my TODO list.
I’ll implement the code when my project manager assigns a priority.
Thank you.
This is a bug in your APC installation, not the plugin.
Please refer to this commit [1] for more information.
Here is the solution:
apc.include_once_override = 0
apc.canonicalize = 0
apc.stat = 0
Add these settings to your APC configuration file.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/commit/f21d2e9
Hello,
`php_errorlog` is the default name for the log file that PHP uses to report warnings and errors triggered at runtime. Sometimes these errors are caused by bugs in your code, but other times the errors are triggered by a misconfiguration in the PHP installation and/or the web server.

Open the file and read through it; hopefully there will be enough information inside to understand the problem and apply a permanent fix. Notice that some of the warnings may only be fixable by the server administrator, so be prepared to request support from your hosting provider.

The `php_mail.log` is similar to the `php_errorlog` but it’s only for warnings and errors triggered during the execution of the PHP `mail()` function or the `sendmail` utility. Same as with the other file, open it and see if there is anything that you can fix yourself, but you may also need to ask your hosting provider for help.

Alternatively, if the warnings/errors inside both files look harmless, you can mark them as “fixed” which will force the plugin to skip them during the integrity scans.
Marking as resolved, let me know if you need more information.
Hello, the plugin doesn’t detect all the malicious code inside an infected website because it is intended to be a complementary tool for our customers who are already using our web security services. These services already detect and clean the infection; that’s why the plugin doesn’t do it.
In your case, as you have noticed, you will need to clean some files/folders manually.
The inclusion instruction that you found in your configuration file translates to this [1]. It is trying to include an icon file located inside a plugin called “Enhanced Media Library”. This is a common malicious technique that masks the inclusion of a malicious file (in this case, it could be a PHP file) as if it was a file with a different extension (in this example, an “.ico”).
The inclusion in itself doesn’t make sense; even if the icon is not infected, including a file like this in the configuration file sounds like a bad idea. I am pretty sure that the file contains malware, but without a deeper inspection I cannot confirm.
If I were you, I would delete that line and the suspicious folders.
[1] `/home/www/hakoah.dk/wp-content/plugins/enhanced-media-library/favicon_40490a.ico`

The list of files in the screenshot shows a path composed of two sections, one is the `wp-admin/` directory and the other is `E:\wwwroot\[…]`. This leads me to think that your website is being hosted on a Windows server. Support for Windows server is limited as the file system is slightly different to Unix, making things like file paths inconsistent.

All the files listed in the table are generated by the Sucuri plugin at runtime; if you delete them they will be immediately recreated. You also cannot mark them as false positives because the entire file path doesn’t exist. When you execute the “mark as fixed” action, the plugin double-checks if the files exist and if not the process stops.
The solution is to fix the file path to handle the Windows’ directory separator.
I will try to find a Windows server where I can test the plugin on. But know that this will take several days, each hosting provider has different server environments, reproducing this bug on my side will take a significant amount of time. I will notify you when I have a fix available.
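An added example (not part of the replies above and not Sucuri plugin code) for the earlier reply about the icon file included from the configuration file: a Python check that lists `include`/`require` statements whose literal target, once decoded, is not a PHP file. It assumes the path was hidden with PHP string escapes, which the page does not show; the sample configuration, its path and the extension allowlist are constructed for illustration.

```python
import re

# Extensions PHP code is normally included from (assumption for this example).
PHP_EXTENSIONS = {"php", "inc", "phtml"}

# include/require whose target starts with a quoted string literal.
INCLUDE_RE = re.compile(
    r"""@?\b(include_once|require_once|include|require)\b\s*\(?\s*(["'])(.*?)\2""",
    re.IGNORECASE,
)
# Escapes PHP expands inside double quotes: \xHH (hex) and \NNN (octal).
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def decode_php_escapes(literal):
    """Expand \\xHH and \\NNN the way a double-quoted PHP string does."""
    def expand(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return ESCAPE_RE.sub(expand, literal)


def suspicious_includes(php_source):
    """Return (line, decoded_path) for literal includes of non-PHP files."""
    findings = []
    for m in INCLUDE_RE.finditer(php_source):
        quote, literal = m.group(2), m.group(3)
        # Single-quoted PHP strings do not expand these escapes.
        path = decode_php_escapes(literal) if quote == '"' else literal
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext not in PHP_EXTENSIONS:
            line = php_source.count("\n", 0, m.start()) + 1
            findings.append((line, path))
    return findings


# Constructed wp-config.php fragment; the path and file name are made up.
SAMPLE_CONFIG = r'''<?php
define('DB_NAME', 'wordpress');
@include "\x2fvar\x2fwww\x2fexample\x2fwp-content\x2fplugins\x2fsome-plugin\x2ff\141vicon_0000.\151co";
require_once ABSPATH . 'wp-settings.php';
'''

if __name__ == "__main__":
    for line, path in suspicious_includes(SAMPLE_CONFIG):
        print(f"line {line}: includes non-PHP file {path}")
```

Only targets written as a string literal are examined; includes built from constants or variables, such as the standard `ABSPATH . 'wp-settings.php'` line, are skipped and need manual review.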
Taking a look now…
Marking as resolved after no response from the original poster.
Marking as resolved after no response from the original poster.
This is a bug that was fixed several months ago, but the patches have not been released. The development team is still testing other critical changes that were pushed to the development repository after I submitted this patch. Please wait until the release of the next version of the plugin.
Thank you for the suggestion.
You can customize the location of the Sucuri plugin storage folder by setting a constant in the WordPress configuration file named `SUCURI_DATA_STORAGE` [1]. I will implement your suggestion in a future version of the code.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/cf06eee/src/sucuriscan.lib.php#L265-L291
I am still getting a lot of failed login attempts […] How can I still be getting login attempts with this type of lockdown that I’ve applied?
Here is a list of possible answers to your question:
- The attacker is constantly changing their IP address;
- The attacker is inside your own LAN (same IP as yours);
- Another plugin is allowing user authentications (extra XMLRPC);
- The “mod_access” module is disabled (invalidates htaccess rules);
- The “lockdown” was incorrectly applied.
I cannot give you a better answer because I don’t have access to your server to confirm that the “lockdown” was correctly applied, maybe you missed something maybe not. I can only speculate about the reasons that are allowing the plugin to report additional login attempts.
If you believe this is a bug in the plugin’s code, let me know and I will investigate further. Otherwise, we can leave this ticket marked as resolved.
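An added example (not from the reply above and not plugin code) for narrowing down which of the listed causes applies: it summarises POST requests to the WordPress login endpoints in a web server access log. It assumes the combined log format and a lockdown that answers denied requests with 403; the log lines, addresses and the `allowed_ips` parameter are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Combined log format: client, identity, user, [time], "METHOD URL PROTO", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def triage(log_lines, allowed_ips=()):
    """Summarise POSTs to the WordPress login endpoints from non-allowed clients."""
    per_path, clients, lan_clients, not_blocked = Counter(), set(), set(), 0
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        if method != "POST" or path not in AUTH_PATHS or ip in allowed_ips:
            continue
        per_path[path] += 1
        clients.add(ip)
        try:
            if any(ipaddress.ip_address(ip) in net for net in LAN_NETS):
                lan_clients.add(ip)
        except ValueError:
            pass  # client field is a hostname, not an address
        if status != "403":  # assumption: the access rule answers with 403
            not_blocked += 1
    return {"per_path": dict(per_path), "distinct_clients": len(clients),
            "lan_clients": sorted(lan_clients), "not_blocked": not_blocked}


# Constructed log lines using documentation and private address ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.9 - - [10/Jan/2017:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"',
    '203.0.113.10 - - [10/Jan/2017:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"',
    '192.168.1.20 - - [10/Jan/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "-"',
    '192.0.2.5 - - [10/Jan/2017:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "-"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, allowed_ips=("192.0.2.5",)))
```

Many distinct clients point to changing addresses, hits on `/xmlrpc.php` to the XML-RPC path, entries in `lan_clients` to a source inside the LAN, and a non-zero `not_blocked` to access rules that are not being enforced.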
I already implemented this feature in the Sucuri Firewall [1].
The Sucuri Firewall has several layers of protection, so you don’t need to worry about blacklisting IP addresses. Sucuri Firewall will automatically blacklist offending IP addresses if it detects continuous attacking requests.
However, if for any reason you want to blacklist an IP address from even reaching your website, you can do this from the “Blacklist IP Addresses” section located in the Sucuri Firewall dashboard.
Marking as resolved, feel free to re-open the ticket if you need more help.
[1] https://kb.sucuri.net/firewall/Whitelist+and+Blacklist/blacklisting-IP