yorman
Forum Replies Created
-
Thank you for the list @adz1111
I just noticed that your website is hosted in a Windows Server. I’m not very familiar with Windows, but assumming that you’re using Apache then I suggest you to search the “.htaccess” file in the parent folders because the rules are recursive.
You may also want to talk once again with your hosting provider, because regardless of what the Sucuri Scanner says, one or more pages are returning a “500 Internal Server Error” when the browser attempts to access a file that, apparently, doesn’t exists.
Of course, this is assuming that you’re having the same problem as @nnikolov
Hello @mrbambocha, if it’s not cache (which you seem to have flushed), then it’s possible that the malware is hiding among the HTML for the custom “404 Not Found” WordPress page.
There is a type of malware that checks if the User-Agent in your request matches certain text, for example, Googlebot, and then returns a “404 Not Found” status code when the text is different, effectively hiding from simple inspections, and revealing itself to web crawlers to index their spam.
Scan your website for hidden 404 rules, and then refresh the malware scan cache one more time.
Let me know if you need more information.
@adz1111 can you post a list of all the files (including hidden files) inside this directory [1]. And if there’s any hidden file, like “.htaccess”, can you post the content of that file as well?
[1]
/public_html/wp-includes/js/If the file being scanned doesn’t exist then the scanner somehow thinks it does exist if it’s trying to scan it, so what / where should we be looking to confirm if we really have a problem or not?
The plugin downloads this JSON object from WordPress’ official API service [1] (changing the version number and locale according to your installation). The JSON object contains a list of file and hashes corresponding to the files that make up a regular WordPress installation, in this case, for version 5.1.1.
The plugin compares each file hash with the checksum of the file in your server to make sure that the content is the same. If the hash is different, the file is marked as “modified”. If the file is missing, it gets flagged as “deleted”. If the plugin finds additional files in the core WordPress directories, they get flagged as “added”.
The solution for each case is as follows:
- Modified file: execute the “Restore Content” action
- Deleted file: execute the “Restore Content” action
- Added file: execute the “Delete File” action
Unfortunately, the problem in @nnikolov is not necessarily the same as the problem in @adz1111 website. As I said before, a “500 Internal Server Error” is ambiguous by nature, it’s impossible for me —someone without access to the server— to investigate or offer a solution because there’s a myriad of explanations for the error.
What I can tell you is, Scriptaculous is not part of any regular WordPress installation. For some reason, your website contains a folder with either an “.htaccess” or something similar that’s redirecting the traffic to a file with errors, that’s why your server is returning a 500 instead of a 404. And it’s not just the JavaScript file that our scanner is reporting, any file inside that folder is returning the 500, here are some examples:
- http://proba1.web4o.com/wp-includes/js/scriptaculous/foo.txt
- http://proba1.web4o.com/wp-includes/js/scriptaculous/lorem.html
- http://proba1.web4o.com/wp-includes/js/scriptaculous/nothing.css
- http://proba1.web4o.com/wp-includes/js/scriptaculous/broken.py
- http://proba1.web4o.com/wp-includes/js/scriptaculous/README
- etc…
Go to your server (via SSH, SFTP, FTP, or using a file manager) and check every single file inside this directory [2]. If the folder doesn’t exists, then scan the entire server for anything called “scriptaculous” and you’ll find the origin of the problem.
[1] https://api.wordpress.org/core/checksums/1.0/?version=5.1.1&locale=en_US
[2]/public_html/wp-includes/js/scriptaculous/It should not say that the site is not clean, just because there is an 500 error.
Because “500 Internal Server Errors” are ambiguous by nature, there is no guarantee that your website is clean or not. Better to display a warning so the website owner can investigate. If we do not display a warning after finding a 500 status code in one or more of your web pages, then you will never know about a possible infection.
Hello @austinblu
There’s a confusion with the flag colours, I should have documented this better.
Take a look at this image: https://i.imgur.com/JnMkFSo.png
Here you can see the three (3) different colours that the WordPress Integrity tool shows. Green means a file that is not part of a standard WordPress installation has been added and may be deleted if you don’t need it. Red means a file that is part of a standard WordPress installation has been deleted and needs to be restored. Purple means a file that is part of a standard WordPress installation and must be restored as soon as possible.
In your case, you see red, which means the file should exist, but it was deleted. You can use the actions at the bottom of the table to “Restore” the original content of the file.
Marking as resolved, let me know if you need more information.
I suspect that this is a WP core file that is missing, and this is why you are showing this error. Is this correct?
No, that is incorrect.
If the file is part of a regular WordPress installation but has been deleted, the plugin will print the filename inside a table below the “WordPress Integrity Check” panel. The plugin will also provide an option to restore the content of the file in that case.
If the error is “Site Not Clean”, it means the URL is returning suspicious code.
Unfortunately, you didn’t provide the real URL so I cannot confirm this for you. I can only tell you that there is a type of malware that hides itself from the website administrators by checking if the User-Agent in the HTTP request matches one of the popular web crawlers, for example, Googlebot [1]. When the User-Agent is different, the malware returns a “404 Not Found” response, consequently confusing the user.
Please keep in mind that even if the file doesn’t exist, the malware could still be deceiving you. Please check the access control file (also known as .htaccess) for suspicious redirection rules.
Marking as resolved, let me know if you need more information.
[1] https://support.google.com/webmasters/answer/1061943?hl=en
This is not a PHP error, as you were calling it.
A PHP error looks like this: https://i.imgur.com/lqkAIXL.jpg
What you are looking at, is a “Controlled Warning” triggered by the Sucuri plugin after detecting that one or more of the files that power WordPress in your website has been modified or deleted. Unfortunately, it’s impossible to see the list of corrupt files from the screenshot you posted so I cannot help much at the moment.
You can scroll down the table and find some options to fix those files, you can either restore them (if they have been modified), mark them as fixed (if you think the warning is a false positive), or delete them (if they are not part of a normal WordPress installation).
Marking as resolved, let me know if you need more information.
Can you share what’s the error or the website so I can tell you how to fix it?
Hello @bella2011
And there are no redirects. It’s a dev site on SSL.
This statement here makes me think there is a redirect.
When you configure SSL, you are supposed to access the website using HTTPS, right? But if your installation was done with HTTP, then the “site_url” setting is already broken. The website will try to go from HTTP to HTTPS, and then back to HTTP, and so on forever. The malware scanner stops trying after a few attempts, and throws this error message.
Send a HEAD request to the home page and see what you get.
I am marking this ticket as resolved, since the problem that you are facing is already explained by that error message. We do not have access to check your website and continue the investigation, so I will leave the rest to you.
Let me know if you need more information.
Hello @imagimedia
Please open the dev tools in your web browser [1][2].
Then reload the plugin dashboard and check if any of the Ajax requests (marked as XHR in the Network panel) returns an HTTP status code different than 200. If yes, then click it and inspect the response, you may find an error message explaining the failure.
Other than that, I cannot do much from here to help you because the code clearly works, otherwise much more people would be reporting the same issue. There is something in your website that is only specific to you, that is affecting the load of the malware scan.
Let me know if you need more information.
[1] https://developers.google.com/web/tools/chrome-devtools/
[2] https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_toolsHello @7thcircle ,
Thank you for the bug report.
The code seems to be failing here [1] while trying to report a change in the status of a post. WordPress doesn’t seems to be sending the correct data to this function, instead of a WP_Post object, it is sending Null. The PHP function “ property_exists” is expecting something different than a Null, and that’s why it logs the error.
I think @ycampo may have an insight on this bug, there were a lot of changes in the code in the last update, but I didn’t have the opportunity to test them all, only the ones I submitted. There’s also the possibility that the latest version of the code is not compatible with your version of WordPress.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/111363e/src/hook.lib.php#L673-L675
Hello @halohtlo
The Sucuri plugin doesn’t communicates with the database at all.
It detects successful and failed logins via WordPress hooks [1][2].
It doesn’t matter how you named the users table, if your users are logging in using one of the user authentication methods supported by WordPress, then the Sucuri plugin will detect the operation.
Let me know if you need more information.
Thank you for supporting our work.
[1] hookLoginSuccess() via wp_login
[2] hookLoginFailure() via wp_login_failedHello @shaunmesh
Please increase both “memory_limit” and “max_execution_time” to 1024M and -1 respectively. This will give WordPress enough resources and time to allocate whatever is triggering the server error. You can revert the settings back to their normal values once you find the bottleneck.
Settings “max_input_time” and “post_max_size” are not necessary because you are not sending anything to the server, you are just trying to load the admin dashboard, right? You can leave these two untouched, as increasing them will not make any difference in your investigation.
At this point, I would start using Xdebug Profiler, do you have it installed?
Hello @jarrodwhitley0518
Thank you for your concern.
Disclaimer: I wrote every line of code in that file.
First of all “escapeshellarg” is not dangerous. It is used to escape a string to be used as a shell argument. You can read more about it here: http://php.net/manual/en/function.escapeshellarg.php .
However, there is another function in that file that is actually considered dangerous: exec. Below are the details of how I am using this function, and how unlikely it is to be used to attack your website.
—
All the code in that file is used to power one single feature in the plugin called “WordPress Integrity Diff Utility” that’s disabled by default. The button that allows you to enable it contains a warning with an explanation of the consequences of turning this tool on. The code is used to enable the execution of the Unix “diff” command to allow an admin to inspect corrupt WordPress files found during a malware scan.
The plugin firsts checks if the “diff” command exists executing this:
command -v diff 1>/dev/null
This command doesn’t accepts any user input, so it is 100% safe.
Then, for every corrupt file, it executes this command:
diff -u -- FOO BAR 2> /dev/null
Where “FOO” and “BAR” are two files generated like this:
$a = tempnam(sys_get_temp_dir(), SUCURISCAN . '-integrity-'); $b = tempnam(sys_get_temp_dir(), SUCURISCAN . '-integrity-');
The user cannot tamper these files paths, so it is 100% safe.
Possible Attack Vectors
Here is a step-by-step of how to attack your website with this code:
- The hacker tricks you (or any other admin user) to enable the “WordPress Integrity Diff Utility”
- The hacker adds, modifies, or deletes —using a different exploit— one of the WordPress core files
- The hacker injects malicious code into WordPress’ official GitHub or Subversion repository
- The hacker tricks you to click the corrupt file from the “WordPress Integrity” page in the Sucuri plugin
- The plugin creates safe temporary files, as explained above, using PHP “tempnam” function
- The plugin downloads the malicious file from WordPress’ GitHub or Subversion repository into “FOO”
- The plugin copies the —possibly infected— file (created in step #2) into “BAR”
- The hacker replaces the “diff” binary with a malicious program, without alerting your hosting provider
- The rogue “diff” program takes “FOO” and “BAR” and spits malformed text
- The plugin prints the malformed text into the Sucuri Dashboard page
- The malformed text, somehow, bypasses all WordPress HTML escape functions
- The admin user who’s currently in the page gets pwned!
All of this is necessary in order to use the “command.lib.php” file maliciously. As you can see, some of these steps are very difficult to accomplish, and at some points it doesn’t makes sense to continue because, for example, if the hacker is able to compromise WordPress’ official GitHub/Subversion repository, why would they bother with your website? They can do more harm by continue the attack against Automatic instead.
In the unlikely scenario where the hacker has a grudge against you, they need to trick You, WordPress, and your Hosting Provider multiple times in order to use, maliciously, the code that I wrote inside that file.
This attack vector is almost impossible to happen.
I appreciate you taking the time to audit the Sucuri plugin’s code.
Please let me know if you have other concerns.
