Scan won't complete

More info:

Wordfence has detected issues in the partial scans that have in fact run. I resolved some by deleting unused themes and plugins, ignoring some known theme changes (yeah, I didn’t modify them in the proper way myself). I also deleted two suspicious files.

But as far as I can tell the Pharma Hack also involves database entries, and I haven’t seen anything about cleaning those in any Wordfence scanning so far.

I have also looked through documentation about using Google’s Webmaster tools, and while under Security it says “Currently, we haven’t detected any security issues with your site’s content” it does seem like some pages still contain Pharma Hack junk when fetched in the right way.

…and I’m now at the limit of my understanding of what to do and how to do it.

Site is https://www.nomadicfrog.com, so if you search Google for site:nomadicfrog.com you’ll see some of the “Amoxicillin for Sale” and “Ketoconazole Cream For Sale” stuff.

[ No bumping please. ]

• This reply was modified 8 years, 3 months ago by Jan Dembowski.

So, I did in fact read the “read this before posting” post, and did my best to comply with these two slightly contradictory requests:

“Please keep your posts as short as possible.”

“Make sure and post all relevant details. Hosting environment (Windows, Linux?), error messages, last thing you did right before the site blew up, etc. are all good things to include.”

Obviously my original post isn’t “short”, although much of the length is from including some debug log entries as I have seen WF reps requesting. In short, I tried to include my environment what I’ve done to try and help myself, and anticipate questions, keeping it as brief and clear as possible. Even tried to be helpful and maybe ID a place where the documentation could be clarified.

“We do read every post that appears here and we make every effort to give you a timely response. We value our free community as much as our paid customers.”

I see dozens of responses from the community and WF representatives in recent hours – even many resolved issues – but my original post from nearly two days ago gets nothing?

I’m really not sure why I’m bothering with this, but I’ll keep adding what I’m doing to try and help myself.

So, I’ve also now tried enabling “High Sensitivity” scanning, not that that would fix the problem, but at least I’ll be extra thorough if and when I actually manage to complete a scan.

I tried disabling config caching at the bottom of the Diagnostics page…but now I don’t even see that checkbox at all. Not sure where it went, but I unchecked it after reading this page.

Happened to see that a new version was, coincidentally, released today doing away with config caching. Nice timing to help me think I was really losing my mind. I mean, I’m already talking to myself.

Hi nomadicfrog,
I’m sorry for this late reply, when any thread got replied it goes to the top of the list in the forum, so posting many replies will keep pushing it away, that’s why WP forum moderators recommend “No_Bumping“.

Regarding your question, could you please disable all your other plugins -temporarily- then make sure “Enable debugging mode” is turned on, and run a new scan? paste any error message you may get here to check.

This message “Scan process ended after forking” -mostly- is there because either one of your plugins is blocking access to wp-admin folder, or some codes in .htaccess is doing the same thing, you may need to check if your web host left some codes there doing that.

Let me know how it goes,
Thanks.

I wasn’t aware that I was bumping – I don’t post much in these forums, and I was trying hard to follow the rules. In any event I didn’t, apparently, bump for 24 hours after my first inquiry with no responses. Anyhow, sorry that I caused a problem, and thank you for chiming in.

I just deleted 4 inactive plugins and then disabled all (13) plugins other than Wordfence. I ran a scan with debugging turned on.

It still seems to hang on scanning for infections and vulnerabilities and Googles Safe Browsing List. The last log entry was, at the time I’m typing this, about 25 minutes ago (everything in the log for the current scan happened within 3 minutes).

I’m not 100% sure what all are error messages, but here are some things that don’t sound good. (I’ve included a few log file lines before and after the error. Let me know if there is a better way to format them here (code? b-quote?)

[ Moderator note: code fixed. Please wrap code in the backtick character or use the code button. This includes log data. ]

[Aug 26 12:10:22:1472227822.227509:4:info] Scanning contents: wp-content/uploads/2008/05/MG_1261.jpg (Size:105506B Mem:34.8M)
[Aug 26 12:10:22:1472227822.215027:4:info] <strong>Scan process ended after forking.</strong>
[Aug 26 12:10:22:1472227822.107055:4:info] Scanning contents: wp-content/uploads/2008/05/MG_1261-590x393.jpg (Size:58831B Mem:34.8M)
.
.
.
[Aug 26 12:10:05:1472227805.610781:2:info] Starting scan of file contents
[Aug 26 12:10:05:1472227805.225725:4:info] Calling Wordfence API v2.23:https://noc1.wordfence.com/v2.23/?v=4.6&s=http%3A%2F%2Fwww.nomadicfrog.com%2Fjournal&k=c793ee73ae51f1b08d90ba13bb2085eb5759c245db9f153222d3ad57407f6c998051abbf710fd3c3e40d10127e09052a05bc03fc1d10e6a1ccd4cc9d3845e6142f33a0e3474181a1d2168dc3d79e8f90&openssl=9469999&phpv=5.2.17&betaFeed=0&cacheType=0&action=get_patterns
[Aug 26 12:10:05:1472227805.220186:10:info] SUM_START:Scanning files for URLs in Google's Safe Browsing List
[Aug 26 12:10:05:1472227805.217446:10:info] SUM_START:Scanning file contents for infections and vulnerabilities
[Aug 26 12:10:05:1472227805.210819:10:info] SUM_ENDOK:Check for publicly accessible configuration files, backup files and logs
[Aug 26 12:10:05:1472227805.199602:10:info] SUM_START:Check for publicly accessible configuration files, backup files and logs
[Aug 26 12:10:05:1472227805.154319:10:info] SUM_ENDOK:Scanning for known malware files
[Aug 26 12:10:05:1472227805.151715:10:info] SUM_ENDOK:Scanning for unknown files in wp-admin and wp-includes
[Aug 26 12:10:05:1472227805.149285:10:info] SUM_ENDOK:Comparing plugins against www.remarpro.com originals
[Aug 26 12:10:05:1472227805.146811:10:info] <strong>SUM_ENDBAD</strong>:Comparing open source themes against www.remarpro.com originals
[Aug 26 12:10:05:1472227805.143694:10:info] SUM_ENDOK:Comparing core WordPress files against originals in repository
[Aug 26 12:10:05:1472227805.142417:2:info] Analyzed 5438 files containing 340.61 MB of data.
[Aug 26 12:10:05:1472227805.128621:4:info] Scanning: /home/content/t/o/r/torchbone/html/journal/xmlrpc.php (Mem:41.8M)
.
.
.
[Aug 26 12:09:55:1472227795.750540:4:info] Scanning: /home/content/t/o/r/torchbone/html/journal/wp-includes/js/jquery/ui/position.min.js (Mem:41.8M)
[Aug 26 12:09:55:1472227795.745240:4:info] <strong>Scan process ended after forking.</strong>
[Aug 26 12:09:55:1472227795.738623:4:info] Scanning: /home/content/t/o/r/torchbone/html/journal/wp-includes/js/jquery/ui/mouse.min.js (Mem:41.8M)
.
.
.
[Aug 26 12:09:29:1472227769.502749:4:info] Scanning: /home/content/t/o/r/torchbone/html/journal/wp-content/uploads/2015/03/IMG_0722-310x150.jpg (Mem:41.8M)
[Aug 26 12:09:29:1472227769.495055:4:info] <strong>Scan process ended after forking.</strong>
[Aug 26 12:09:29:1472227769.275608:4:info] Scanning: /home/content/t/o/r/torchbone/html/journal/wp-content/uploads/2015/02/MG_8618.jpg (Mem:41.8M)
.
.
.
[Aug 26 12:09:02:1472227742.975689:4:info] Scanning: /home/content/t/o/r/torchbone/html/journal/wp-content/uploads/2014/05/neal_parent_003_crop-310x150.jpg (Mem:41.8M)
[Aug 26 12:09:02:1472227742.965567:4:info] <strong>Scan process ended after forking.</strong>
[Aug 26 12:09:02:1472227742.942900:4:info] Scanning: /home/content/t/o/r/torchbone/html/journal/wp-content/uploads/2014/05/neal_parent_003.jpg (Mem:41.8M)
.
.
.
[Aug 26 12:08:34:1472227714.612388:4:info] Scanning: /home/content/t/o/r/torchbone/html/journal/wp-content/uploads/2013/04/dawson_fractured_002-310x150.jpg (Mem:42.2M)
[Aug 26 12:08:34:1472227714.602776:4:info] <strong>Scan process ended after forking.</strong>
[Aug 26 12:08:34:1472227714.596034:4:info] Scanning: /home/content/t/o/r/torchbone/html/journal/wp-content/uploads/2013/04/dawson_fractured_002-213x300.jpg (Mem:42.2M)

As for .htaccess file(s) – I am currently trying to delete 6GB of other non-Wordpress stuff from my server, which is taking forever, and when it’s done I’ll search for all .htaccess files.

• This reply was modified 8 years, 3 months ago by Jan Dembowski. Reason: Fixing formatting

At the risk of bumping, here’s more info about .htaccess files. I think there are five of them within the WordPress installation folder (which back then I named “journal”)

/journal
/journal/wp-content/plugins/akismet
/journal/wp-content/plugins/wordfence/lib
/journal/wp-content/plugins/wordfence/tmp
/journal/wp-content/wflogs

I don’t know much about these files. Can I safely delete them? Do you want the contents of them here to see if there is a problem? I don’t know what to do, if anything.

Should I also be checking outside of the WordPress installation?

No, please do not delete these files, they are simply an extra layer of configuration to your Apache server, WordPress adds some codes there to get permalinks working properly on your website.

Please send the content of “/journal/.htaccess” file to “alaa [at] wordfence [dot] com”, also go to (Wordfence > Diagnostics) then scroll down the page and click on “Send Report by Email” to the same email address. (make sure to include your forum username).

So -just to confirm- you did not manage to get a completed scan till now? may I ask which step does the scan stuck at? because I can see the scan keeps going after “Scan process ended after forking” message?

It might be helpful in this case if you try these tips about “My scans don’t finish. What would cause that?“.

P.S. You can use this website to paste long text then share the link here in the forum.

Thanks.

I will send the .htaccess file and the Report to you in a second (thank you!)

No, I have not ever gotten a scan to complete. As far as I can see on the scan page it hangs on “Scanning for infections and vulnerabilities” and “Googles Safe Browsing List”.

I have been through the My Scans Don’t Finish page seriously 10 or more times, and I think I’ve tried everything on it, plus several other forum posts and info I can find on the web. (I think I’ve described the steps I took to follow those suggestions in this thread, too, for reference.)

Just fyi, I’m heading out into the wilderness for a few days, so I may not be able to do anything on Wordfence while I’m gone. I was hoping to have this resolved first, and I will pick it back as soon as I return, but just so you know, if I don’t respond quickly it’s not for lack of urgency on my part.

Hi nomadicfrog,
After checking the diagnostic report, I can see you are running an old version of PHP 5.2.17, the recommended PHP version by WordPress is 5.6, and Wordfence requires PHP version 5.4 or newer, so please make sure to update PHP to 5.6 as recommended by WordPress, you can ask your web host about that.

Also, try any of these methods to increase the WP_MEMORY_LIMIT to something like 128MB.

Keep me updated -whenever possible- and enjoy your outing!
Thanks.

Hi again nomadicfrog,
I got your reply notification via email -not sure why I can’t find it here though!- actually, once the scan is completed, you will be able to check the scan result and start fixing issues that might appear, so you can do that on the new server after migration, no problem.

I want to emphasize again on the WP_MEMORY_LIMIT value, you may need to gradually increase it till 256MB and re-scan again, hopefully you may get it working fine and fix all the issues before migration (or at least make sure everything has been already fixed).

Thanks.

• This reply was modified 8 years, 3 months ago by wfalaa.

I posted my last reply and then found out that the WordPress forums were down for maintenance – my reply must have disappeared into the ether.

What a drama since then. I actually signed up with Bluehost, paid for the migration, then found out that they don’t support a little email feature that I need (enabling a catchall account – long unrelated story). So I canceled that and signed up with InMotion.

They should migrate my site…eventually, and I’ll get back to cleaning up the hack then – with PHP 5.6 and increasing the memory limit.

I’ll report back whenever they get done with the migration!

Ok, so I seem to be up and running on InMotion’s servers now. (InMotion, btw, seems to be amazing – tech support, migration, everything has been super fast and very friendly.)

Pretty sure I am now using PHP 5.6.24.

I did the first step in the WP_MEMORY_LIMIT documentation you sent me, and added the line to wp-config.php. When I look at the Diagnostics page the WP_MEMORY_LIMIT went from 40M to 256M, so I assume it worked?

As for steps 2 and 3 on that page, not sure I’m supposed to mess with those if making that change to wp-config.php accomplished the goal. Right?

And, I just ran a scan. It seemed to take 21 minutes, and it says “Scan complete. Congratulations, no problems found. Scan Complete.”

I just used Google’s webmaster tools to Fetch and Render as Google on a known problem and the Pharma Hack still appears. Not sure what to do next.

I tried working through these suggestions and found and deleted some database entries.

When I go to “Fetch and Render as Google” I now get different – slightly better? – results. For “How Googlebot sees the page” I no longer see Amoxicillin garbage, but for “How a visitor would see the page” it is still there. (Before deleting the database items both sides looked the same.)

I’m fried, gotta go to bed. Let me know if log files, diagnostic reports, screenshots of Google’s fetching, etc. would be useful and I can send them in the morning.

Congratulations for completing the scan successfully, seems like upgrading the PHP version along with increasing the memory limit worked as a treat.

The scan didn’t catch any files with malicious code or something -which is a good news- also you cleaned the database from these spammy entries you found, so I guess all you need to do now is forcing Google to re-crawl your website, check “Use Fetch as Google” and “Ask Google to re-crawl your URLs” and watch for the results.

Thanks.