Duplicated and repeated file change warning

  • Hi!

    I’ve updated iThemes Security from version 7.5.0 to 7.6.1 in January 15 and since then I’m getting duplicated daily warning about added, removed and changed files.

    In the same day I’ve updated other six plugins so the first warning about file changing was: 1174 Added, 59 Removed, 421 Changed.

    The usual report is daily changes in like 3-5 files.

    Since then, the warnings are like following:

    File Change 	Warning 	1156 Added, 41 Removed, 372 Changed 	2020-01-21 13:17:48
File Change 	Warning 	1156 Added, 41 Removed, 375 Changed 	2020-01-21 13:03:11
File Change 	Warning 	1156 Added, 41 Removed, 372 Changed 	2020-01-20 13:18:22
File Change 	Warning 	1156 Added, 41 Removed, 377 Changed 	2020-01-20 13:01:24
File Change 	Warning 	1156 Added, 41 Removed, 372 Changed 	2020-01-19 13:32:13
File Change 	Warning 	1156 Added, 41 Removed, 373 Changed 	2020-01-19 13:09:31
File Change 	Warning 	1156 Added, 41 Removed, 372 Changed 	2020-01-18 13:36:41
File Change 	Warning 	1156 Added, 41 Removed, 374 Changed 	2020-01-18 13:06:04
File Change 	Warning 	1156 Added, 41 Removed, 372 Changed 	2020-01-17 13:27:31
File Change 	Warning 	1156 Added, 41 Removed, 376 Changed 	2020-01-17 13:06:48
File Change 	Warning 	1156 Added, 41 Removed, 372 Changed 	2020-01-16 13:33:32
File Change 	Warning 	1156 Added, 41 Removed, 376 Changed 	2020-01-16 13:05:07
File Change 	Warning 	1156 Added, 41 Removed, 372 Changed 	2020-01-15 13:14:56
File Change 	Warning 	1174 Added, 59 Removed, 421 Changed 	2020-01-15 12:59:08
File Change 	Warning 	0 Added, 0 Removed, 3 Changed 	2020-01-14 13:00:23
File Change 	Warning 	0 Added, 0 Removed, 5 Changed 	2020-01-13 12:59:10

    Note that since the day I’ve updated, I get two warnings per day.

    Via SFTP I can check that the files were not updated since Jan 15, so they shouldn’t be in the warning.

    I’ve also compared the files and they are the same. The only difference in changed files are the 3-5 usual ones.

    My WordPress version is: 4.9.8

    Is anyone experiencing this problem too?

Viewing 5 replies - 1 through 5 (of 5 total)

  • Hi,

    If you updated 6 plugins getting a lot of file changes is not necessarily surprising. It is possible that the plugin might have had a hiccup and sent the notification multiple times by mistake.

    Are you still getting multiple emails a day, or did they stop after the initial day?

    Do you recognize files being changed in the notifications?

    Thanks,

    Matt

    Looks like the data from the previous scan is not persisted in the database. Normally subsequent scans will compare with data collected during the previous scan.

    In other words any new scan is now comparing with the same stored file list/hashes over and over again … that may indicate a database issue.

    So check for any errors in the database log.

    • This reply was modified 5 years, 2 months ago by nlpro.

    @lfreitas,

    iThemes Security is a great plugin; however, I recommend disabling “File Change Notification” module. We did and our website runs a lot faster.

    In addition, the “File Change Notification” module does not provide value since it does not provide any decent virus or malicious attack warning based on the file change detection. All you get is “files added” and/or “files deleted.” Many times, a huge stream of data is provided. Data that is hard to decipher or takes a long time to analyze. It’s up to the user to figure out if the file change(s) were the result of a virus or malicious attack.

    When iThemes updates their plugin to detect and provide a meaningful potential attack warning, then it might be beneficial to have the “File Change Notification” module enabled.

    Hope this helps.

    Cheers!

    Hi,

    @beardedginger yes, but the problem is that it’s repeating the same files, without they being changed again. It’s been a week.

    @nlpro you are probably right, thanks for the hint, I’ll look at the database.

    @jetxpert in the sites I manage it helps me and I’ve discovered malicious files with the log the plugin provides – since few people change the files, it’s easy to identify problems.

    Thanks for all the replies.

    I’ll leave this open until I solve it and maybe it could help someone else.

    @lfreitas,

    Interesting.

    (1) Can you provide a couple of examples demonstrating malicious file injections into your website(s).

    (2) Do you know the cause (or point of entry) of these malicious files?

    (3) Did you run Sucuri on your website to confirm the presence of these malicious files?

    Definitely would like to learn from your experience!

    Cheers!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Duplicated and repeated file change warning’ is closed to new replies.