File change notification – mail

To investigate this properly we’ll need some extra info.

First of all how are all of your File Scan Detection settings set ?
Did you change any or are the settings default ?

Are you using the latest free iTSec plugin release (4.6.13) ?

Have you been using the iTSec plugin for a while (>6 months) ?

Did you enable Permalinks in WP ?

Is this a multisite WP install ?

Do I understand correctly that a scheduled scan always results in
a large number of Files Added while a manual scan does not (0) ?

Has it ever worked properly or did you just start using this feature
and it has never worked properly from the start ?

Please provide us with the info from the Server Information and PHP Information parts of the System Information section on the iTSec plugin Dashboard page.

Do you have a test WP environment, or would it be possible to set up a test WP environment, on the same server\hosting provider ?
(Doesn’t need to be a copy of an entire website, just WP + iTSec plugin will do).

How important is it for you to get to the bottom of this issue and how committed are you in providing assistance while troubleshooting this issue ?

dwinden

First of all how are all of your File Scan Detection settings set ?
Did you change any or are the settings default ?

I think it’s not the default setting ( I try somethings to resolve this issues ).
Checked :
Enable File Change detection
Email file change notifications
Display file change admin warning

Unchecked :
Split file checking into chunks.

Are you using the latest free iTSec plugin release (4.6.13) ?

Yes

Have you been using the iTSec plugin for a while (>6 months) ?

No, it’s a new install ( ~1 month ), but I’ve got the mail each 2 days with all files added.

Did you enable Permalinks in WP ?

Yes : /%postname%/

Is this a multisite WP install ?

No

Do I understand correctly that a scheduled scan always results in a large number of Files Added while a manual scan does not (0) ?

Exactly. The sheduled scan always says all files are added.

Has it ever worked properly or did you just start using this feature and it has never worked properly from the start ?

This feature never worked properly for me ( on different website with the same configuration ).

Please provide us with the info from the Server Information and PHP Information parts of the System Information section on the iTSec plugin Dashboard page.

Server Information
Server / Website IP Address: 178.33.103.67
Server Type: Apache
Operating System: Linux
Browser Compression Supported: gzip, deflate
PHP Process User (UID:GID): cabinetdj (94360:100)

PHP Information

PHP Version: 5.3.29
PHP Memory Usage: 47.07 MB
PHP Memory Limit: 256M
PHP Max Upload Size: 64M
PHP Max Post Size: 64M
PHP Safe Mode: Off
PHP Allow URL fopen: On
PHP Allow URL Include: Off
PHP Display Errors: On
PHP Display Startup Errors: Off
PHP Expose PHP: On
PHP Register Globals: Off
PHP Max Script Execution Time: 120 Seconds
PHP Magic Quotes GPC: On
PHP open_basedir: Off
PHP XML Support: Yes
PHP IPTC Support: Yes
PHP Exif Support: Yes ( V1.4 )
Disabled PHP Functions: (none)

Do you have a test WP environment, or would it be possible to set up a test WP environment, on the same server\hosting provider ?

I can, but the issue appear on multiple site which are not on the same hosting/server.
But I can install a test WP on one of this.

How important is it for you to get to the bottom of this issue and how committed are you in providing assistance while troubleshooting this issue ?

This issue is important for me to check if my websites are not infected by malwares ( One of my website are under attacks ).

Thanks a lot

Ok, thank you for the feedback.

Please note that the iTSec plugin “File Change Detection” feature is not a malware scanner …
It only detects changes to your website files compared to the previous scan.

To scan for malware use the iTSec plugin Malware Scanning feature.
(It’s only a manual scan. The iTSec Pro premium plugin includes the Schedule Malware Scan feature).

If you still wish to use the File Change Detection feature let me know and we will continue troubleshooting your issue.

dwinden

I just want the File Change Detection feature to check the new file on the server, I know it’s not malware scan.

Please continue for those troubleshooting.

Thanks.

Ok, before I provide you with a test file, containing an isolated piece of File Change Detection code for debugging purposes, there is 1 more thing to check.

In WP Dashboard goto the WP Settings (General) menu option.

Is WordPress Address (URL) = Site Address (URL) ?

If not, what are the values specified ?
If not, is this site an exception or does this apply for all the other problematic websites as well ?

(In your answer you can substitute the true domain names with fake ones to protect the real domain names. Just make the values similar so I can see the structural differences).

dwinden

Is WordPress Address (URL) = Site Address (URL) ?

Yes, the two addresses are the same.
https://[mydomain].com ( without www. )

Thanks

Ok, so here we go.

Download this test script.

I’ve isolated the File Scan Detection code that builds the site current list of files from the iTSec plugin and copy\pasted it into a single test file. File Scan Detection uses a recursive function to do this. It’s included in the script.

Simply copy the file into the WP install folder while renaming the extension of the file from .zip to .php (It’s a fake .zip file to facilitate the download) The WP install folder is the location where the .htaccess and wp-config.php reside (amongst other files).

Run the test script once using a similar url like this:

https://www.yourdomain.com/filescan.php

The filescan.php script will run completely outside the WP framework. I’ve tested the script and I believe it should work fine. It will have no impact whatsoever on the WP env (apart from a bit of temporary memory usage and CPU load on the server). The script does NOT connect to the database.

Note that building the current file list of the site seems to be working for scheduled scans in your env. However it does not seem to work for manual scans.
That’s why I decided to run this particular test first.

The advantage of running the isolated code is that we don’t (yet) need to install a seperate WP test env.

As a result of running the script you will see an array of site files with their dates + MD5 hash. At the top of the array it will show the total # of files the scan was able to find for this site.

What I’m hoping for is that running the script will actually show us some PHP warning(s) or fatal error(s).
But don’t be surprised if it runs without any errors … and simply displays the expected output.

dwinden

Hello,

The scan work well :
# files: 7036

Do you need anything else ?

Thanks a lot

Ok.
Please update the topic with an excerpt from the Logs page.
First select File Change History from the Select Filter: dropdown listbox.
Copy\paste the most recent 10 log entries using the format below:

2015-05-28 14:57:57 2661 0 0 4.73MB Details

If possible specify which of those are the result of a manual scan.

dwinden

Hello,

When I make a manual scan from the Logs page the log is empty.

It’s tell me there are no files modified, added or deleted

Yes, I know. You said that before.
Still interested in the requested log entries …

dwinden

I’m so sorry I don’t understand what you want exactly.

Here the result when I filter the logs with “File Change history”:

View post on imgur.com

Ok, no problem.
I see from the screenshot that your “File Change History” log is totally empty … which is not good. Every File Change Detection (scheduled or manual) scan should add a log entry …
But this may be a clue why the manual scan it not working.
(Assuming you have not cleared the logs).

Please check the contents of the wp-content/uploads/ithemes-security folder. If a folder named file_change.lock exists delete it.

Only after manually deleting a file_change.lock folder, retry doing a manual File Change Detection scan.
If it now runs correctly a “File Change History” log entry should be added.

If the problem is not solved by deleting a file_change.lock folder I have a new debug script for you to run. If necessary I will include it my next post. First I’ll wait for your feedback related to the file_change.lock folder.

dwinden

First of all, I don’t clearing the log ( I have a lot of 404 error in the log ).

I don’t have any folder called file_change.lock on the ithemes-security folder ( only logs and backups folder ).

Thanks a lot

Ok.
So let’s run a full debug of a manual scan.

You will need to download the following 2 files:

itsec_scan.zip
class-itsec-file-change.zip (4.6.13)

Copy the itsec_scan.zip file into the WP install folder while renaming the extension of the file from .zip to .php (It’s a fake .zip file to facilitate the download).

Rename the existing wp-content/plugins/better-wp-security/modules/free/file-change/class-itsec-file-change.php file to class-itsec-file-change_.php

Copy the class-itsec-file-change.zip file into the wp-content/plugins/better-wp-security/modules/free/file-change folder while renaming the extension of the file from .zip to .php (It’s a fake .zip file to facilitate the download).

Run the debug script using a similar url like this:

https://www.yourdomain.com/itsec_scan.php

If it runs without any problems it should produce output similar to this:

File lock file_change.lock created.
# logged_files: 2066
# current_files: 2066

Array
(
[filescan.php] => Array
(
[d] => 1433404871
[h] => 7a60e824ab717848a65d045f69ea6417
)

[wp-settings.php] => Array
(
[d] => 1431153525
[h] => 891420b0ac987228906c327d2bee1dba
)

[wp-config-sample.php] => Array
(
[d] => 1431153524
[h] => 6f224d13e4a270c2e671e6fe24761942
)

…

[wp-includes/class-wp-customize-setting.php] => Array
(
[d] => 1431153524
[h] => d33d741c92f1240b51f2a38ffcbac849
)

[wp-blog-header.php] => Array
(
[d] => 1431153524
[h] => 5f81e56e3ac8ebf59ee135c253b835d8
)

)

*****************************************************************************************************************

Array
(
[wp-settings.php] => Array
(
[d] => 1431153525
[h] => 891420b0ac987228906c327d2bee1dba
)

[wp-config-sample.php] => Array
(
[d] => 1431153524
[h] => 6f224d13e4a270c2e671e6fe24761942
)

…

[wp-includes/class-wp-customize-setting.php] => Array
(
[d] => 1431153524
[h] => d33d741c92f1240b51f2a38ffcbac849
)

[wp-blog-header.php] => Array
(
[d] => 1431153524
[h] => 5f81e56e3ac8ebf59ee135c253b835d8
)

)

File lock file_change.lock released.
Successfully updated the itsec_local_file_list database option.
# Added: 1
# Deleted: 1
# Changed: 1

Array
(
[added] => Array
(
[itsec_scan.php] => Array
(
[d] => 1433442958
[h] => ee4eff6e691f0e7ac66db64a664c9c7c
)

)

[removed] => Array
(
[filescan.php] => Array
(
[d] => 1433404871
[h] => 7a60e824ab717848a65d045f69ea6417
)

)

[changed] => Array
(
[wp-content/plugins/better-wp-security/modules/free/file-change/class-itsec-file-change.php] => Array
(
[h] => 43441104cffc9d02496964a4c3ecbd14
[d] => 1433443090
)

)

[memory] => 8.36
)

Start logging scan …
Scan logged.
Return: true

I have used … chars to truncate the output since there is no point to list all 2066 files. You can do the same when you post your debug output in this topic.
You can run the script as many times as you like.
It does exactly the same thing as the (manual) Scan Files Now button in the iTSec plugin interface.
Once you stop debugging, restore the original class-itsec-file-change.php file. Don’t forget !
Hopefully the debug output will help us find where the problem is.
Any questions, just let me know ??

Good luck !

dwinden