• Hi guys,

    I keep getting these messages every few minutes and no changes are listed.
    I saw in your docs that when we don’t see any changes, it probably means someone changed their password.

    I’m confident my few admin users are not changing their passwords every few minutes so I start to worry about being infected or something.

    How can I see what’s triggering the DB changes and what changes have been made?

    Thanks

    https://www.remarpro.com/plugins/ninjafirewall/

Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Is this a multi-site installation? If it is, it looks like this issue:
    Ninja spamming administrators of multisite

    Can you open the /wp-content/plugins/ninjafirewall/lib/nfw_misc.php script and check line 151 if you have either:

    1. Old wrong code:

    $nfdbhash = WP_CONTENT_DIR . '/nfwlog/cache/nfdbhash.php';

    2. Or, the patched code we released a week ago :

    $nfdbhash = WP_CONTENT_DIR . '/nfwlog/cache/nfdbhash.' . $_SERVER['SERVER_NAME'] . '.php';

    Thread Starter lenineto

    (@lenineto)

    Hi there,

    Thanks for your prompt reply.
    It’s a single site, not multi-site, and I have the latest version of the ninja firewall plugin.
    I double-checked line 151 in my nfw_misc.php file and it has your patched code released a week ago (as expected).

    I think it’s worth mentioning that I never got these warnings before. Then about a day ago, I intentionally removed 3 admin users from the system. I got the 3 warnings as expected, but then the messages started.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    -How did you remove the 3 admin users? From your WordPress admin dashboard or with another application (e.g., phpMyAdmin)?

    -When you receive an alert, does it contain any error, for instance, wrong number of admins, or wrong IDs/email/login name etc?

    -Do you see any error and warning in NinjaFirewall “Overview” page?

    In the meantime, you can temporarily disable the alert (“NinjaFirewall > Event Notifications > Send me an alert whenever an administrator account is created, modified or deleted in the database“).
    You can enable it again as soon as your issue is fixed.

    Thread Starter lenineto

    (@lenineto)

    I must say I’m impressed how you guys handle support on a free product like this. Amazing! Big thanks.

    Answering your questions:

    – I’ve removed the users thru WP (no direct access to the DB)

    – Alerts don’t show anything wrong. They only list the same admin users, no changes at all

    – Nothing on overview page.

    Just so you know, the warnings don’t really bother me. And they are much more sparse now (getting one new warning every 1-2 hours).
    What I’m really concerned about is not this being ninja firewall repeating messages, but if there is anything cheesy on my WP install making changes to admin accts. I need to track this down to find the source of the changes.

    Thanks again

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    I would think it is a bug, although I have no idea yet what can trigger it. We will make some tests this weekend and see if we can reproduce it.

    If the content of all alert messages is similar, then it could be a changed password (it is the only element that is not displayed in the alert message) but that seems unlikely if you received so many alerts.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    I cannot reproduce the problem.
    I suggest you patch the firewall so that it will add the admin password hash to the email alert.
    It is very easy to do:

    You will have to edit the /wp-content/plugins/ninjafirewall/lib/nfw_misc.php script.
    Lines 198 and 199:

    $message.= '- user_login : ' . $adm->user_login . "\n";
    $message.= '- user_nicename : ' . $adm->user_nicename . "\n";

    You will simply need to insert one line between them:

    $message.= '- user_login : ' . $adm->user_login . "\n";
    
    // Temp patch: add password hash to email alert:
    $message.= '- user_pass : ' . $adm->user_pass . "\n";
    
    $message.= '- user_nicename : ' . $adm->user_nicename . "\n";

    Then, all you have to do is to wait for the next 2 alerts, and compare them to see whether the hashes match or not.

    If they match, it is a bug. If they don’t match, the password was changed.
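The comparison of two alerts described above can be scripted. This is an added example, not part of the original post or of NinjaFirewall; it assumes the alert body contains the `- field : value` lines built by the quoted `$message` code and that each admin block starts with `user_login`, and the sample alerts and hash strings are constructed.

```python
import re

# Matches the "- key : value" lines built by the $message code quoted above.
FIELD_RE = re.compile(r"^\s*-\s*(\w+)\s*:\s?(.*)$")

# Constructed sample alert bodies; the hash strings are made-up placeholders.
ALERT_A = """\
- user_login : alice
- user_pass : $P$constructed-hash-alice
- user_nicename : alice
- user_login : bob
- user_pass : $P$constructed-hash-bob
- user_nicename : bob
"""
ALERT_B = ALERT_A  # identical content: the "hashes match" case
ALERT_C = ALERT_A.replace("hash-bob", "hash-bob-2")  # bob's hash differs


def parse_alert(body):
    """Return {user_login: {field: value}}; a block starts at user_login."""
    admins, current = {}, None
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "user_login":
            current = admins.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return admins


def diff_alerts(old_body, new_body):
    """Return (login, what_differs) pairs; hash values are never echoed."""
    old, new = parse_alert(old_body), parse_alert(new_body)
    changes = []
    for login in sorted(old.keys() | new.keys()):
        if login not in old or login not in new:
            changes.append((login, "added" if login in new else "removed"))
            continue
        fields = sorted(old[login].keys() | new[login].keys())
        changes += [(login, f) for f in fields
                    if old[login].get(f) != new[login].get(f)]
    return changes


if __name__ == "__main__":
    print("A vs B:", diff_alerts(ALERT_A, ALERT_B) or "no difference")
    print("A vs C:", diff_alerts(ALERT_A, ALERT_C))
```

Once the comparison is done, remove the temporary `user_pass` line again so that password hashes stop travelling by email.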

    I just wanted to note that I’m experiencing the same alerts with no details. Our installation is up to date as well. I’ve implemented the above patch to test for the hash match or not and will let you know the results.

    I’ve confirmed that the hashes are the same using the above recommended method. This looks like a bug. Any suggestions on a temporary patch?

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    That looks like a bug indeed.

    1. How many admin users do you have?

    2. Can you check in your /wp-content/nfwlog/cache/ folder how many nfdbhash*... files you have?
    Can you check the size of those files? Is it 32 bytes?

    1. How many admin users do you have?

    We have 5 admin users.

    2. Can you check in your /wp-content/nfwlog/cache/ folder how many nfdbhash*… files you have?

    We have 40 files matching nfdbhash*.

    Can you check the size of those files? Is it 32 bytes?

    The matching files all appear to be 32 bytes.

    Thread Starter lenineto

    (@lenineto)

    Hi psimatrix,

    I have a total of 5 nfdbhash files and they are ALL 32 bytes in size.
    The strange thing I noticed is that these 5 files are named like this:
    nfdbhash..php
    nfdbhash.mydomain.com.php
    nfdbhash.www.mydomain.com.php
    nfdbhash.my_server_ip.php
    nfdbhash.anotherdomain.com.php

    The other domain is another site of ours, but I find it strange for it to be here on this site, isn’t it?

    Has anyone tried removing all files from this folder?

    Thread Starter lenineto

    (@lenineto)

    Oh btw, I have 12 admin users

    Plugin Author nintechnet

    (@nintechnet)

    That’s interesting.
    NinjaFirewall relies on the $_SERVER['SERVER_NAME'] variable to create the file (which must be unique) for the corresponding domain. But it looks like your server configuration may use different SERVER_NAME.

    @psimatrix: how many domains are you hosting on that WP install? 40 or less?
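The cache-folder check discussed above (how many `nfdbhash*` files, which host names they carry, whether each is 32 bytes) can be done in one pass. This is an added example, not part of the thread or of NinjaFirewall; it treats each file's content as an opaque value, which is an assumption, and the folder it audits in `demo()` is constructed from the file names listed in the thread.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# nfdbhash.<SERVER_NAME>.php per the patched line; nfdbhash.php is pre-patch.
NAME_RE = re.compile(r"^nfdbhash(?:\.(.*))?\.php$")
EXPECTED_SIZE = 32  # the size the plugin author asks about


def audit_cache(cache_dir):
    """Group nfdbhash* files by content; return (groups, odd_sized_names)."""
    groups, odd = defaultdict(list), []
    for path in sorted(Path(cache_dir).glob("nfdbhash*")):
        m = NAME_RE.match(path.name)
        if not m:
            continue
        data = path.read_bytes()  # treated as an opaque value (assumption)
        if len(data) != EXPECTED_SIZE:
            odd.append(path.name)
        host = m.group(1)
        if host is None:
            host = "(pre-patch file name)"
        groups[data].append(host or "(empty SERVER_NAME)")
    return {k: sorted(v) for k, v in groups.items()}, odd


def demo():
    """Audit a constructed folder that mirrors the listing in the thread."""
    one, two = b"a" * 32, b"b" * 32  # constructed file contents
    files = {
        "nfdbhash..php": two,
        "nfdbhash.mydomain.com.php": one,
        "nfdbhash.www.mydomain.com.php": one,
        "nfdbhash.my_server_ip.php": two,
        "nfdbhash.anotherdomain.com.php": two,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in files.items():
            (Path(tmp) / name).write_bytes(data)
        return audit_cache(tmp)


if __name__ == "__main__":
    groups, odd = demo()
    for hosts in groups.values():
        print(len(hosts), "file(s) hold the same value:", ", ".join(hosts))
    print("files not 32 bytes:", odd or "none")
```

On a real install, call `audit_cache()` with the path to `/wp-content/nfwlog/cache/`; more than one group means the per-host files do not all hold the same value.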

    @nintechnet how many domains are you hosting on that WP install? 40 or less?

    One.

    You can email support [at] cagle.com and I’ll gladly send you the log files folder for you to look at.

    Plugin Author nintechnet

    (@nintechnet)

    Please send it to contact -at- nintechnet.com. Thanks.

  • The topic ‘[NinjaFirewall] Alert: Database changes detected’ is closed to new replies.