Title: API action=get_pattern not returning full list
Last modified: October 5, 2022

---

# API action=get_pattern not returning full list

 *  Resolved [stegough](https://wordpress.org/support/users/stegough/)
 * (@stegough)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/api-actionget_pattern-not-returning-full-list/)
 * I’ve set Wordfence up on a new development site and all morning the scan has 
   been failing after scanning files – after scouring these forums and online looking
   for a fix to the problem, I can’t see a client side solution, it appears that
   the API is only returning the first 39 lines, then cutting off abruptly.
 *     ```
       {
       	"rules": [
       			[4, 1458883265, "<\\?php[\\x00-\\x1f\\s]if\\(\\!isset\\(\\$GLOBALS\\[\\\"\\\\x", "Suspicious code pattern checking for obfuscated global variable", "both", 0, "Suspicious", "Suspicious:PHP\/issetobfuglobal.4", [0]],
       			[12, 1458883265, "\\$l____l_\\(\\);", "A backdoor known as LunderL", "both", 0, "Backdoor", "Backdoor:PHP\/f726_LunderL.12", []],
       			[14, 1458883265, "\"b\"\\.\"\"\\.\"\"\\.\"\"\\.\"as\"\\.\"\"\\.\"\"\\.\"\"\\.\"e\"\\.\"\"\\.\"\"\\.\"6\"\\.\"\"\\.\"\"\\.\"4\"\\.\"_\"\\.\"\"\\.\"\"\\.\"\"\\.\"de\"\\.\"\"\\.\"c\"\\.\"o\"\\.\"\"\\.\"\"\\.\"\"\\.\"\"\\.\"\"\\.\"d\"\\.\"\"\\.\"\"\\.\"\"\\.\"e\"", "Suspicious code pattern obfuscating a PHP function name", "both", 0, "Suspicious", "Suspicious:PHP\/strconcatb64.14", []],
       			[16, 1458883265, "onfr64_qrpbqr", "A backdoor known as onfr64", "both", 0, "Backdoor", "Backdoor:PHP\/onfr64.16", []],
       			[24, 1458883265, "\\$this_file\\?op=phpinfo", "A backdoor known as aZRaiLPhp", "both", 0, "Backdoor", "Backdoor:PHP\/aZRaiLPhp.24", []],
       			[26, 1458883265, "1Aqapkrv", "Backdoor used to remotely control a server", "both", 0, "Backdoor", "Backdoor:TXT\/supp1.26", []],
       			[28, 1458883265, "visitorTracker_isMob[\\x00-\\x1f\\s]*\\(", "A backdoor known as isMob", "both", 0, "Backdoor", "Backdoor:PHP\/isMob.28", []],
       			[29, 1458883265, "base64_decode\\(['\"]?PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIGlkPSJpZF", "A backdoor known as phnj", "both", 0, "Backdoor", "Backdoor:PHP\/phnj.29", [1]],
       			[37, 1458883265, "Dim szCMD, szTempFile", "A backdoor known as CmdAsp.asp", "both", 0, "Backdoor", "Backdoor:ASP\/CmdAsp.37", []],
       			[38, 1458883265, "Open base dir: \\$hopenbasedir", "A backdoor known as Crystal_shell", "both", 0, "Backdoor", "Backdoor:PHP\/Crystal_shell.38", []],
       			[48, 1458883265, "WebShell::Configuration", "Backdoor used to remotely control a server", "both", 0, "Backdoor", "Backdoor:PL\/gammawebshell.48", []],
       			[52, 1458883265, "open\\(FILEHANDLE,\\s*['\"]cd\\s+\\$param\\{dir\\}", "A backdoor known as go-shell", "both", 0, "Backdoor", "Backdoor:PL\/go-shell.52", []],
       			[54, 1458883265, "\\$cmd 1> \\\/tmp\\\/cmdtemp 2>\\&1\\; cat", "A backdoor known as h4ntu", "both", 0, "Backdoor", "Backdoor:PHP\/h4ntu.54", []],
       			[57, 1458883265, "proc\\s*=\\s*runtime\\.exec\\(\\s*cmd\\s*\\)", "A backdoor known as JSP_Web_Shell", "both", 0, "Backdoor", "Backdoor:PHP\/JSP_Web_Shell.57", []],
       			[59, 1458883265, "if\\(\\(\\$_POST\\['exe'\\]\\) == \"Execute\"", "Backdoor used to remotely control a server", "both", 0, "Backdoor", "Backdoor:PHP\/lamashell.59", []],
       			[60, 1458883265, "cat \\\/etc\\\/passwd", "Theft of server password information. Also sometimes seen in a backdoor known as Liz0ziM", "both", 0, "Backdoor", "Backdoor:SH\/passwdaccess.60", []],
       			[64, 1458883265, "if[\\x00-\\x1f\\s]*\\(isset[\\x00-\\x1f\\s]*\\(\\$_POST\\)\\)[\\x00-\\x1f\\s]*walkArray\\([\\x00-\\x1f\\s]*\\$_POST", "A backdoor known as MPP.B", "both", 0, "Backdoor", "Backdoor:PHP\/MPP.B.64", []],
       			[65, 1458883265, "define\\(\\s*[\"']PHPSHELL_VERSION['\"]\\s*,\\s*['\"]\\d+", "Code seen in various shells, especially a backdoor known as Matamu", "both", 0, "Backdoor", "Backdoor:PHP\/generic_shell.65", []],
       			[67, 1458883265, "\\$MyShellVersion", "A backdoor known as MShell", "both", 0, "Backdoor", "Backdoor:PHP\/MShell.67", []],
       			[68, 1458883265, "function viewSchema", "A backdoor known as Mysql_interface", "both", 0, "Backdoor", "Backdoor:PHP\/Mysql_interface.68", []],
       			[69, 1458883265, "global \\$HTTP_GET_VARS, \\$HTTP_COOKIE_VARS, \\$password", "A backdoor known as mysql_tool", "both", 0, "Backdoor", "Backdoor:PHP\/mysql_tool.69", []],
       			[70, 1458883265, "\\$file[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*['\"]\\\/etc\\\/passwd['\"];", "A backdoor known as mysql_reaper", "both", 0, "Backdoor", "Backdoor:PHP\/mysql_reaper.70", []],
       			[72, 1458883265, "passthru\\s*\\(\\s*getenv\\s*\\(\\s*\"HTTP_ACCEPT_LANGUAGE", "A backdoor known as passthru_bd", "both", 0, "Backdoor", "Backdoor:PHP\/passthru_bd.72", []],
       			[79, 1458883265, "function mvcp\\(\\$from", "A backdoor known as Webcommander", "both", 0, "Backdoor", "Backdoor:PHP\/Webcommander.79", []],
       			[82, 1458883265, "find \\\/ \\-type f \\-perm \\-04000", "A backdoor known as nsTView", "both", 0, "Backdoor", "Backdoor:PHP\/nsTView.82", []],
       			[83, 1458883265, "runcommand\\s*\\(['\"]etcpasswdfile", "A backdoor known as Ajax_PHP_Command_Shell", "both", 0, "Backdoor", "Backdoor:PHP\/Ajax_PHP_Command_Shell.83", []],
       			[95, 1458883265, "str_rot13\\([^\\r\\n<]+eval\\(", "A suspicious code known as rot13_of_eval", "both", 0, "Suspicious", "Suspicious:PHP\/rot13_of_eval.95", [2]],
       			[109, 1458883265, "\\$[a-z0-9]{5,20}=\"(?:\\\\[x0-9][a-f0-9]{1,3})+\"\\;\\@eval\\(\\$[0-9a-z]+\\(", "A backdoor known as FOPO.A", "both", 0, "Backdoor", "Backdoor:PHP\/FOPO.A.109", [2]],
       			[110, 1458883265, "\\\\x65\\\\x76\\\\x61\\\\x6C\\\\x28", "A backdoor known as 561C", "both", 0, "Backdoor", "Backdoor:PHP\/561C.110", []],
       			[117, 1458883265, "include\\([\\\"'][a-zA-Z0-9\\-\\\/\\_\\~]*social\\.png['\\\"]", "Backdoor known as CryptoPHP", "both", 0, "Backdoor", "Backdoor:PHP\/CryptoPHP_shell.117", [3]],
       			[122, 1458883265, "edoced_46esab\\(", "A backdoor known as t5194", "both", 0, "Backdoor", "Backdoor:PHP\/t5194.122", []],
       			[127, 1475771749, "datesfinder\\w+\\.ru", "A spam link known as datesfinder", "both", 0, "Spam", "Spam:HTML\/datesfinder.127", [4]],
       			[133, 1475771749, "<\\?php[\\x00-\\x1f\\s]*if[\\x00-\\x1f\\s]*\\([\\x00-\\x1f\\s]*\\$mode[\\x00-\\x1f\\s]*==[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*upload[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\)[\\x00-\\x1f\\s]*\\{[\\x00-\\x1f\\s]*if[\\x00-\\x1f\\s]*\\([\\x00-\\x1f\\s]*is_uploaded_file[\\x00-\\x1f\\s]*\\([\\x00-\\x1f\\s]*\\$_FILES[\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*filename[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*tmp_name[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\)[\\x00-\\x1f\\s]*\\)[\\x00-\\x1f\\s]*\\{[\\x00-\\x1f\\s]*move_uploaded_file[\\x00-\\x1f\\s]*\\([\\x00-\\x1f\\s]*\\$_FILES[\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*filename[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*tmp_name[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*,[\\x00-\\x1f\\s]*\\$_FILES[\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*filename[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*name[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\)[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*echo[\\x00-\\x1f\\s]*\\$_FILES[\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*filename[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*name[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*;", "A malicious file uploader known as basic_uploader", "server", 0, "Backdoor", "Backdoor:PHP\/basic_uploader.133", [0]],
       			[135, 1475285337, "\\$\\w+[\\x00-\\x1f\\s]*?=[\\x00-\\x1f\\s]*?['\"][\\x00-\\x1f\\s]*?[\\w\\\/+=]{500,}?[\\x00-\\x1f\\s]*?['\"][\\x00-\\x1f\\s]*?;[\\x00-\\x1f\\s]*?echo[\\x00-\\x1f\\s]*?base64_decode[\\x00-\\x1f\\s]*?\\([\\x00-\\x1f\\s]*?\\$\\w+[\\x00-\\x1f\\s]*?\\)[\\x00-\\x1f\\s]*?;", "A backdoor known as PGRpd", "server", 0, "Backdoor", "Backdoor:PHP\/PGRpd.135", [5]],
       			[137, 1475771749, "my[\\x00-\\x1f\\s]*\\$\\w+[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\\/usr\\\/sbin\\\/httpd[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG[\\x00-\\x1f\\s]*{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*INT[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*IGNORE[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*HUP[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*IGNORE[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*TERM[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"IGNORE\"[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*CHLD[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*IGNORE[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*PS[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*IGNORE[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*;", "A backdoor known as processo", "server", 0, "Backdoor", "Backdoor:PL\/processo.137", []],
       			[138, 1476460013, "<\\?php[\\x00-\\x1f\\s]*?\\$\\w+[\\x00-\\x1f\\s]*?=[\\x00-\\x1f\\s]*?<<", "A malicious file uploader known as a1777", "server", 0, "Backdoor", "Backdoor:PHP\/a1777.163", [1]],
       			[164, 1475771749, "echo[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*
       ```
   
 * This is where it cuts off.
 * Is there anything I can do to make the server return the full pattern so I can
   continue scanning the site?
 * Cheers
 * Ste

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/api-actionget_pattern-not-returning-full-list/#post-16076102)
 * Hi [@stegough](https://wordpress.org/support/users/stegough/), thanks for reaching
   out to us.
 * On some environments such as Litespeed `noabort` code needs to be added to stop
   communication stopping abruptly in this way, usually during scans: [https://www.wordfence.com/help/advanced/system-requirements/litespeed/](https://www.wordfence.com/help/advanced/system-requirements/litespeed/)
 * If that doesn’t help as you’re not running on Litespeed, can you send a diagnostic
   report to **wftest @ wordfence . com**? You can find the link to do so at the
   top of the **Wordfence > Tools > Diagnostics** page. Then click on **“Send Report
   by Email”**. Please add your forum username where indicated and _respond here
   after you have sent it._
 * **NOTE:** It should look as follows – Screenshot of [Tools > Diagnostic > Send by Email](https://www.wordfence.com/wp-content/uploads/2021/09/diagnosticsendbyemail.png)
 * Thanks,
 * Peter.
 *  Thread Starter [stegough](https://wordpress.org/support/users/stegough/)
 * (@stegough)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/api-actionget_pattern-not-returning-full-list/#post-16078140)
 * Thanks, I’ve submitted this report.
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/api-actionget_pattern-not-returning-full-list/#post-16088252)
 * Hi [@stegough](https://wordpress.org/support/users/stegough/),
 * I’ve not received the diagnostic with your username attached to our inbox. The
   Wordfence diagnostic can be exported as a txt file on the **Wordfence > Tools
   > Diagnostics** page, which could be sent directly to the **wftest @ wordfence.
   com** email address from your personal/work email. _Remember to put your forum
   username in the email’s subject line and let me know here you’ve sent it so I
   can try finding it there instead and I’ll take a look._
 * Thanks,
 * Peter.
 *  Thread Starter [stegough](https://wordpress.org/support/users/stegough/)
 * (@stegough)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/api-actionget_pattern-not-returning-full-list/#post-16088586)
 * Thanks Peter, I have exported and responded.
   Subject: SteGough [@stegough](https://wordpress.org/support/users/stegough/) – Forum Response
 * Cheers
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/api-actionget_pattern-not-returning-full-list/#post-16091992)
 * Thanks for sending that over [@stegough](https://wordpress.org/support/users/stegough/),
 * Naturally, I can’t reach your domain myself but the site not having a public 
   DNS server doesn’t seem to be an issue with communication in and out, so I assume
   it’s mapped locally for testing.
 * It seems like the site can reach itself, along with our noc1 server as any scan
   signatures at all being obtained shows this. The cut off patterns may just be
   a limit on how the output is being logged. There is a chance that there’s a transparent
   proxy or a firewall breaking the response, but that would be quite unusual.
 * I’d enable PHP error logging with `WP_DEBUG` and `WP_DEBUG_LOG`, then try to 
   run a scan again. Send us the whole scan log and error logs to the email you 
   sent the diagnostics to (again, with your username in the subject line – telling
   us here if/when you have) should anything end up in there.
 * Thanks,
 * Peter.
 *  Thread Starter [stegough](https://wordpress.org/support/users/stegough/)
 * (@stegough)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/api-actionget_pattern-not-returning-full-list/#post-16109640)
 * Hi Peter,
 * Apologies for the delay on this.
 * In light of being able to scan thoroughly with this tool we took the approach
   of building the development site again from scratch on a new server – we would
   however like the site to be protected by Wordfence, so on a new install, on a
   new server (within the same host) we tried to set up Wordfence as a plugin on
   the new install (the reason the domain was not accessible to you is that it’s
   a placeholder, but the development is available via an IP Address/subfolder).
 * We have run into exactly the same issue on a new install, new address, new IP.
 * The tool runs to the point it gets patterns, and then returns up to halfway through
   the 39th line – this is viewing the URL reported by diagnostics including the
   API key for get_patterns action.
   This JSON returning malformed leads me to believe
   this is where the error lies. Not being able to return the full patterns via 
   a browser makes me think there is an issue with the service returning this. Using
   a new development and providing a new API key makes me wonder if there’s an underlying
   issue within the system on your end that is providing the patterns.
 * I’d like to provide the link here for you to test the API Key / Security but 
   that seems counterintuitive from a security of the site standpoint.
 * Is there anything going on from your end to stop the patterns being returned 
   fully? Is there something that would stop me from viewing the URL and getting
   the entire pattern returned in the browser?
 * Look forward to your response.
 * Kind Regards,
 * Ste
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/api-actionget_pattern-not-returning-full-list/#post-16200433)
 * Hi [@stegough](https://wordpress.org/support/users/stegough/),
 * I was informed by our development team that the cutoff is likely to be an output
   issue when logging rather than where the communication actually stops. We say
   this as there would be a huge influx of this if our entire customer-base was 
   affected by broken rules. It is interesting that it’s happened with a second 
   site installation attempt, but some settings or the environment itself could 
   be closely configured to the first.
 * If you can include your username in the subject line of an email (for ease of
   finding) to **wftest @ wordfence . com**, you can send us the sensitive information
   that you think is relevant there. Make sure to remove any keys/salts/credentials
   from anything you do send.
 * Thanks again,
 * Peter.
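
An added example, not part of the thread and not Wordfence code: one way to separate the two explanations discussed above (a response cut in transit versus a cutoff in how the output is displayed or logged) is to save the raw response body and check it directly. The function name and the sample rules are constructed for illustration; only the rule shape (`[id, timestamp, pattern, description, ...]` under a `rules` key) follows the output quoted in the first post.

```python
import json

def diagnose_rules_body(body, declared_length=None):
    """Report whether a saved rules response is complete and, if not, where it was cut."""
    text = body.decode("utf-8", errors="replace")
    report = {
        "received_bytes": len(body),
        "declared_bytes": declared_length,  # Content-Length header, if the server sent one
        "short_read": declared_length is not None and len(body) < declared_length,
        "valid_json": False,
        "complete_rules": 0,
        "last_complete_rule_id": None,
        "cut_offset": None,  # character offset of the first incomplete rule
    }
    try:
        rules = json.loads(text)["rules"]
        report.update(valid_json=True, complete_rules=len(rules),
                      last_complete_rule_id=rules[-1][0] if rules else None)
        return report
    except (ValueError, KeyError, TypeError, IndexError):
        pass  # not a complete document: salvage rule by rule below
    key = text.find('"rules"')
    start = text.find("[", key) if key != -1 else -1
    if start == -1:
        report["cut_offset"] = 0  # cut before the rules array even opened
        return report
    decoder, pos = json.JSONDecoder(), start + 1
    while True:
        while pos < len(text) and text[pos] in " \t\r\n,":
            pos += 1  # skip separators between array elements
        if pos >= len(text) or text[pos] == "]":
            break
        try:
            rule, pos = decoder.raw_decode(text, pos)
        except ValueError:
            break  # this element is the one that was cut
        report["complete_rules"] += 1
        if isinstance(rule, list) and rule:
            report["last_complete_rule_id"] = rule[0]
    report["cut_offset"] = pos
    return report

# Constructed sample in the shape quoted in the thread; the patterns are placeholders.
SAMPLE = {"rules": [
    [1, 1458883265, "constructed_pattern_a", "Constructed rule A", "both", 0, "Suspicious", "Sample:A.1", []],
    [2, 1458883265, "constructed_pattern_b", "Constructed rule B", "both", 0, "Suspicious", "Sample:B.2", []],
    [3, 1458883265, "constructed_pattern_c", "Constructed rule C", "server", 0, "Suspicious", "Sample:C.3", []],
]}
FULL = json.dumps(SAMPLE).encode()
CUT = FULL[:FULL.find(b"constructed_pattern_c") + 10]  # simulate a cut mid-pattern
if __name__ == "__main__":
    print(diagnose_rules_body(FULL, len(FULL)))
    print(diagnose_rules_body(CUT, len(FULL)))
```

Run it on the raw bytes saved from the request rather than on text copied from a log or browser view: a body that parses completely means the cutoff is in the display, while `short_read` with an incomplete rule means fewer bytes arrived than the server declared.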

The topic ‘API action=get_pattern not returning full list’ is closed to new replies.

 * 7 replies
 * 2 participants
 * Last reply from: [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * Last activity: [3 years, 6 months ago](https://wordpress.org/support/topic/api-actionget_pattern-not-returning-full-list/#post-16200433)
 * Status: resolved