Hi,
You can try enabling these scan options on the Wordfence options page and do another scan:
Scan files outside your WordPress installation
Scan image files as if they were executable
Enable HIGH SENSITIVITY scanning. May give false positives.
Thread Starter
Serva
(@serva)
May I say it’s great to get feed back quickly, thank you so much.
I have set these up and they are scanning as I type. I will be back with results.
But thank you once again. D
OK, let me know what you see.
Regards,
Mark.
Thread Starter
Serva
(@serva)
Hi Mark
Nothing yet although it’s still working on:
[Feb 19 06:51:14] Comparing core WordPress files against originals in repository
and
[Feb 19 06:51:14] Scanning for known malware files
It says:
[Feb 19 06:51:12] Fetching core, theme and plugin file signatures from Wordfence Success.
and
[Feb 19 06:51:13] Fetching list of known malware files from Wordfence Success.
So we’re just waiting, lol
Thanks D
Hi,
The scans should happen fairly quickly, you shouldn’t have to wait. Sounds like it may have hung. You can try changing the max execution time at the bottom of Wordfence options page to 10, save and kill the scan and start again.
Regards,
Mark.
Thread Starter
Serva
(@serva)
Hi Mark
Thanks for your post, I have been in a meeting and have just made the changes and set the scan in motion again now. Fingers crossed.
Thanks again D
Thread Starter
Serva
(@serva)
Hi Mark
Help please, it still isn’t giving the info, it must ba hanging as you said, all day, all night and still nothing. Are there some other settings I can do?
Thanks again D
Hi,
Did you resolve this? This looks identical to my issue: I have Wordfence installed and it picked up nothing. I am currently running a check on
- image files as executable,
- public facing site vulnerabilities
- files outside the installation, and
- high sensitivity.
Further info – the rogue code will not be apparent by looking at your on website’s code in the browser (via View Page Source), it can only be seen by something like a ‘Fetch as Google’ from the Google Webmasters Tools. The code seems to add in snippets. Here is a section of the load:
{...} <style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style>
<div id="5e7hni"><!--googleoff: snippet-->Players interested in playing lottery sort of games should visit <a href="http://robertocavalliblog.com/?p=best-online-casinos" title="best online casinos">best online casinos</a> to
[..]
<!--googleon: snippet-->
`
The scan is going slowly for me also. Will let you know if anything is reported with these WF config settings.
C
Check your website error log. It will probably show why your scans aren’t completing.
Regards,
Mark.
Hi,
The scan – without ‘scan images’ option enabled – completes in a few minutes.
The scan now running (with scan images) has taken an hour so far and appears to have slowed to a stop. The error logs don’t show any problem today. Last Detailed Activity is:
[Feb 23 11:40:48] Scanned contents of 3564 additional files at 3.66 per second
[Feb 23 11:40:56] Scanned contents of 3570 additional files at 3.63 per second
My host’s memory config check is:
--Starting test--
Current maximum memory configured in php.ini: 256M
Current memory usage: 44.75M
Setting max memory to 90M.
Starting memory benchmark. Seeing an error after this line is not unusual. Read the error carefully
to determine how much memory your host allows. We have requested 90 megabytes.
Completing test after benchmarking up to 80.25 megabytes.
--Test complete.--
C
It eventually completed, on a third try and… I found the rogue code residing in a PNG file!
The slowdown/stop of Wordfence is a separate issue, I guess. But in the meantime, well done Wordfence!
Thread Starter
Serva
(@serva)
Hi Guys
I’m still not getting anywhere here, the scans don’t finish so I don’t get any way to fix it and the I’ve got some unhappy people looking at the site using google that see this. Please any suggestions D
I am spam-free now, but my scan is back to not completing again IF I have the ‘scan images as executable’ option checked.
If it’s the same strain of issue as mine — and you are a little technically minded — you could check your plugins folder for an image file (JPG or PNG) whose contents include the string ‘PHP’. Another indicator of the issue could be deemed by downloading the image files from your install. The rogue file may not have a thumbnail preview in your Windows Explorer.
Also though, the wp_options table in your WordPress database will contain a key called “WP_OPTION_KEY” with the option_value field of that record containing a ‘data {…..} entry. That should be deleted.
Backup the database first.
Again, Wordfence DID get it eventually on the attempt where the image scan enabled scan completed. I had to look through the code of the rogue PNG file to find out that it had added entries to the WordPress db. WF did not remove that db entry.
To the author: does the image scan option cause higher memory use than other scan options?
C
Additional info:
This affected image file will be called in an include statement by one of your PHP files (again odds-on it will be in the plugins folder). The call will look like:
<?php include ('img/theroguefile.png'); ?>
and will probably have been added on to the end of an existing PHP file. Again, if you search your installation PHP files for the filename string of the infected image file you found, you’ll locate this file more quickly.
—
With no other malware plugin appearing to detect this, my next action if I hadn’t have resolved this would have been to delete my site and do a complete reinstall.
C
Only replying to Serve because this is their thread to avoid confusion. Please see the note at the top of the forums.
Serva can you tell me where your scans stop?
Thanks.
