MScan – Troubleshooting, questions, problems and code posting

Home Forums BulletProof Security Pro MScan – Troubleshooting, questions, problems and code posting

Viewing 15 posts - 31 through 45 (of 64 total)
  • Author
    Posts
  • #37106
    Henrik
    Participant

    I’m having problems running it and can se its making af PHP error when using the download_url() function in wordpress. php 7.3:

    [20-Apr-2019 17:10:28 UTC] PHP Fatal error: Uncaught Error: Call to undefined function download_url() in /home/madkalen/public_html/wp-content/plugins/bulletproof-security/includes/mscan-ajax-functions.php:650
    Stack trace:
    #0 /home/madkalen/public_html/wp-content/plugins/bulletproof-security/includes/mscan-ajax-functions.php(129): bpsPro_wp_zip_download('300')
    #1 /home/madkalen/public_html/wp-includes/class-wp-hook.php(286): bpsPro_scheduled_mscan_scan()
    #2 /home/madkalen/public_html/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters('', Array)
    #3 /home/madkalen/public_html/wp-includes/plugin.php(531): WP_Hook->do_action(Array)
    #4 /home/madkalen/public_html/wp-cron.php(133): do_action_ref_array('bpsPro_MScan_ch...', Array)
    #5 {main}
    thrown in /home/madkalen/public_html/wp-content/plugins/bulletproof-security/includes/mscan-ajax-functions.php on line 650

    And the scan log ending with DOWNLOAD:
    —-
    [MScan Scan Start: 20. april 2019 19:10]
    Scan Time Calculation: Start Count total files to scan.
    Scan Time Calculation: Max File Size Limit to Scan: 400 KB
    Scan Time Calculation: Total Website Files: 18663
    Scan Time Calculation: Total Skipped Files (larger than 400 KB): 12
    Scan Time Calculation: Total WP Core Files to Scan: 1494
    Scan Time Calculation: Total non-Image Files to Scan: 2956
    Scan Time Calculation: Total Image Files to Scan: 0
    Scan Time Calculation: Total Files to Scan (WP Core + non-Image + Image): 4450
    Scan Time Calculation: Hosting Account Root Folders to Scan: wp-admin, wp-content, wp-includes
    Scan Time Calculation: WP Hash Time Estimate: +30 Seconds
    Scan Time Calculation: WP Core Files Time Estimate: +4 Seconds
    Scan Time Calculation: non-Image Files Time Estimate: +109 Seconds
    Scan Time Calculation: Image Files Time Estimate: +0 Seconds
    Scan Time Calculation: DB Size Time Estimate: +8 Seconds
    Scan Time Calculation: Scan Time Estimate: 151 Seconds
    Scan Time Calculation Completion Time: 00:00:15
    WP Zip File Download: Start wordpress-5.1.1.zip zip file download.

    Why is downloading failing?

    #37108
    AITpro Admin
    Keymaster

    The problem appears to be that WordPress is not loading in time for the download_url() function to be seen as defined in the BPS mscan-ajax-functions.php file. This problem is specific to your host server/website.

    The download_url() function is a standard built-in WordPress function and is defined in WordPress itself when WordPress loads > https://developer.wordpress.org/reference/functions/download_url/

    Do you have a standard/normal installation of WordPress? Are you using WP CLI or ClassicPress or something else that is different than a standard/normal installation of WordPress? Are you caching WordPress at the server level with a server caching mechanism? Are you using a Load Balancer/Proxy?

    #37109
    Henrik
    Participant

    It’s a standard installation but running Litespeed cache.

    #37110
    AITpro Admin
    Keymaster

    This is a similar issue, but not the exact issue you are having > https://wordpress.stackexchange.com/questions/17805/php-fatal-error-call-to-undefined-function-download-url. The similarity is that the same PHP error is occurring. What is not similar is that since wp-load.php and admin.php should already be loaded an “include” is not needed since the BPS plugin file is an internal script that is processed after WordPress loads and is not an external script that requires including the WordPress “loading” files.

    The only logical things I can think of is something is interfering with either the BPS MScan include file or something about your WordPress installation is different/unusual or you there is something fubar about your host server. Check with your web host support folks and see if they know why this is happening on your server. Or maybe they can shed some more clues about what is different about your host server that could cause this type of problem.

    #37183
    Jeff
    Participant

    Hi,

    Having exactly the same problem.

    MScan – Time Estimation never ends.

    In the heads up at the top of the screen there is a question mark symbol next to MSCAN. Says ‘MSCAN has not been run yet.’

    When I go to Mscan page and click on ‘Scan Time Estimate Tool’ the progress bar never ends, nor does a scan. I have refreshed the page many time to check.

    I have limited the folders down to 1 wp-includes which is tiny. Default settings otherwise. Same problem.

    I am getting a log – seems to stop where it’s fetching wordpress core files.

    [MScan Scan Start: May 2, 2019 8:32 pm]
    Scan Time Calculation: Start Count total files to scan.
    Scan Time Calculation: Max File Size Limit to Scan: 400 KB
    Scan Time Calculation: Total Website Files: 976
    Scan Time Calculation: Total Skipped Files (larger than 400 KB): 0
    Scan Time Calculation: Total WP Core Files to Scan: 971
    Scan Time Calculation: Total non-Image Files to Scan: 4
    Scan Time Calculation: Total Image Files to Scan: 0
    Scan Time Calculation: Total Files to Scan (WP Core + non-Image + Image): 975
    Scan Time Calculation: Hosting Account Root Folders to Scan: wp-includes
    Scan Time Calculation: WP Hash Time Estimate: +30 Seconds
    Scan Time Calculation: WP Core Files Time Estimate: +2 Seconds
    Scan Time Calculation: non-Image Files Time Estimate: +0 Seconds
    Scan Time Calculation: Image Files Time Estimate: +0 Seconds
    Scan Time Calculation: DB Size Time Estimate: +1 Seconds
    Scan Time Calculation: Scan Time Estimate: 33 Seconds
    Scan Time Calculation Completion Time: 00:00:00
    WP Zip File Download: Start wordpress-5.1.1.zip zip file download.

    Then it stops.

    Was any solution found?

    #37184
    AITpro Admin
    Keymaster

    @ Jeff – BPS 3.4 and BPS Pro 13.9 have the new code that gets the zip file download from wordpress.org.  So the BPS/BPS Pro zip download code itself cannot be the problem.  If you tried to use MScan in the last version of BPS or BPS Pro and the allow_url_fopen php.ini directive is disabled on your host server then a blank zip file will be here:  /wp-content/bps-backup/wp-hashes/.  Delete any zip files that you see in the /wp-hashes/ folder.  If that is not the problem then something else is preventing the zip file download on your website/server.  Could be something like you are out of hosting disk space or something else on your host server that does not allow zip files or zip file downloads.

    #37185
    Jeff
    Participant

    OK,

    I can confirm that allow_url_fopen is on in php.ini.

    Looking in the /wp-content/bps-backup/wp-hashes/ folder, I have 1 file ‘wp-hashes.php’.  This file contains a hash entry for each core file.  eg.

    <?php
    // WordPress 5.1.1 Hashes
    $wp_hashes = array(
    'wp-trackback.php' => 'd74b02cd709360ef78dc226cdbabce91',
    'wp-blog-header.php' => 'f3f43bcb755e7599abfd0cb56b710e81',
    'wp-settings.php' => '140b1e301fb4b33674ed035c000b032a',
    'readme.html' => '8bab7518f58bde0cb9eaee02872d8a3f',
    'license.txt' => '40fc2f39d472a1bb52f4ebe59702e0c2',
    'xmlrpc.php' => 'ec0319c65e8096c460fe78feee8b2288',
    'wp-activate.php' => '5c88f9b1e75f5db710c2dcfcdeab1d24',
    'wp-config-sample.php' => '3e42b983e0b6999d40027bada5f512e7',
    'wp-cron.php' => '0f31e7fef84445fe4f4bf7c092ec6c10',
    'wp-links-opml.php' => 'e5afa38ed5c796d43f301825975ab547',
    'index.php' => 'b9142a5f513a565bcb15430f4982000e',
    'wp-load.php' => 'b133347f6df56277b32a5405153bacb4',
    'wp-comments-post.php' => '4a98c020baeb9e82f5f577e737234f56',
    'wp-login.php' => 'ffe0a663423dad2484f6d6130c1b6cdd',
    'wp-signup.php' => 'b7deb3dbd61d082b99db157ae02a5280',
    'wp-mail.php' => 'c25ef6fbf40fbc76be342d490c0e874b',
    'wp-content/plugins/akismet/readme.txt' => 'f81aaacfc6db44deb73023bda30bd0ea',
    'wp-content/plugins/akismet/_inc/form.js' => '270f0cd7341bce6c2afacf2682e7690e',
    ...
    

    That’s the only file – no WP zip file.

    I’ll check with the hosting provider in regards to download of zip files.

    Thanks.

    #37186
    AITpro Admin
    Keymaster

    @ Jeff – MScan is just a malware scanner.  Is there a particular reason you want to use MScan?  BPS Pro comes with AutoRestore|Quarantine, which is far superior than any malware scanners > https://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/.

    Actually it looks like the zip file was successfully downloaded, extracted and the new wp-hashes.php file was successfully created for WordPress 5.1.1. The WP version indicator text in the wp-hashes.php file is > WordPress 5.1.1 Hashes.

    If you want I can login to this site and see if I can figure out the problem, but if the problem has to do with something on your host server then I would need to see host server log entries to figure out what the problem might be.

    #37187
    Jeff
    Participant

    OK.  That’s good news.

    The site was previously hacked.  I replaced all core files manually and did manual checking, but thought it good to pass it through MSCAN too just to check if I’d missed anything.

    Latest news

    MSCAN is working.  I’ve updated the settings to scan all site root folders and not just wp-includes.  Will see how it goes.

    Thanks.

    #39598
    BHA
    Participant

    The “bulk” Ignore checkbox doesn’t seem to be working. I have a lot of stuff showing up in there from the WP installs and CMS’s I have. Is there some way to either reset the Mscan DB to zero and start from scratch? Or maybe have some CLI way to mark them all as ignore?

    #39600
    AITpro Admin
    Keymaster

    @ BHA – To reset MScan click the Delete Scan Status Tool button and the Delete DB Scan Data Tool button.

    Delete Scan Status Tool
    This tool allows you to delete all of the MScan Status option values. The Scan Completed timestamp, Total Scan Time, Total Files Scanned, Skipped Files, Suspicious Files and Suspicious DB Entries status values will be deleted and will either display blank or 0.

    Delete DB Scan Data Tool
    This tool allows you to delete/reset all of the database scan data in the View|Ignore|Delete Suspicious Files and View|Ignore Suspicious DB Entries Forms. Note: Any/all changes you have made and saved in these Forms will be deleted. You may want to use BPS DB Backup and do a database backup before using this tool.

    #39981
    Living Miracles
    Participant

    Hello,

    We were testing out MScan on a few different websites earlier today for the first time in a few years and there are a couple of things that we would initially like to ask about from what we noticed:

    • When we used the “Scan Time Estimate Tool” on those sites before actually doing a scan, we got the following result for one of the sites (the other sites had similar results): Total Scan Time: 00:02:54 : Total Files Scanned: 6027. But when we actually ran the scan on those sites afterward for the first time, we got the following result for the same site (again the other sites had similar results): Total Scan Time: 00:00:10 : Total Files Scanned: 6027. Does the incredible speed at which it completed the scan compared to the estimate make sense? As far as I can tell from the MScan Log, it successfully completed the scan on each site. It is great if it’s supposed to go this fast but I just want to make sure I didn’t miss anything and that nothing is wrong with it. I read through everything in the “Read Me” button on the MScan page and the MScan Malware Scanner Guide.
    • You had previously mentioned to us that “Most likely all of the suspicious code detected by MScan are false positives” and “It is very unlikely that any suspicious code detected in any plugin files is actually malicious code. So you can ignore all of those files.” However, we would ideally like to be extra cautious but efficient in making sure that the many suspicious files and DB entries the MScan caught on these sites and will catch in the future are indeed false positives. We’re not that experienced with looking at this, so is there an easy and quick way that you can share with us on how to confidently determine what are actually harmful files or malicious code (in files and database entries)?
      • At least for files that MScan finds to be suspicious, if we bulk downloaded the files to our computer and, for example, scanned them with a security application on our computer (e.g., Malwarebytes) or uploaded them to virustotal.com, would that be good enough to see if they’re malicious (and should be deleted) or benign (and should be ignored)? Or is the best way really to post all the results here every time? We are thinking about using a daily MScan on our 40+ WordPress sites, in addition to of course continuing to use BPS Pro ARQ IDPS, so this will probably be a lot of forum post replies…

    Getting answers to these questions will lead to the next questions I want to ask after you respond. Thank you for your time!

    #39984
    AITpro Admin
    Keymaster

    @ Living Miracles – I am currently doing a complete rebuild of MScan, which is about 40% completed.  The new MScan rebuild, which will be in BPS Pro 15.3, will achieve these things:  Completely user friendly, very simple and easy to use, will be very accurate with a minimum number of false positives (ie 1-5 max vs 100’s), etc., etc., etc.

    Originally I added MScan as a gimmick since most people believe website malware scanners are a good website security tool.  So I did not put a whole lot of effort into MScan since I already had created something far superior to MScan or any/all other malware scanners >>> BPS Pro AutoRestore|Quarantine (ARQ IDPS) many years prior to adding MScan.

    So anyway I decided to make MScan useful instead of painful to use.  It will actually be a beneficial tool in other words.  So at this point do not use/test MScan until it is rebuilt in BPS Pro 15.3.  And of course since BPS Pro comes with ARQ IDPS then the only time you would want to use MScan is occasionally to check a website/hosting account or when cleaning up a known or suspected hacked website/hosting account.  ARQ IDPS is of course far superior to any/all malware scanners.  So in the end MScan may be renamed to something like:  MScan Hack Cleanup tool.  😉

    #39986
    Living Miracles
    Participant

    That’s amazing to hear and great timing for us! We’re really appreciating all the helpful improvements you’re making to this already great security plugin. 🙏🏼

    That being said, I still feel it would be helpful to ask the follow-up questions we had in mind. For our WordPress sites hosted on our SiteGround Cloud server, we’ve always purchased and used their SG SiteScanner service in addition to having and using the BPS Pro plugin on each site. This service from SiteGround is powered by Sucuri and performs comprehensive daily scans to detect domain blacklisting and malware, and they state that their “malware database is constantly updated, enabling the SiteScanner to detect even the latest threats.” However, now that we’ve rediscovered MScan within BPS Pro and SG SiteScanner is getting more expensive for us as it is per site and we keep making more WordPress sites, we’re considering discontinuing all our SG SiteScanner services.

    You’ve stated that “MScan is a very sensitive scanner that will detect hacker’s code and files that other WordPress malware scanners will not detect” and that ARQ IDPS is “much more advanced, automated and superior to all/any malware scanners including MScan” since it is “a real-time security prevention feature that automatically autorestores files that have been tampered with and quarantines any malicious files that are uploaded to a website.” As I mentioned before, we like to be extra cautious with our security, so it feels supportive to us to be running some sort of daily malware scan as an additional security measure.

    So with that, here are the follow-up questions we want to ask at this point:

    • Can you tell us if there is anything that SG SiteScanner offers that MScan can’t/doesn’t which would be essential for us not to lose? Or can you confirm that <b>MScan</b>, and of course ARQ IDPS, has everything we essentially need for the ongoing security/protection of our WordPress sites?
    • There is one feature that SG SiteScanner offers that I believe MScan doesn’t, which is that it checks for domain blacklisting during its daily scans. Can you confirm whether we need this security feature? Whether we truly need this feature or not ultimately, is this something that you would be able and willing to add to the MScan tool?
    • Is there any ETA at this point on the release of BPS Pro version 15.3, which will include the new MScan rebuild?

    Thank you and looking forward to your response!

    #39987
    AITpro Admin
    Keymaster

    ARQ IDPS is not a malware scanner.  It is basically a file monitor on steroids.  MScan currently automatically downloads the WordPress zip file for whatever WP version you have installed, unzips the zip file, creates a new file with the hashes for that WP version and then uses those WP file hashes to compare to your live site WP file hashes.  For everything else I was doing the typical defunct malware scanning of all other files using pattern matching (yeah old school defunct) for known hacker code patterns.  The problem with using that archaic and defunct pattern matching method is that hacker’s are constantly changing (obfuscating) known hacker code to hide it from being detected by any malware scanners.  This is kiddy stuff that any amateur hacker can do.  Long story short – scanning using the conventional malware scanning methods is archaic and defunct.

    So what I am doing in the MScan rebuild is doing the same thing that I was already doing with WP files.  ie download all plugin and theme zip files, unzip them, create file hashes and use those hashes to compare against your live plugin and theme files.  That may sound resource intensive or that it would take a lot of time to do.  Not so.  You can download 100 plugins simultaneously, unzip them and create hash files in under 30 seconds.

    Since you have ARQ IDPS you don’t need an additional scanner at all including MScan.  If any of your files are changed then they will be autorestored and quarantined by ARQ IDPS.

    MScan does not offer a blacklisting website check and honestly I would never consider adding anything like that.  You would have to be really out of touch with your website to need something like that.  Ie if you create set and forget websites that you are rarely ever going to access then yeah a blacklisting website checking feature would be useful.

    ETA on BPS Pro 15.3 release is anywhere between 14 – 28 days from now.

Viewing 15 posts - 31 through 45 (of 64 total)
  • You must be logged in to reply to this topic.