Security log email alerts every hour

[Jaiji]

Since 2am UK time I’ve started receiving security log emails every hour, each approx 50kb, no particularly unusual entries, no massive increases.

Since around the same time there’s a repeated PHP error (16 instances):

[04-Apr-2018 13:22:49 UTC] PHP Warning: copy(/home/xxxxxxxx/public_html/wp-content/plugins/bulletproof-security/admin/htaccess/http_error_log.txt): failed to open stream: No such file or directory in /home/xxxxxxxx/public_html/wp-content/plugins/bulletproof-security/includes/zip-email-cron-functions.php on line 331

I’ve had a hunt here and can’t find anything related. The only recent change on the site was a WP core auto-update late yesterday. I’ve reset the BPS cron jobs and run the Setup Wizard but it’s still happening. Any ideas?

[AITpro Admin]

The php error means that the BPS Security Log Cron that runs hourly is unable to copy this file: /bulletproof-security/admin/htaccess/http_error_log.txt to this location: /wp-content/bps-backup/logs/http_error_log.txt. It could also be a false indicator of a problem. If your site is currently under a massive attack then the php error could just be some sort of latency issue with BPS keeping up with the massive attack as far as log file zipping, emailing and replacing it goes. I need to know if the log files are the same log file being sent repeatedly or if each email contains a new Security Log zip file. See info below.

If you are receiving a 50KB Security Log zip file every hour then that would mean your website is currently under a massive attack. Nothing to worry about though. Our sites undergo massive attacks from time to time and there are no noticeable website performance issues. Is the Security Log zip file the same zip file being sent repeatedly or are they each new zip files. You can open a couple and look at the time stamps to see if they are new Security Log zip files or the same zip file being sent repeatedly.

[Jaiji]

The logs files are all different, just a few more entries in each. The first at 2am was 43.5kb and the latest at 10.23pm is 45.6kb.

Total 403 GET Request Log Entries went from 776 to 797 over that period, am I right in thinking that would NOT indicate a massive attack?

More PHP errors over the same period, all as above in my original post.

Happy to provide login details if nec.

 

[AITpro Admin]

An average number of 403 GET Requests blocked on this forum site is: 300-400 per day.  During attacks we see 1,000+ 403 GET Requests blocked per hour (not day).  So yes, 776 and 797 403 GET Requests blocked per hour indicates your website/server is being attacked by a large scale attack.  Typically massive attacks last anywhere from a few hours to a few days.

So let’s do this for now > “wait and see” > if this issue/problem is still occurring after the massive attack is over then we will do some more troubleshooting to figure why the php error is occurring.  My gut is telling me the php error is occurring due to massive attack itself and automated processing of the log file during that attack.

[Jaiji]

Sorry, I thought you meant same – as in identical – log file. What I meant was it is the same log file, with a few extra entries in each one over time. So between 2am and 10.23pm there were 21 further 403 GET Requests added to the file. The first entry at 2.11am is the same in each.

[AITpro Admin]

Ok that indicates that the php error is accurate.  Something is interfering with the hourly cron functionality that zips, emails and replaces (copies a new blank log file) the old log file.  Zipping and emailing appear to be working, but not “copy”.  Do these steps below and let me know if the problem starts again.

1. Use FTP or your web host control panel file manager and navigate to this BPS folder:  /wp-content/bps-backup/logs/.
2. Delete the http_error_log.txt log file and delete any security-log.zip files that you see in the /logs/ folder.

Another possibility could be that the File Owner and Script Owner are different for the /plugins/bulletproof-security/htaccess/ folder and the /wp-content/bps-backup/logs/ folder.  You can check the Owner of a folder by using FTP.  Both folders should have the same Owner (might be a name or a number).

[Jaiji]

I’ve deleted the http_error_log.txt from bps-backup/logs, there were no security-log/zip files there.

/plugins/bulletproof-security/admin/htaccess/ and /wp-content/bps-backup/logs/ both have permissions set to 0755.

No more security log emails since 11.25am today (the file was deleted around noon). Nothing in the PHP Error log since then either.

That seems to be it. Many thanks, excellent support as ever.

[AITpro Admin]

Ok now you want to check that a new /wp-content/bps-backup/logs/http_error_log.txt was automatically created.

[Jaiji]

No it hasn’t been, I just ran the setup wizards and one entry is flagged in red:

Error: Unable to create or update File /home/knockeng/public_html/wp-content/bps-backup/logs/http_error_log.txt

Shall I do a manual reinstall?

[AITpro Admin]

You need to check Folder Ownership (not Permissions) for these folders:  /plugins/bulletproof-security/admin/htaccess/ folder and the /wp-content/bps-backup/logs/ folder.  You can do that with an FTP application like FileZilla or WinSCP (awesome and free download here > https://winscp.net/eng/download.php).  The Folder Owner MUST be the same for both of these folders otherwise the PHP Copy function will not be allowed to copy the Security Log file to the /logs/ folder and you will see the exact php error message that you posted.

[Jaiji]

OK, ownership is fine, all files and folders in the installation are the same – it would have been strange if it was otherwise as this site has been running for several years more or less without issue. I ran the wizards again and responded to a BPS prompt to Reset Last Modified Time In DB, it took a couple of attempts but there is now an http_error_log.txt file (in /wp-content/bps-backup/logs/) and it’s writable. I think that’s really it this time, no? Many thanks.

[AITpro Admin]

Yep, mission completed.  Well done.

[Jaiji]

Aaaaaand it’s back. Been getting these today:

PHP Warning:  copy(/home/********/public_html/wp-content/plugins/bulletproof-security/admin/htaccess/http_error_log.txt): failed to open stream: No such file or directory in /home/********/public_html/wp-content/plugins/bulletproof-security/includes/zip-email-cron-functions.php on line 331

The http_error_log.txt file is not present in bulletproof-security/admin/htaccess/

I’ve run the setup wizards a couple of times, nothing flagged in red.

[AITpro Admin]

If the http_error_log.txt file is not present in bulletproof-security/admin/htaccess/ folder then that is the problem.  Why that file is not there I have no idea.  Create a .txt file on your computer using Notepad or Notepad++.  Do not use Word or Wordpad.  Copy this text below into the .txt file that you create, save the file with this name > http_error_log.txt and upload it to the /bulletproof-security/admin/htaccess/ folder.

BPS PRO SECURITY LOG
=====================
=====================

[Jaiji]

All good, thank you. No idea why it was missing either, very strange.

[Author]

Posts