File Change Detection keeps detecing changes to a "session" file.

  • Resolved terryclothdoll

    (@terrycloth-doll)


    10 years, 7 months ago

    In what seemed at the time like a moment of virtuous paranoia, I decided to activate the File Change Detection feature of the iThemes Security WP plugin. Since then, I’ve gotten daily notices about changes to a file called session_mm_cgi-fcgi535.sem. I have two small self-hosted WordPress sites with the iThemes Security plugin, which both detect changes to identically named files.

    What is this? Should I be concerned?

    I thought at first, based on the name having “session,” that it had something to do with keeping track of my log-in sessions, but I don’t log in to my sites nearly as often as I’m getting these “change detected” email notices. I then wondered if this was a sign of a break-in, but again, it’s happening every single day, and there don’t appear to be any other signs of a break-in.

    I’m running WordPress v3.9.1, with iThemes Security v4.2.15, on a shared web hosting plan which uses PHP v5.5.0 and MySQL v5.5.34 on CentOS 6.

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 6 replies - 1 through 6 (of 6 total)

  • Hey Terry-cloth-doll,

    In what directory is this file located? Are you by chance using a WordPress backup solution?

    Thanks,

    Gerroald

    Thread Starter terryclothdoll

    (@terrycloth-doll)

    Thanks for taking a look at this with me.

    I did a search in all the directories of my web hosting account, and strangely, I can’t find the session files anywhere. It’s funny, actually looking at the file seems like an obvious step in figuring out what it is, but for some reason I never thought of that, even after googling it for a while. The fact I can’t actually find the session files makes this even stranger.

    The File Change Detection emails normally specify a directory, but don’t in this case, so I guess that means it’s supposed to be in the root of the websites’ folders? — but there’s definitely no session files there or in any subdirectories (except the wp-session files, but I don’t usually get file change notifications about those). Weirder still, File Change Detection always lists the session_mm_cgi-fcgi535.sem files as “modified” instead of “added” or “deleted.”

    I only backup by mirroring with a local folder, over sftp, I don’t use a plugin or third-party solution.

    Hey Terry-cloth-doll,

    I spoke with the developer and he believes that this may be some type of server configuration that generating the file. He doesn’t believe that there’s any reason for concern and suggested that you ignore that file type to avoid the notifications.

    Thanks,

    Gerroald

    Thread Starter terryclothdoll

    (@terrycloth-doll)

    I talked to support at my web host, and they say it’s not from them. I just sent them a reply-email to get a second opinion to double-check.

    If it’s not the web host server, and it’s not iThemes Security, then this seems a little more troubling again. I do have other plugins installed, but it seems unlikely that they would be responsible…

    Thread Starter terryclothdoll

    (@terrycloth-doll)

    Okay, it seems you guys were right. Here’s the followup message from my web host’s support team.

    I did a little bit of investigating. This appears to be a PHP version 5.2 specific (possibly earlier too) issue. There are more details about it here if you are interested: https://bugs.php.net/bug.php?id=49503 I believe you can prevent it from occurring by explicitly setting a session save path in your php.ini file. There is no vulnerability or security threat to my knowledge after reading the bug report.

    I feel pretty resolved now.

    Thanks.

    Hey Terry-cloth-doll,

    Thanks for the update! I’m happy to hear they were able to confirm our suspicions.

    Thanks,

    Gerroald

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘File Change Detection keeps detecing changes to a "session" file.’ is closed to new replies.