• maxlwie

    (@maxlwie)


    Hello team,

    I have been noticing that for some reason large amounts of files are being added and later removed from my website. Yesterday over 8000 files appeared in my iThemes Security File Change Log as a warning. How do I interpret this? Does this mean someone is hacking into my site? What can cause file changes?

    Also is there a way to insert a screenshot into this forum so that I can show you guys what I am talking about?

    Thanks

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter maxlwie

    (@maxlwie)

    I also want to add that usually if these large amounts of files are added one or two days later they are being removed and vice versa.

    nlpro

    (@nlpro)

    Is there any error reported in the Apache (assuming Apache) error_log file?

    Is the site hosted on a Windows platform?

    Thread Starter maxlwie

    (@maxlwie)

    Hello nlpro,

    I am not sure what you mean by Apache? Is that a special type of file? It says that the file “error_log” was changed though!

    Module File Change
    Type Warning
    Description 8345 Added, 0 Removed, 1 Changed
    Timestamp 2018-11-12 07:44:27
    User
    URL WP-Cron Scheduled Task
    Changed error_log

    And then it follows with a list of over 8000 files that were added.

    The site is hosted with bluehost.

    Do you want me to copy and paste the information from the “raw data” tab?

    I have also received a couple “fatal errors” from the file change detection. I don’t know if that indicates anything.

    Is there a way for me to send you a screenshot so you can see what my Log is showing?

    Thanks so much for the help.

    nlpro

    (@nlpro)

    It’s probably best to contact your hosting provider (BlueHost). They will be able to have a look at and possibly resolve any errors in the Apache error_log.

    Thread Starter maxlwie

    (@maxlwie)

    So I talked to my hosting provider and they did not see anything wrong on their end. What else could be causing these file changes? Could it be that the Ithemes Security Plug-In is not working properly?

    Thanks

    nlpro

    (@nlpro)

    I have also received a couple “fatal errors” from the file change detection.

    Could it be that the Ithemes Security Plug-In is not working properly?

    The File Change “Fatal Error” entries in the Logs page indeed indicate troubles. It’s very well possible the File Change Detection feature is not working properly. Its scanning engine (php) code has totally been rewritten fairly recently. So there may very well be a few issues in the new code that still need to be ironed out.
    Unfortunately the “Fatal Error” entries don’t provide much info.

    I’ve got a single “Fatal Error” entry in my log and I noticed the timestamp of the entry coincides with 2 preceding entries (type Debug) with a description of “Recovery Failed: First Loop” and “Attempting Recovery” (in that order). Is this similar to what you see in your log?
    (Click on the “All Events” link at the top and filter for “File Change” log entries in order to get the right data on your screen).

    Oh I almost forgot to mention you should make sure to be running the latest iTSec plugin release (7.2.0).

    Thread Starter maxlwie

    (@maxlwie)

    Hey nlpro!

    Please excuse my late reply. So the adding and removing of large amounts of files had stopped for a while. Now for the last two weeks ITSec is showing me that it is happening again. I have the new version 7.2.0. All my FATAL ERRORS have description SCAN FAILED. I noticed that on all of them the URL is different though. One has my website URL “www.theyearofplenty.com”, another one has “https://theyearofplenty.com/robots.txt” and another says “WP-Cron Scheduled Task”. I don’t know if this is important information though. So it is always a similar amount that is being removed and then added again. When this was happening earlier I had my website host scan for malware and they couldn’t find anything. Any other idea what could be causing these File Change Warnings?

    Thanks for the help.

    No worries

    The 7.2.0 plugin was released Oct 10 2018. However there have been several Pro plugin releases since. Below is one of the new Pro changelog entries related to the File Change feature which could be interesting:

    Tweak: Improve File Change locking to help prevent failing scans on sites with inconsistent cron scheduling.

    So that tweak is not yet included in the free 7.2.0 plugin.

    Anyway this seems to confirm that the rewritten file change scanner code is still being refined/tweaked …

    Based on your input of “different URL” which points to “inconsistent cron scheduling” the tweak may very well fix your issue.

    So hopefully there will be a new free plugin release shortly.

    Would really appreciate your feedback once a new free plugin is released

    This has recently happened to me.
    On 2/14/ I received a File Change Warning Email that 6,197 files were added.
    I went into file manager at my webhost and indeed the files were there but the dates were old, not current.
    On 2/16 I received a File Change Warning Email that 1,354 files were removed.
    On 2/16 I received a File Change Warning Email that 1309 were added.

    I also had 3 FATAL ERRORS with the description SCAN FAILED.
    I am using the latest version 7.3.0

    From reading above I was hoping this would work itself out. I would sure like to get rid of those extra files. By the way a malware scan turned up nothing. Any suggestions?

    Thread Starter maxlwie

    (@maxlwie)

    Hey abc77 and nlpro,

    It is still happening to me. All files are removed and then they are all added back in! But this time more files. The last malware scan I did didn’t turn anything up either. Did you ever figure out a way to fix this? Would really appreciate your help.
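One way to check the two observations reported in the posts above (files listed as added carry old dates, and the removed files come back as added) is sketched below as an added example; it is not part of any post and not code from the iThemes Security plugin. The function name `triage`, the bucket names and the sample paths are assumptions made for illustration, and the sample site root is a constructed temporary directory.

```python
import os
import tempfile
import time
from datetime import datetime, timezone


def triage(removed, added, root, prev_scan):
    """Classify the 'added' paths of one File Change report.
    removed = paths the preceding report listed as removed; prev_scan = aware
    datetime of the last scan that completed before the report under review."""
    cutoff = prev_scan.timestamp()
    removed = set(removed)
    out = {"new_on_disk": [], "recycled": [], "predates_scan": [], "missing": []}
    for rel in added:
        try:
            st = os.stat(os.path.join(root, rel))
        except FileNotFoundError:
            out["missing"].append(rel)
            continue
        # mtime can be set by whoever writes the file; on Linux ctime cannot,
        # so take the later of the two as "last touched".
        if max(st.st_mtime, st.st_ctime) >= cutoff:
            out["new_on_disk"].append(rel)      # really written since prev_scan
        elif rel in removed:
            out["recycled"].append(rel)         # removed, then added back unchanged
        else:
            out["predates_scan"].append(rel)    # old file the scanner had not indexed
    return out


def demo():
    """Constructed sample: a temp dir stands in for the site root."""
    root = tempfile.mkdtemp()
    for rel in ("wp-includes/a.php", "wp-content/cache/b.html"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    time.sleep(0.2)
    prev_scan = datetime.now(timezone.utc)      # constructed scan time
    time.sleep(0.2)
    open(os.path.join(root, "wp-content/new.php"), "w").close()
    removed = ["wp-includes/a.php"]
    added = ["wp-includes/a.php", "wp-content/cache/b.html",
             "wp-content/new.php", "wp-content/gone.php"]
    return triage(removed, added, root, prev_scan)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:14} {paths}")
```

Entries in `recycled` and `predates_scan` were already on disk before the previous scan, so the report reflects a change in what the scanner had indexed rather than a write to the site; entries in `new_on_disk` are the ones to review by hand.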

    I still have not been able to get a clear picture why this is happening.
    It’s seriously complex and hard to debug.

    There was a php 7.3 incompatibility bug reported in this topic.
    However I’m not sure whether it impacts this specific issue. Anyway if you are not using php 7.3 that bug is irrelevant.

    If your hosting is Windows based that may be an issue. I’m certain there are at least 2 Windows specific bugs in the File Change Detection feature. It would not surprise me if there are more.

    If not already present you could add the line below to the wp-config.php file:

    define( 'ITSEC_USE_CRON', true );

    It will force the iTSec plugin to run scheduled tasks using WP Cron only. It’s the default scheduler type but due to a bug the iTSec plugin may unexpectedly switch to using the page scheduler. Randomly switching between the 2 scheduler types may contribute to this issue.

    Another option could be to reset the scheduler. For this you need to activate the debug page. If not already present add the line below to the wp-config.php file:

    define( 'ITSEC_DEBUG', true );

    If added properly a new Debug submenu option will show up under the Security menu option. On the Debug page under the Scheduler section you’ll find a Reset button.

    Finally as always you should be using the latest plugin release (7.3.1). The fix I mentioned in an earlier post is now included in the free plugin.
    Hope this helps a bit.

    Thread Starter maxlwie

    (@maxlwie)

    Hey nlpro,

    Thanks for the fast reply. I am not really a coder so I don’t want to mess with the website files, but maybe I can find someone to do it. So you think this is just a bug? I will have to find out if my host uses Windows.

    Last night I had another file change warning that modified my ERROR_LOG, now I looked at the details and it was a Scheduled WP Cron? Could you elaborate on what this means? Is this something my hosting provider has scheduled to do? The IP address under the details tab was that of my hosting provider as well.

    Thanks for the great support. I appreciate your time.

    Still happening to me as well. Very frustrating. Recent update did not fix it. I was going to delete the plugin, but then I’m stuck with all these excess files. Any idea how to get rid of all these excess files?

    Thread Starter maxlwie

    (@maxlwie)

    No idea.

    Please let me know if you find a solution!

  • The topic ‘File Scan Warning: Large amounts of files added.’ is closed to new replies.