• Resolved dainhumain

    (@dainhumain)


    Hi,

    I have been having problems with security on my website (lost access twice, and random pop-ups and redirects to dangerous places) and getting a virus pop-up and friends reporting redirects to random websites.

    https://ibb.co/g9TDksr

    Now Wordfence keeps failing to scan despite following the recommended scan performance options on here. It did catch one thing before failing on the first scan which I removed via FTP, and this stopped one virus pop-up coming up, but I’d like to have a full clean of my site and it to be protected properly.

    Log added. I’ve added to my Google Drive space here: (I cannot add it to the post or paste the text)
    https://drive.google.com/file/d/1-4wIJ62rsQWyqWQcfZ_roASZN9V-5OFh/view?usp=sharing

    Thanks in advance.

    • This topic was modified 3 months ago by dainhumain.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter dainhumain

    (@dainhumain)

    I can't seem to add the log, and the text is too long….

    Thread Starter dainhumain

    (@dainhumain)

    [Dec 09 17:56:02:1733763362.602336:4:error] Wordfence could not find a saved cron key to start the scan so assuming it started and exiting.
    [Dec 09 17:56:02:1733763362.601963:4:info] Checking cronkey: 18ff87e60dcce62170d8d38c489c9f79 (expecting [none])
    [Dec 09 17:56:02:1733763362.601479:4:info] Fetching stored cronkey for comparison.
    [Dec 09 17:56:02:1733763362.601089:4:info] Verifying start request signature.
    [Dec 09 17:56:02:1733763362.600643:4:info] Scan engine received request.
    [Dec 09 17:56:00:1733763360.009302:4:info] Entered fork()
    [Dec 09 17:56:00:1733763360.008834:4:info] Calling fork() from wordfenceHash with maxExecTime: 20
    [Dec 09 17:55:59:1733763359.997507:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/webfonts/fa-brands-400.eot (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.994672:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/migration/mapping.js (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.981165:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/json/solid.json (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.977220:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/json/regular.json (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.968152:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/json/brands.json (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.967312:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/js/v4-shims.min.js (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.966141:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/js/v4-shims.js (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.964678:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/js/solid.js (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.963775:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/js/regular.js (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.962559:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/js/brands.js (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.959666:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/fonts/fontawesome-webfont.woff2 (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.956266:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/fonts/fontawesome-webfont.woff (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.952020:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/fonts/fontawesome-webfont.ttf (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.941378:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/fonts/fontawesome-webfont.svg (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.936912:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/fonts/fontawesome-webfont.eot (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.932700:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/fonts/FontAwesome.otf (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.931127:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/css/v4-shims.min.css (Mem:136.5M)
    [Dec 09 17:55:59:1733763359.928873:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/css/v4-shims.css (Mem:136.5M)
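
The log above is pasted newest-first, so the failure is easier to follow once it is put back in time order. The following is an added example, not part of the thread and not Wordfence code: it parses lines in the format shown, sorts them by the epoch field, and extracts the cron key check and the last file scanned before the fork. The function names `parse` and `triage` are hypothetical, and the sample is a subset of the posted lines.

```python
import re

# Constructed sample: a subset of the log lines posted above, newest first as posted.
SAMPLE_LOG = """\
[Dec 09 17:56:02:1733763362.602336:4:error] Wordfence could not find a saved cron key to start the scan so assuming it started and exiting.
[Dec 09 17:56:02:1733763362.601963:4:info] Checking cronkey: 18ff87e60dcce62170d8d38c489c9f79 (expecting [none])
[Dec 09 17:56:02:1733763362.601479:4:info] Fetching stored cronkey for comparison.
[Dec 09 17:56:00:1733763360.009302:4:info] Entered fork()
[Dec 09 17:56:00:1733763360.008834:4:info] Calling fork() from wordfenceHash with maxExecTime: 20
[Dec 09 17:55:59:1733763359.997507:4:info] Scanning: /var/www/wptbox/wp-content/plugins/elementor/assets/lib/font-awesome/webfonts/fa-brands-400.eot (Mem:136.5M)
"""

# [<date time>:<epoch.micros>:<number>:<level>] <message>
# The leading "[" is optional because a pasted first line can lose it; the page does
# not say what the numeric third field means, so it is matched but not used.
LINE_RE = re.compile(r"^\[?(\w{3} \d{2} [\d:]{8}):(\d+\.\d+):(\d+):(\w+)\] (.*)$")
CRON_RE = re.compile(r"Checking cronkey: (\S+) \(expecting (.+)\)$")

def parse(log_text):
    """Return log entries as dicts, sorted oldest-first by the epoch field."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a log line
        _stamp, epoch, _num, level, msg = m.groups()
        entries.append({"epoch": float(epoch), "level": level, "msg": msg})
    return sorted(entries, key=lambda e: e["epoch"])

def triage(log_text):
    """Summarise errors, the cron key check, and where the scan was when it forked."""
    report = {"errors": [], "cronkey_mismatch": None, "last_scanned": None, "fork_gap_s": None}
    fork_at = None
    for e in parse(log_text):
        if e["level"] == "error":
            report["errors"].append(e["msg"])
        if e["msg"].startswith("Scanning: "):
            report["last_scanned"] = e["msg"][len("Scanning: "):].rsplit(" (Mem:", 1)[0]
        if e["msg"] == "Entered fork()":
            fork_at = e["epoch"]
        m = CRON_RE.search(e["msg"])
        if m and m.group(1) != m.group(2):
            report["cronkey_mismatch"] = {"received": m.group(1), "expected": m.group(2)}
            if fork_at is not None:  # seconds between the fork and the failed key check
                report["fork_gap_s"] = round(e["epoch"] - fork_at, 3)
    return report
```
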
    Plugin Support wfpeter

    (@wfpeter)

    Hi @dainhumain, thanks for providing the log and background of what you’re seeing!

    I have seen “Wordfence could not find a saved cron key to start the scan” reported before, although scan or communication issues can be caused by the presence of malware or other malicious action on your site. I do think the pop-ups and redirects should be dealt with first as the priority because the scans may resume as normal on a cleaned site.

    Unfortunately we can’t walk customers through a site cleaning here on the forums but we do have resources that can assist you. You should try the following checklist:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    Make sure all of your plugins and themes are up-to-date and that WordPress core is on the latest suitable version. As a rule, any time someone thinks their site has been compromised, they should update their passwords for hosting control panel, FTP, WordPress admin users, and database in order to cover the key access points where somebody could change or upload things on your site. Make sure to do this!

    Check for administrative users you don’t recognize in WordPress > Users > All Users, just in case there is anything suspicious there. Delete any that you know shouldn’t have this kind of access.

    If you find anything that you’re suspicious of but unsure what to do next, you can send files/code to samples @ wordfence . com. If you do, just make sure to remove any database credentials or keys/salts in any files you do send over. Our team can help advise next steps from there.

    Before attempting a site cleaning, we always recommend that you make a full backup of the site beforehand.

    Let us know how you get on,
    Peter.
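
The reply above asks for database credentials and keys/salts to be removed from any file sent for analysis. The following is an added example, not part of the thread and not Wordfence code: it blanks the standard `wp-config.php` credential and key/salt constants and then reports any of those values that still appear elsewhere in the file, such as in a comment. The function names `redact` and `leftovers` and the sample file are constructed for illustration.

```python
import re

# Constants that hold database credentials and auth keys/salts in wp-config.php.
SECRET_CONSTANTS = {
    "DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST",
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}

# Matches define( 'NAME', 'value' ) with either quote style and escaped quotes.
DEFINE_RE = re.compile(
    r"""(?P<head>define\s*\(\s*(?P<nq>['"])(?P<name>\w+)(?P=nq)\s*,\s*)"""
    r"""(?P<q>['"])(?P<val>(?:\\.|(?!(?P=q)).)*)(?P=q)""",
    re.IGNORECASE,
)

# Constructed sample input, not taken from any real site.
SAMPLE = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'constructed-pass' );
define("AUTH_KEY", "constructed-key-1");
define( 'WP_DEBUG', false );
// old backup creds: wp_user / constructed-pass
$table_prefix = 'wp_';
"""

def redact(php_source):
    """Return (redacted_source, {name: original_value}) for secret constants."""
    found = {}
    def _sub(m):
        if m.group("name") not in SECRET_CONSTANTS:
            return m.group(0)  # leave non-secret defines untouched
        found[m.group("name")] = m.group("val")
        return f"{m.group('head')}{m.group('q')}REDACTED{m.group('q')}"
    return DEFINE_RE.sub(_sub, php_source), found

def leftovers(redacted_source, found):
    """Names whose original value still appears elsewhere (comments, copies)."""
    return sorted(n for n, v in found.items() if v and v in redacted_source)

if __name__ == "__main__":
    clean, found = redact(SAMPLE)
    print(clean)
    print("still present after redaction:", leftovers(clean, found))
```

A non-empty result from `leftovers` means the file needs a manual pass before it is sent; the `found` mapping holds the real secrets and should not be written to disk or attached.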
