Vakantie Ameland
Forum Replies Created
No blocked packets and somehow the scan works now with iptables firewall enabled… nothing has been changed. Well, glad it’s working, tnx!
In another installation I had to activate the Advanced Access Manager plugin ( https://www.ads-software.com/plugins/advanced-access-manager/ ) to make the scan work.
I can only scan with the sigs.sig in the nfwlog/sigs folder.
When I disable this plugin the scan gives 404’s
The nginx-overflow rule was the blocking rule.
In the installation where the wordpress folder itself was renamed the scan does not work, even if there is no firewall loaded.
On the same server with one working wordpress there is another wordpress installation where this setup does not work.
The main difference is that on the working installation the directory to be scanned is /var/www/name/wordpress and on the non-working installation the directory to be scanned is /var/www/name where the name part is the renamed wordpress directory.
Well I have tried the new ninjafirewall.php script on several installations, with or without define('ALTERNATE_WP_CRON', true);
On every installation the 404 errors keep coming.
Now on one server installation I have found the culprit there. Fail2ban firewall ( https://www.fail2ban.org/wiki/index.php/Main_Page ) blocks the internal cron spawn from ninjafirewall script.
When I completely disable fail2ban, use fresh page load and then scan for malware the scan performs well. So I have to find a way to make a working fail2ban rule for letting the ninjafirewall script work.
But on the other installations I do not use fail2ban, strange….
Ok, is there another way of avoiding the cron spawn?
Ok tnx, wait for that. I really do not know how to make sure the cron spawn works as for some reason this does not work anymore on several WordPress installations on different servers.
I have a question about using cron in your code.
Why do you need it to execute the scan?
I really do not know why the cronjob is not working. I have defined the alternate cron in wp-config.php
define('ALTERNATE_WP_CRON', true);
Now the "POST /wp-cron.php?doing_wp_cron=xxxxxxx HTTP/1.1" is running.
But still the same error in running the scan
No wp-cron job there. I did not disable cron in wp-config file.
Changed it, but no difference, same output
The /ninjafirewall/lib/share/sigs.txt certainly exists.
Selecting the Linux Malware Detect + NinjaFirewall
signature and then pressed the Scan button:
Setting up watches. Watches established. wordpress/wp-content/nfwlog/cache/ ACCESS nfdbhash.1.php
And for the ../lib/share folder nothing happens
Setting up watches. Watches established.
Setting up watches. Watches established.
Nothing happens
I completely control the servers.
In the /nfwlog/cache folder are the following files
nfdbhash.1.php index.html livelog.php
When I run the livelog this file is added livelogrun.php and results show in the livelog window
Ok about the firewall and files in the cache folder.
The /nfwlog/ and /nfwlog/cache are both owned by the web user and fully writable, so there’s no problem.