Today the Wordfence team has a big announcement. We are launching Gravityscan.com, a completely free vulnerability and malware scanner. You can use Gravityscan to find out if your website has been hacked and if you have any security problems that may lead to a hack in future.
The full announcement is on the Gravityscan blog.
I would encourage you to run a scan on your website now. Whether you run WordPress, Joomla, Drupal, Magento, vBulletin or any other platform, Gravityscan performs a thorough vulnerability and malware scan on your site in just a few minutes with real-time updates as the scan progresses.
Gravityscan also works seamlessly with Wordfence and is an excellent addition to your suite of security products if you are already using Wordfence or Wordfence Premium to protect your WordPress website. You can read more about how well Gravityscan complements Wordfence on this page.
Mark Maunder – Wordfence Founder & CEO
Hi, just a heads up, I got this error when trying to have it scan my site: https://www.dropbox.com/s/ki1lnycav043kp0/chrome_2017-05-16_08-17-13.png?dl=0
Thanks very much Cliff. Just chatted to the QA team. We did test with .tech, .info and a few other gTLDs but we must have an issue with that one. Also just got word that .work appears to be working. So we'll get this fixed ASAP.
I tried every single verification method and it refuses to verify site ownership for me. Not sure what I'm doing wrong.
Please contact support using the contact page on Gravity. Thanks.
Great tool! I have an issue: WordPress 2.3-4.7.4 - Host Header Injection in Password Reset
Am I able to block access to the URL in the scan result?
You don't need to. Please see my reply to another commenter here regarding this exploit.
Why is it picking up errors that WF should have detected?
Can you provide more detail?
I went to the site and did a scan of my site via the free scan and it just sat there. It didn't do anything. I know this is a launch and there may be some quirky things that happen, which is natural for a first-day launch. Very excited about this new tool and looking forward to using it.
Scratch that... just tried it again and it is working now.
Thanks. Yup, the guys chased off the gremlins and everything is running smoothly now.
Thanks. Yup, we had a few quirks this morning. We had a large number of scans (4 digits) running concurrently and needed to adjust our config to compensate. The result was that for about an hour users may have seen 'waiting for scanner' for a few minutes before scans started.
It's fixed now. Thanks for the feedback.
Any effort to improve web safety is an effort well made. Thank you very much!
I noticed a double entry on the first 2 entries in scan results, possibly by starting (but not finishing) the scan in guest mode before sign-up and verification?
Also, the WP 0-day reported is worrying. Does (free) Wordfence provide any mitigations for it?
You probably received a duplicate entry because we made a config change this morning which required that we reboot our scan workers. That resulted in your scan job being resubmitted to the queue which can produce duplicate results. It's fixed now and you can just ignore that duplicate.
I've pinged the Wordfence QA team about the 0day and should have an answer shortly.
So this may surprise you but we've made the conscious decision to not release a firewall rule to protect against that particular exploit. The exploit is an edge case and almost impossible to exploit. The firewall rule for this exploit may result in false positives.
This is the proof of concept:
The exploit requires that an attacker cause the password reset email to bounce, and that bounce will return to a malicious address. That means an attacker needs to fill up your email inbox somehow, hope that you are automatically cc'ing the return address (why would you do that?) for password reset emails, or that you reply to a password reset email. (Again, why would you ever reply to a password reset email?)
So it's a theoretical attack which is low priority and can only be exploited under very specific conditions and in rare cases. I'd challenge anyone to try to fill up a gmail inbox remotely. Gmail spam filtering will just start black-holing your emails.
Hope that helps.
Not working for me. When I hover over the scan button a little icon appears and won't let me click.
Thanks. Can you send us a screenshot?
Here is a link to the screen shot.
Actually I tried on IE, Firefox and Chrome; it was the same on all three.
Here is an update.
I brought up the java console on Chrome via Ctrl + Shift + J and did not see any errors; however, after I did that the issue resolved itself and I was able to click through on the scan button.
I did the same in IE and that cleared IE as well.
This process did not work in Firefox. Here is the java console report on Firefox:
Thank you, I've shared this with the QA team.
I manage sites for about 18 clients, do I need to set up separate GravityScan accounts for each one? I just started with one client and created new login for him, though he has not received confirmation message or any next steps, it's been about 30 minutes.
Also, tried sending a copy of the report via your email dialog; it said "Sending" for a long time, and then an "Adapter Error" showed up on screen.
You can bulk import sites via Google Analytics which should make things much easier!
Thanks for the bug report about sending the report copy. I'm filing that now.
Just an observation on friction from someone who just arrived to the site and wanted a quick test.
Both URLs I entered just say "This domain must be verified before starting a scan." and nothing else happens. This is terrible FTUE and will likely result in many people dropping off right away at that point.
Why even offer a URL box if you need to verify first, as if you can scan any site by just going to the page? At least without any instructions about how to verify, what to do next, etc.
I realize you probably need to sign up, verify each site, then run scans, but I'm just trying to help you view this situation through the eyes of a first-time visitor.
Thanks Artem. Your site receives higher traffic than normal. We have identified sites like that and have set Gravityscan up so that you have to prove you own those sites before you can scan them. This is to protect you from someone who could use Gravityscan to scan your sites for security holes.
Most people who use gravityscan don't get that experience. They can simply run a scan. So I've filed a bug to make that message more helpful. Thanks.
Hi again, Mark,
I wanted to whitelist Gravityscan in Cloudflare, as per your instructions here https://www.gravityscan.com/help/scan-settings/whitelisting-gravityscan/, but CF doesn't support the /27 that you list in the post:
"Only an IPv4 range (CIDR) value of /16 or /24 is allowed for Access Rules"
I think our docs actually say that and suggest to use a /24. I'll check that.
Just replace the /27 with /24. You will whitelist a few extra IP addresses. Unfortunately this is a problem with Cloudflare so I'd suggest contacting them if you would like them to change that.
Looks like your docs here https://www.gravityscan.com/help/scan-settings/scanning-with-cloud-waf/ do specify that, but not here https://www.gravityscan.com/help/scan-settings/whitelisting-gravityscan/.
Thanks Artem, fixing that now.
Great again! Thank you very much.
Just some feedback for the current Wordfence version:
I had to whitelist Gravityscan in Wordfence to make it work ( 68.64.48.[0-31] ).
Wordfence then found the gravityscan agent file and suggested to check it as it is not a WP file and might contain malicious executable code.
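Two replies above touch the same whitelisting problem: Cloudflare Access Rules accept only /16 or /24 IPv4 ranges, and the range a commenter allowed in Wordfence is written as 68.64.48.[0-31]. The added example below (not Gravityscan's or Wordfence's code) converts that bracket notation to a CIDR, widens any CIDR to the smallest range Cloudflare will accept, and reports how many extra addresses the wider rule lets through, so you can see exactly what "a few extra IP addresses" means before committing the rule.

```python
from ipaddress import IPv4Network, ip_address, ip_network, summarize_address_range

# Constraint quoted from Cloudflare's error message in the thread:
# "Only an IPv4 range (CIDR) value of /16 or /24 is allowed for Access Rules"
CLOUDFLARE_ALLOWED_PREFIXES = (24, 16)  # try the tighter prefix first


def bracket_range_to_cidr(spec: str) -> IPv4Network:
    """Convert the 'a.b.c.[lo-hi]' notation used in the thread to one CIDR block.

    Raises ValueError if the range is not a single aligned block, because a
    whitelist entry that silently covers a different range is worse than an error.
    """
    prefix, _, last_octet = spec.rpartition(".")
    lo, hi = last_octet.strip("[]").split("-")
    first, last = ip_address(f"{prefix}.{lo}"), ip_address(f"{prefix}.{hi}")
    blocks = list(summarize_address_range(first, last))
    if len(blocks) != 1:
        raise ValueError(f"{spec} does not map to a single CIDR block: {blocks}")
    return blocks[0]


def widen_for_cloudflare(cidr: str) -> IPv4Network:
    """Return the smallest /24 or /16 that fully contains cidr."""
    net = ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("Cloudflare access rules in the thread are IPv4 only")
    for prefix in CLOUDFLARE_ALLOWED_PREFIXES:
        if net.prefixlen >= prefix:          # a /27 fits in a /24; a /20 needs a /16
            return net.supernet(new_prefix=prefix)
    raise ValueError(f"{cidr} is wider than /16; split it into /16 rules instead")


def extra_addresses(cidr: str) -> int:
    """Count addresses the widened rule allows beyond the scanner's own range."""
    original = ip_network(cidr, strict=False)
    return widen_for_cloudflare(cidr).num_addresses - original.num_addresses


if __name__ == "__main__":
    scanner = bracket_range_to_cidr("68.64.48.[0-31]")   # the range quoted above
    print(f"{scanner} -> {widen_for_cloudflare(str(scanner))}, "
          f"{extra_addresses(str(scanner))} extra addresses whitelisted")
```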
Just tested my site and had a few critical issues referring to directories, not files. Directories such as wp-includes/js, wp-includes/css and wp-content/uploads. Not useful to pinpoint issues, nor could I find issues there myself. Perhaps a file like GeoIP.dat set off the alarm in uploads, not sure. Inside wp-includes I did not see anything malicious at all. Perhaps old version JS and CSS files triggered things as my WordPress site has been around for ages. But will check things some more at a later stage to be sure. It also found http://bit.ly/getsizebug1 inside my WP Rocket cached js file, and stated it was malicious and it isn't. It refers to a Firefox bug in a Github repo.
Thanks, have logged these with the team. This is the second report we've received of gravityscan pointing to dirs instead of files.
Hi, so gravityscan says my IP is blacklisted on JustSpam.org.
I wonder how trustworthy this blacklist is. It looks like this website is not being maintained. The copyright in the footer says 2011, there is no contact information to be found and when I try to unlist it there, I get this:
Your IP xxx.xxx.xxx.xxx is not listed by other well-known blacklists.
To remove it from dnsbl.justspam.org fill the captcha to get your delistinglink.
Couldn't connect to server
So it doesn't display a captcha and I can't unlist, and since there is no contact info I can't report it to them.
I tried to send an email to info@JustSpam.org and to the registrant's e-mail address (which is a yahoo address) and both bounced.
So is JustSpam.org a real blacklist that is still in use?
Also, is it an idea to not have to install the accelerator when the website already runs WordFence?
We removed JustSpam John, based on user feedback. It has no removal process so we yanked them. Thanks for your feedback. Problem solved.
Thanks! What about the idea to not have to install the accelerator when the website already runs WordFence?
We may implement something like that in future. Either provide the ability to install Accelerator via the Wordfence UI, or build Accelerator into Wordfence.
1) It looks like the scan is checking my entire multisite (as you might expect). Would you advise scanning every domain still in case there is a problem with a file that isn't common?
2) I couldn't authorise with GA yesterday. PHP file was fine though.
Also got a weird issue with Elegant Themes - Bloom:
It's giving three errors for the plugin saying update it. These weren't there yesterday. Strange thing is the suggested upgrade versions are all different (1.2.4, 1.2.7 and 2.6.4) and the plugin is up to date?
Thanks, have passed this on.
The recommended plugin version numbers reflect the version numbers of Divi/Extra/another ET plugin at the time of the security problem found 2 years ago or whenever it was.
Thanks Dave. Gravity doesn't work that well with Multi-site currently although it does provide basic scanning. We're working on that.
GA error messages will be more descriptive after a release later today. That will help you diagnose the issue.
Great tool! Quick question though, it keeps returning several errors on my site that says something like this:
Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
Description: Vulnerability found in WordPress. Upgrade to at least version 4.7.2.
However, we're on the most current version of WordPress, but it keeps pointing to my /readme.html file. I'm a little confused on why it's saying we're on a lower version of WordPress when we're actually on the most current?
Thanks Chris, passing this on.
I applaud your intentions and release of Gravity scan. Thank you.
Having said this, I have had three problems in using it.
a) it (incorrectly) recognises my Engage themes plugins as being out of date, and vulnerable to Privilege escalation. They are the latest version.
b) even when Cloudflare has your IPs whitelisted, it still says blocked.
c) even when I have successfully uploaded the verify php file and checked it, verify says there is an error.
Finally I communicated all of this to your guys through the gravity contact page and have received no response or even acknowledgement - so I am trying here.
My guess is that this is just teething for a new product, but not sorting these things out will not help. Can you help?
Thanks Mark. We very much appreciate you using the contact page. That has created a ticket. Our CS team is prioritizing fixes and making sure they happen. We're aware of the issues you've raised and they're in the queue. We aren't able to respond to all tickets immediately so my apologies for that.
I scanned my site yesterday at 5:50 pm EST and it came up with 4 critical issues all involving the following FILES:
It turns out these are really DIRECTORIES - based on a comment above as well as checking with another source ... are these things that are really critical and I need to check out and how? I'm not sure where to go from here and/or if there is any issue at all.
This has been fixed. It was a bug. The fix now makes it clear we are pointing out that your site is allowing directory listing. Please try your scan again.
Many thanks for your help and work!
Thanks for all you do to keep our websites safe! How is this different from Wordfence? I'm currently using the free version. Does Gravityscan offer additional service? Thanks again.
Please see: https://www.gravityscan.com/help/general-help-topics/gravityscan-complements-wordfence/
So is GravityScan different than the scan with the plugin? Or is GravityScan now incorporated in the plugin daily scan?
Gravityscan is a separate product. When you perform a Wordfence scan it does not include a scan by Gravityscan.
Wordfence is reporting that the Gravityscan Accelerator file may contain malicious executable code: gravityscan-agent-XXXXXXXXXXXXXX.php when HIGH SENSITIVITY scanning is enabled.
Your dev team might want to add these as safe files to the WF filter otherwise website owners might think there is an issue with it.
"This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'base64_decode(' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives."
I know I can ignore it within my own website, however many other users of both Wordfence and Gravityscan could be seeing the same warnings and if managed by several people, it could get deleted by accident, or people think they have been hacked.
Thanks Ian. We're aware of this issue and it will be fixed this week.
GravityScan noted that my "sites" have been blacklisted by McAfee, SpamHaus, abuseat, etc, due to the overall IP's being . So when I got more info, I contacted my hosting provider since it is ANOTHER domain that is causing the problem and asked them to correct the issue per the report. My hosting provider states that they are "not responsible for content on hosted websites" and are not obligated to fix the problem. Great. So the rest of us get "blacklisted" via the overall IP/server that we are sharing hosting together on...not great. Or maybe it doesn't matter if my sites are blacklisted? My sites are hobby sites anyway so don't need fancy $$$ hosting, but do need secure hosting which, silly me, I was expecting already. Not sure what Wordfence/GravityScan can do to help since my sites (domains) are not the ones spewing spam. And yes, Wordfence is installed on my sites.