
Announcing Gravityscan

This entry was posted in General Security on May 16, 2017 by Mark Maunder   58 Replies

Today the Wordfence team has a big announcement. We are launching Gravityscan.com, a completely free vulnerability and malware scanner. You can use Gravityscan to find out if your website has been hacked and if you have any security problems that may lead to a hack in future.

The full announcement is on the Gravityscan blog.

I would encourage you to run a scan on your website now. Whether you run WordPress, Joomla, Drupal, Magento, vBulletin or any other platform, Gravityscan performs a thorough vulnerability and malware scan on your site in just a few minutes with real-time updates as the scan progresses.

Gravityscan also works seamlessly with Wordfence and is an excellent addition to your suite of security products if you are already using Wordfence or Wordfence Premium to protect your WordPress website. You can read more about how well Gravityscan complements Wordfence on this page.

Mark Maunder – Wordfence Founder & CEO


58 Comments on "Announcing Gravityscan"

Cliff DesPeaux May 16, 2017 at 8:19 am • Reply

Hi, just a heads up, I got this error when trying to have it scan my site: https://www.dropbox.com/s/ki1lnycav043kp0/chrome_2017-05-16_08-17-13.png?dl=0

Mark Maunder May 16, 2017 at 8:22 am • Reply

Thanks very much Cliff. Just chatted to the QA team. We did test with .tech, .info and a few other gTLDs but we must have an issue with that one. Also just got word that .work appears to be working. So we'll get this fixed ASAP.

Mark.

daniel May 16, 2017 at 10:35 am • Reply

I tried every single verification method and it refuses to verify site ownership for me. Not sure what I'm doing wrong.

Mark Maunder May 16, 2017 at 12:00 pm • Reply

Hi Daniel,

Please contact support using the contact page on Gravity. Thanks.

dave.curtis@1hq.co.uk May 16, 2017 at 10:41 am • Reply

Great tool! I have an issue: WordPress 2.3-4.7.4 - Host Header Injection in Password Reset

Am I able to block access to the URL in the scan result?

Mark Maunder May 16, 2017 at 12:27 pm • Reply

You don't need to. Please see my reply to another commenter here regarding this exploit.

Dave May 17, 2017 at 6:48 am • Reply

Great, thanks.

Iain May 16, 2017 at 10:44 am • Reply

Why is it picking up errors that WF should have detected?

Mark Maunder May 16, 2017 at 11:55 am • Reply

Hi Iain,

Can you provide more detail?

Thanks.

SirBarratt May 16, 2017 at 11:02 am • Reply

Hey Mark,

I went to the site and did a scan of my site via the free scan and it just sat there. It didn't do anything. I know this is a launch and there may be some quirky things that will happen, which is natural for a first day launch. Very excited about this new tool and looking forward to using it.

SirBarratt May 16, 2017 at 11:03 am • Reply

Scratch that... just tried it again and it is working now.

Mark Maunder May 16, 2017 at 11:53 am • Reply

Thanks. Yup, the guys chased off the gremlins and everything is running smoothly now.

Mark Maunder May 16, 2017 at 11:53 am • Reply

Thanks. Yup, we had a few quirks this morning. We had a large number of scans (4 digits) running concurrently and needed to adjust our config to compensate. The result was that for about an hour users may have seen 'waiting for scanner' for a few minutes before scans started.

It's fixed now. Thanks for the feedback.

Tanel May 16, 2017 at 11:44 am • Reply

Any effort to improve web safety is an effort well made. Thank you very much!

I noticed a double entry on the first 2 entries in scan results, possibly by starting (but not finishing) the scan in guest mode before sign-up and verification?

Also, the WP 0-day reported is worrying. Does (free) Wordfence provide any mitigations for it?

Mark Maunder May 16, 2017 at 11:54 am • Reply

Hi Tanel,

You probably received a duplicate entry because we made a config change this morning which required that we reboot our scan workers. That resulted in your scan job being resubmitted to the queue which can produce duplicate results. It's fixed now and you can just ignore that duplicate.

I've pinged the Wordfence QA team about the 0day and should have an answer shortly.

Mark.

Mark Maunder May 16, 2017 at 12:26 pm • Reply

Hi Tanel,

So this may surprise you but we've made the conscious decision to not release a firewall rule to protect against that particular exploit. The exploit is an edge case and almost impossible to exploit. The firewall rule for this exploit may result in false positives.

This is the proof of concept:

https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

The exploit requires that an attacker cause the password reset email to bounce, and that bounce will return to a malicious address. That means an attacker needs to fill up your email inbox somehow, hope that you are automatically cc'ing the return address (why would you do that?) for password reset emails, or that you reply to a password reset email. (Again, why would you ever reply to a password reset email?)

So it's a theoretical attack which is low priority and can only be exploited under very specific conditions and in rare cases. I'd challenge anyone to try to fill up a gmail inbox remotely. Gmail spam filtering will just start black-holing your emails.

Hope that helps.

Mark.
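The mechanism behind the PoC linked above, as an added example that is not code from the post or from WordPress: the password-reset mail's From address was built from `$_SERVER['SERVER_NAME']`, which on a default Apache virtual host (`UseCanonicalName Off`) is copied from whatever `Host` header the client sent, so the attacker picks the domain that receives a bounce. The Python below models that derivation next to a hardened variant that only accepts a configured allowlist of canonical hostnames (the `CANONICAL_HOSTS` set and the request dicts are constructed for the example).

```python
"""Model of the Host-header-derived sender address in CVE-2017-8295.

Added example, not WordPress code. The vulnerable function mirrors the
logic of wp_mail(): lowercase SERVER_NAME, strip a leading "www.", prefix
"wordpress@". The hardened function pins the domain to an allowlist, which
is what UseCanonicalName On (web server) or a fixed address via the
wp_mail_from filter (WordPress) achieve in practice.
"""
from typing import Mapping, Optional

# Hypothetical configuration: hostnames this site legitimately answers on.
CANONICAL_HOSTS = frozenset({"example.com", "www.example.com"})


def reset_sender_vulnerable(request: Mapping[str, str]) -> str:
    """Derive the sender from the request, as SERVER_NAME would be on an
    Apache default vhost: the attacker-supplied Host header is trusted."""
    server_name = request.get("Host", "").lower()
    if server_name.startswith("www."):
        server_name = server_name[4:]
    return f"wordpress@{server_name}"


def reset_sender_hardened(request: Mapping[str, str],
                          canonical_hosts=CANONICAL_HOSTS) -> Optional[str]:
    """Only accept a Host value that is a configured canonical hostname;
    refuse to build an address (None) for anything else."""
    host = request.get("Host", "").split(":", 1)[0].lower()
    if host not in canonical_hosts:
        return None
    domain = host[4:] if host.startswith("www.") else host
    return f"wordpress@{domain}"


def attacker_controls_bounce(sender: Optional[str],
                             canonical_hosts=CANONICAL_HOSTS) -> bool:
    """True if a bounce of mail sent from this address would be delivered to
    a domain the site owner does not control."""
    if sender is None:
        return False
    domain = sender.split("@", 1)[1]
    return domain not in canonical_hosts and f"www.{domain}" not in canonical_hosts


if __name__ == "__main__":
    # Constructed requests: a normal one and one with a forged Host header.
    for req in ({"Host": "www.example.com"}, {"Host": "attacker.example"}):
        vuln = reset_sender_vulnerable(req)
        hard = reset_sender_hardened(req)
        print(req["Host"], "->", vuln, attacker_controls_bounce(vuln),
              "|", hard, attacker_controls_bounce(hard))
```

Whether a bounce actually reaches that domain also depends on the MTA using the From address as the envelope sender, which is the part of the PoC Mark's reply treats as an edge case; the allowlist removes the attacker's control over the domain regardless.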

IslandWoman May 16, 2017 at 12:20 pm • Reply

Not working for me. When I hover over the scan button a little icon appears and won't let me click.

Mark Maunder May 16, 2017 at 12:29 pm • Reply

Thanks. Can you send us a screenshot?

IslandWoman May 19, 2017 at 9:40 am • Reply

Here is a link to the screen shot.
http://irockproperties.com/wp-content/uploads/2017/05/gravity-scan-e1495211906817.jpg

Mark Maunder May 16, 2017 at 12:36 pm • Reply

Hi,

I chatted to our devs. It's likely you're getting a javascript error. If you use Chrome, please click on View > Developer > Javascript Console. Send us any error that appears in there.

Thanks.

Mark.

IslandWoman May 19, 2017 at 9:41 am • Reply

Actually I tried on, IE, Firefox and Chrome was the same on all three.

IslandWoman May 19, 2017 at 10:08 am • Reply

Hi Mark,
Here is an update.

I brought up the java console on Chrome via Ctrl + Shift + J and did not see any errors, however after I did that the issue resolved itself and I was able to click through on the scan button.

I did the same in IE and that cleared IE as well.

This process did not work in Firefox. Here is the java console report on firefox:
http://irockproperties.com/wp-content/uploads/2017/05/gravity-scan-jconsole-firefox.jpg

Mark Maunder May 22, 2017 at 9:24 pm • Reply

Thank you, I've shared this with the QA team.

Liz Schneider May 16, 2017 at 12:44 pm • Reply

I manage sites for about 18 clients, do I need to set up separate GravityScan accounts for each one? I just started with one client and created new login for him, though he has not received confirmation message or any next steps, it's been about 30 minutes.

Also, tried sending copy of report via your email dialog, it said "Sending" for a long time, and then error of Adapter Error showed up on screen.

Mark Maunder May 16, 2017 at 12:46 pm • Reply

Hi Liz,

You can bulk import sites via Google Analytics which should make things much easier!

Thanks for the bug report about sending the report copy. I'm filing that now.

Mark.

Artem Russakovskii May 16, 2017 at 1:10 pm • Reply

Hi Mark,

Just an observation on friction from someone who just arrived to the site and wanted a quick test.

Both urls I entered just say "This domain must be verified before starting a scan." and nothing else happens. This is terrible FTUE and will likely result in many people dropping off right away at that point.

Why even offer a url box if you need to verify first as if you can scan any site by just going to the page? At least without any instructions about how to verify, what to do next, etc.

I realize you probably need to sign up, verify each site, then run scans, but I'm just trying to help you view this situation through the eyes of a first-time visitor.

Mark Maunder May 16, 2017 at 11:00 pm • Reply

Thanks Artem. Your site receives higher traffic than normal. We have identified sites like that and have set gravityscan up so that you have to prove you own those sites before you can scan them. This is to protect you from someone who could use gravityscan to scan your sites for security holes.

Most people who use gravityscan don't get that experience. They can simply run a scan. So I've filed a bug to make that message more helpful. Thanks.

Artem Russakovskii May 16, 2017 at 1:15 pm • Reply

Hi again, Mark,

I wanted to whitelist Gravityscan in Cloudflare, as per your instructions here https://www.gravityscan.com/help/scan-settings/whitelisting-gravityscan/, but CF doesn't support /27 that you list in the post:

"68.64.48.0/27"
"Only an IPv4 range (CIDR) value of /16 or /24 is allowed for Access Rules"

http://i.imgur.com/h8WKslE.png

Mark Maunder May 16, 2017 at 1:21 pm • Reply

I think our docs actually say that and suggest to use a /24. I'll check that.

Just replace the /27 with /24. You will whitelist a few extra IP addresses. Unfortunately this is a problem with Cloudflare so I'd suggest contacting them if you would like them to change that.

Mark.

Artem Russakovskii May 16, 2017 at 1:24 pm • Reply

Looks like your docs here https://www.gravityscan.com/help/scan-settings/scanning-with-cloud-waf/ do specify that, but not here https://www.gravityscan.com/help/scan-settings/whitelisting-gravityscan/.

Mark Maunder May 16, 2017 at 10:53 pm • Reply

Thanks Artem, fixing that now.

Oliver May 16, 2017 at 6:01 pm • Reply

Great again! Thank you very much.

Just some feedback for the current Wordfence version:

I had to whitelist Gravityscan in Wordfence to make it work ( 68.64.48.[0-31] ).

Wordfence then found the gravityscan agent file and suggested to check it as it is not a WP file and might contain malicious executable code.

Mark Maunder May 16, 2017 at 10:53 pm • Reply

Thanks Oliver.

Jasper Frumau May 16, 2017 at 9:35 pm • Reply

Just tested my site and had a few critical issues referring to directories, not files. Directories such as wp-includes/js, wp-includes/css and wp-content/uploads. Not useful to pinpoint issues, nor could I find issues there myself. Perhaps a file like GeoIP.dat set off the alarm in uploads, not sure. Inside wp-includes I did not see anything malicious at all. Perhaps old version JS and CSS files triggered things as my WordPress site has been around for ages. But will check things some more at a later stage to be sure. It also found http://bit.ly/getsizebug1 inside my WP Rocket cached js file, and stated it was malicious and it isn't. It refers to a Firefox bug in a Github repo.

Mark Maunder May 16, 2017 at 10:52 pm • Reply

Thanks, have logged these with the team. This is the second report we've received of gravityscan pointing to dirs instead of files.

John-Pierre Cornelissen May 17, 2017 at 4:47 am • Reply

Hi, so gravityscan says my IP is blacklisted on JustSpam.org.

I wonder how trustworthy this blacklist is. It looks like this website is not being maintained. The copyright in the footer says 2011, there is no contact information to be found and when I try to unlist it there, I get this:

Your IP xxx.xxx.xxx.xxx is not listed by other well-known blacklists.
To remove it from dnsbl.justspam.org fill the captcha to get your delistinglink.
Couldn't connect to server

So it doesn't display a captcha and I can't unlist and since there is not contact info I can't report it to them.

I tried to send an email to info@JustSpam.org + to the registrants e-mail address (which is a yahoo address) and both are bounced.

So is JustSpam.org a real blacklist that is still in use?

Also, is it an idea to not have to install the accelerator when the website already runs WordFence?

Thanks
John-Pierre

Mark Maunder May 17, 2017 at 9:53 am • Reply

We removed JustSpam John, based on user feedback. It has no removal process so we yanked them. Thanks for your feedback. Problem solved.

John-Pierre Cornelissen May 17, 2017 at 12:12 pm • Reply

Thanks! What about the idea to not have to install the accelerator when the website already runs WordFence?

Mark Maunder May 17, 2017 at 2:10 pm • Reply

We may implement something like that in future. Either provide the ability to install Accelerator via the Wordfence UI, or build Accelerator into Wordfence.

Dave May 17, 2017 at 6:50 am • Reply

Me again!

Two things....

1) It looks like the scan is checking my entire multisite (as you might expect). Would you advise scanning every domain still in case there is a problem with a file that isn't common?

2) I couldn't authorise with GA yesterday. PHP file was fine though.

Thanks

Dave May 17, 2017 at 6:56 am • Reply

Also got a weird issue with Elegant Themes - Bloom:

https://www.dropbox.com/s/amgmf737ltgxdjb/bloom.png?dl=0

It's giving three errors for the plugin saying update it. These weren't there yesterday. Strange thing is the suggested upgrade versions are all different (1.2.4, 1.2.7 and 2.6.4) and the plugin is up to date?

Any ideas?

Mark Maunder May 17, 2017 at 9:50 am • Reply

Thanks, have passed this on.

dave.curtis@1hq.co.uk May 18, 2017 at 1:58 am • Reply

The recommended plugin version numbers reflect the version numbers of Divi/Extra/another ET plugin at the time of the security problem found 2 years ago or whenever it was.

Mark Maunder May 17, 2017 at 9:51 am • Reply

Thanks Dave. Gravity doesn't work that well with Multi-site currently although it does provide basic scanning. We're working on that.

GA error messages will be more descriptive after a release later today. That will help you diagnose the issue.

Mark.

Chris May 17, 2017 at 7:25 am • Reply

Hello,

Great tool! Quick question though, it keeps returning several errors on my site that says something like this:

Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
Description: Vulnerability found in WordPress. Upgrade to at least version 4.7.2.

However, we're on the most current version of Wordpress, but it keeps pointing to my /readme.html file. I'm a little confused on why it's saying we're on a lower version of Wordpress when we're really not on the most current?

Thanks,

Chris-

Mark Maunder May 17, 2017 at 9:49 am • Reply

Thanks Chris, passing this on.

Mark Holtom May 17, 2017 at 7:42 am • Reply

I applaud your intentions and release of Gravity scan. Thank you.

Having said this, I have had three problems in using it.
a) it (incorrectly) recognises my Engage themes plugins as being out of date, and vulnerable to Privilege escalation. They are the latest version.
b) even when cloudflare has your IPs whitelisted, it still says blocked.
c) even when I have successfully uploaded the verify php file and checked it, verify says there is an error.

Finally I communicated all of this to your guys through the gravity contact page and have received no response or even acknowledgement - so I am trying here.

My guess is that this is just teething for a new product, but not sorting these things out will not help. Can you help?

Regards,

Mark Holtom

Mark Maunder May 17, 2017 at 9:49 am • Reply

Thanks Mark. We very much appreciate you using the contact page. That has created a ticket. Our CS team is prioritizing fixes and making sure they happen. We're aware of the issues you've raised and they're in the queue. We aren't able to respond to all tickets immediately so my apologies for that.

Mark.

Mary May 18, 2017 at 6:27 am • Reply

I scanned my site yesterday at 5:50 pm EST and it came up with 4 critical issues all involving the following FILES:

/wp-includes/js/
/wp-content/uploads/2016/05/
/wp-content/uploads/
/wp-includes/css

It turns out these are really DIRECTORIES - based on a comment above as well as checking with another source ... are these things that are really critical and I need to check out and how? I'm not sure where to go from here and/or if there is any issue at all.

Mark Maunder May 18, 2017 at 9:49 am • Reply

This has been fixed. It was a bug. The fix now makes it clear we are pointing out that your site is allowing directory listing. Please try your scan again.

Mary May 20, 2017 at 3:56 pm • Reply

Many thanks for you help and work!
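The finding Mark clarifies above (the scanner reporting a directory rather than a file because the web server returns an index of that directory) can be reproduced locally. The Python below is an added example, not Gravityscan's detection logic: it recognises the listing pages that Apache `mod_autoindex` and nginx `autoindex` emit, and guards against a normal page that merely has "Index of" in a heading. The HTML samples are constructed, not real scan output.

```python
"""Detect a web-server directory listing in an HTTP response body.

Added example; not the scanner's own check. Apache mod_autoindex emits
<title>Index of /path</title> plus a "Parent Directory" link, nginx autoindex
emits <h1>Index of /path</h1> plus a "../" link, so the check requires both
the heading and the parent link before it reports a listing.
"""
import re
from typing import Iterable, List, Tuple

_TITLE_RE = re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.I)
_H1_RE = re.compile(r"<h1>\s*Index of\s+(/[^<]*)</h1>", re.I)
_PARENT_LINK_RE = re.compile(
    r'href="(\.\./|/[^"]*)"[^>]*>\s*(Parent Directory|\.\./)', re.I)


def is_directory_listing(status: int, body: str) -> bool:
    """True if the response looks like an autoindex page (HTTP 200 with an
    'Index of' heading and a link back to the parent directory)."""
    if status != 200:
        return False
    if not (_TITLE_RE.search(body) or _H1_RE.search(body)):
        return False
    return _PARENT_LINK_RE.search(body) is not None


def listable_paths(responses: Iterable[Tuple[str, int, str]]) -> List[str]:
    """Given (path, status, body) triples, return the paths that are listable."""
    return [path for path, status, body in responses
            if is_directory_listing(status, body)]


# Constructed samples, not captured from any real site.
APACHE_LISTING = """<html><head><title>Index of /wp-includes/js</title></head>
<body><h1>Index of /wp-includes/js</h1>
<a href="/wp-includes/">Parent Directory</a>
<a href="jquery/">jquery/</a></body></html>"""

NGINX_LISTING = """<html><head><title>Index of /wp-content/uploads/</title></head>
<body><h1>Index of /wp-content/uploads/</h1><hr><pre><a href="../">../</a>
<a href="2016/">2016/</a></pre></body></html>"""

# A normal page whose heading happens to start with "Index of" (no parent link).
NORMAL_PAGE = ("<html><head><title>My blog</title></head>"
               "<body><h1>Index of /posts</h1>hello</body></html>")

if __name__ == "__main__":
    # Typical WordPress directories worth probing, paired with sample bodies.
    probes = [("/wp-includes/js/", 200, APACHE_LISTING),
              ("/wp-content/uploads/", 200, NGINX_LISTING),
              ("/", 200, NORMAL_PAGE),
              ("/wp-includes/css/", 403, APACHE_LISTING)]
    print(listable_paths(probes))
```

To turn the listing off, Apache takes `Options -Indexes` in the site config or `.htaccess`, and nginx `autoindex off;` in the relevant `location` block; re-running the probe afterwards should return an empty list.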

Susie May 18, 2017 at 8:26 am • Reply

Thanks for all you do to keep our websites safe! How is this different from Wordfence? I'm currently using the free version. Does Gravityscan offer additional service? Thanks again.

IslandWoman May 19, 2017 at 10:09 am • Reply

So is GravityScan different than the scan with the plugin? Or is GravityScan now incorporated in the plugin daily scan?

Mark Maunder May 22, 2017 at 9:23 pm • Reply

Gravityscan is a separate product. When you perform a Wordfence scan it does not include a scan by Gravityscan.

Mark.

Ian May 23, 2017 at 4:06 pm • Reply

Hi Mark.

Wordfence is reporting that the Gravityscan Accelerator file may contain malicious executable code: gravityscan-agent-XXXXXXXXXXXXXX.php when HIGH SENSITIVITY scanning is enabled.

Your dev team might want to add these as safe files to the WF filter otherwise website owners might think there is an issue with it.

"This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'base64_decode(' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives."

I know I can ignore it within my own website, however many other users of both Wordfence and Gravityscan could be seeing the same warnings and if managed by several people, it could get deleted by accident, or people think they have been hacked.

Cheers, Ian

Mark Maunder May 23, 2017 at 9:14 pm • Reply

Thanks Ian. We're aware of this issue and it will be fixed this week.

Mark.

LisaLisa June 2, 2017 at 5:04 am • Reply

GravityScan noted that my "sites" have been blacklisted by McAfee, SpamHaus, abuseat, etc, due to the overall IP's being . So when I got more info, I contacted my hosting provider since it is ANOTHER domain that is causing the problem and asked them to correct the issue per the report. My hosting provider states that they are "not responsible for content on hosted websites" and are not obligated to fix the problem. Great. So the rest of us get "blacklisted" via the overall IP/server that we are sharing hosting together on...not great. Or maybe it doesn't matter if my sites are blacklisted? My sites are hobby sites anyway so don't need fancy $$$ hosting, but do need secure hosting which, silly me, I was expecting already. Not sure what Wordfence/GravityScan can do to help since my sites (domains) are not the ones spewing spam. And yes, Wordfence is installed on my sites.
