• Resolved mathieg2

    (@mathieg2)


    I’ve just found a hacker using the easy smtp debug log as part of a scheme to reset the admin password on one of my sites. How do I contact the developer to ask them to update an .htaccess file to prevent this from happening? Luckily I had 2FA switched on to prevent them from getting any further.

    I’ve fixed my own site, but something tells me that these attacks are not random and other users might be affected.

    Graeme

Viewing 15 replies - 1 through 15 (of 24 total)
  • We are seeing it as well. We have a rule to disable access to the debug log server wide.

    I tried to use the form on their website but it was not loading.

    Hi, I have submitted a message to the developers to investigate your findings further.

    Thank you

    Hi, the log of this plugin can only be viewed by an admin user. It can’t be accessed unless you are logged into the site as an admin user. You can copy the log URL into a browser where you are not logged into the site and you will see what I mean. So I am not sure how someone random can see the content of the log file to begin with. Maybe you have another plugin on this site which also has a log file and that one is visible?

    I would like to investigate this so I have a better idea of what is happening. Can you please give more details as to how it is being used so I can investigate this?

    Thread Starter mathieg2

    (@mathieg2)

    I found an additional issue on my server – it was missing Options -Indexes. Now fixed. But once the user knew the URL of the debug log they could download it directly, i.e. https://mysite.com/wp-content/plugins/easy…/debugAGHHfT.txt

    The exact url is different but you get the picture.

    Graeme

    I just encountered the same problem. As far as I can tell, the very first thing the hacker/bot did was access the Easy WP SMTP plugin. Then they seemed to know the exact filename for the debug log — and I checked: I can access that txt file directly from any browser without first logging into my WordPress admin account.

    They then tried to find out my username using a couple of tricks which don’t work on my site (I’ve made the necessary modifications to counter those tricks a while back).

    After that, they issued what looks like a “reset password” command using my WordPress username and a very specific 20-character key (not sure yet where the key came from), followed by a few attempts on the same URL but without the key or username. Then they came back and it looks like they managed to 1) enter the WordPress admin interface, 2) upload a malware plugin to my site (“Three column screen layout”, in a folder with a random-looking name), 3) execute it and 4) access the Easy WP SMTP settings page.

    This all came from different IP addresses, but note the user agent string with the same spelling mistakes in it (“Mozlila”, etc.).

    Here are the relevant entries from my access log (I’ve used curly braces to indicate information I’ve removed):

    212.227.174.234 – – [06/Dec/2020:06:55:42 -0800] “GET {Easy WP SMTP plugin folder} HTTP/1.1” 200 4531 “google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    41.230.236.11 – – [06/Dec/2020:10:25:40 -0800] “GET {Easy WP SMTP plugin folder with a couple of request parameters — I can email them to you} HTTP/1.1” 200 4714 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    41.230.236.11 – – [06/Dec/2020:10:26:15 -0800] “GET /wp-json/wp/v2/users/1 HTTP/1.1” 404 4901 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    41.230.236.11 – – [06/Dec/2020:10:26:51 -0800] “GET /?author=1 HTTP/1.1” 301 4432 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    41.230.236.11 – – [06/Dec/2020:10:27:22 -0800] “GET {precise URL of the Easy WP SMTP debug log} HTTP/1.1” 200 35009 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    41.230.236.11 – – [06/Dec/2020:10:28:04 -0800] “POST /wp-login.php?action=lostpassword HTTP/1.1” 302 4538 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    41.230.236.11 – – [06/Dec/2020:10:28:47 -0800] “GET /wp-login.php?action=lostpassword HTTP/1.1” 200 5705 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    41.230.236.11 – – [06/Dec/2020:10:29:20 -0800] “GET {precise URL of the Easy WP SMTP debug log} HTTP/1.1” 200 35299 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    41.230.236.11 – – [06/Dec/2020:11:01:34 -0800] “GET /wp-login.php?action=rp&key={20-character key}&login={my WordPress username}%0D HTTP/1.1” 302 4657 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    41.230.236.11 – – [06/Dec/2020:11:01:36 -0800] “GET /wp-login.php?action=rp HTTP/1.1” 200 3423 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”

    {some redundant lines here}

    20.62.40.13 – – [06/Dec/2020:12:38:44 -0800] “GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1” 200 13209 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    20.62.40.13 – – [06/Dec/2020:12:38:47 -0800] “POST /wp-admin/update.php?action=upload-plugin HTTP/1.1” 200 8948 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    20.62.40.13 – – [06/Dec/2020:12:38:49 -0800] “POST /wp-admin/update.php?action=upload-plugin HTTP/1.1” 403 3173 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    20.62.40.13 – – [06/Dec/2020:12:38:50 -0800] “GET /wp-content/plugins/qbfchs/mini.php?x=ooo HTTP/1.1” 200 4125 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    20.62.40.13 – – [06/Dec/2020:12:38:51 -0800] “GET {URL of Easy WP SMTP settings page} HTTP/1.1” 200 13402 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    20.62.40.13 – – [06/Dec/2020:12:38:51 -0800] “POST {URL of Easy WP SMTP settings page} HTTP/1.1” 200 1523 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
    20.62.40.13 – – [06/Dec/2020:13:10:03 -0800] “GET {Easy WP SMTP plugin folder with the same request parameters as before}” 200 4483 “www.google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”

    • This reply was modified 3 years, 11 months ago by burkingman.
    Thread Starter mathieg2

    (@mathieg2)

    I just checked my logs: 212.227.174.234 is also the same ip address that is accessing my site.

    It looks like you have the same issue as me with your server config, as the user got a 200 return code:

    212.227.174.234 – – [06/Dec/2020:06:55:42 -0800] “GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1” 200 4531 “google.com” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”

    if you update the .htaccess in the root of your site to add a line:

    Options -Indexes

    then that will stop them from getting a directory of the plugin folder – which tells them the exact name of the debug file unfortunately.

    Thread Starter mathieg2

    (@mathieg2)

    This is what they are getting from my site now:

    [Mon Dec 07 00:37:24.677270 2020] [autoindex:error] [pid 2138265] [client 212.227.174.234:61985] AH01276: Cannot serve directory /var/www/xxxxxx/wp-content/plugins/easy-wp-smtp/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive, referer: https://www.google.com

    Thank you. We are going to investigate this more but right now we have added empty “index.html” files to the folders of this plugin to make sure someone cannot browse to the folder to view the files (even if options indexes is missing). Please upgrade to v1.4.3.

    Thanks a lot to @mathieg2 for that .htaccess Options trick. Feels like I should have known that already; still, better late than never.

    Thanks also to @wpinsider-1 for providing a security upgrade so quickly. I’m keeping my debug log deactivated for now: I noticed if I reactivate it, it gets created under the same filename as before, so the hacker could access it again since they already know the URL. As a workaround, I may modify the log filename in the WordPress database, but I wonder: could it be helpful, in future versions of the plugin, if a new log filename was generated whenever the debug log is reactivated? I hadn’t realized how much sensitive information goes through that log (since my first post, I figured out precisely how the hacker managed to take over my account)…

    Hi @mathieg2 and @burkingman.

    Does your SMTP server show your email password in the plugin’s debug log file? For example, my SMTP server displays credentials in the log like this:

    CLIENT -> SERVER: AUTH LOGIN
    CLIENT -> SERVER: [credentials hidden]
    CLIENT -> SERVER: [credentials hidden]

    These [credentials hidden] parts weren’t replaced by me just now, this is how the server actually sends those to debug log.

    What about your logs?

    Thread Starter mathieg2

    (@mathieg2)

    Ok – now that the index.html files are in place, I will explain the hack.

    There is one additional file I’d like you to deploy in the plugin directory:

    .htaccess:

    <Files "*.txt">
    Require all denied
    </Files>

    What the hacker was doing was finding all the users who have your plugin installed via some sort of search engine – or perhaps just all the users who have wordpress.

    They were then navigating to your plugin directory and getting a list of the files in that directory – one of which was the debug file.

    Somehow they worked out the username of one of the admin accounts on the site and performed a password reset on that account through the user interface.

    They then downloaded the debug file and used the link from the password reset email to reset the admin password on the site.

    Luckily I have 2FA on my account so the user was prevented from logging in – even with the reset password – but it could have been much worse – and for a few users, I would imagine they have a bit of a clean up operation ahead of them.

    Graeme
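The chain Graeme describes above (directory listing of the plugin folder, direct download of the debug log, password-reset request, then use of the reset key) is visible in the access log entries burkingman quoted. As an added example that is not from the thread or the plugin, the script below runs that sequence check over constructed log lines modelled on those entries; the file name `debug-EXAMPLE.txt`, the key `EXAMPLEKEY` and the benign IP 203.0.113.5 are placeholders. Once `Options -Indexes` and the `<Files>` deny rule are in place those requests return 403 and are no longer counted.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the entries quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PLUGIN_DIR = "/wp-content/plugins/easy-wp-smtp/"

def classify(method, path, status):
    """Map one request to a stage of the debug-log password-reset chain, or None."""
    # Reads of plugin files only count when the server actually served them (200).
    if status != 200 and not path.startswith("/wp-login.php"):
        return None
    if method == "GET" and path == PLUGIN_DIR:
        return "listing"        # directory index of the plugin folder was served
    if method == "GET" and path.startswith(PLUGIN_DIR) and path.endswith(".txt"):
        return "log_read"       # debug log fetched directly, without a WP login
    if method == "POST" and path.startswith("/wp-login.php?action=lostpassword"):
        return "reset_request"  # reset mail triggered for a guessed username
    if method == "GET" and path.startswith("/wp-login.php?action=rp&key="):
        return "reset_use"      # reset key used; it came from the mail in the log
    return None

def find_chains(lines):
    """Return {ip: [stages]} for clients that read the log and later used a reset key."""
    stages = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        stage = classify(m["method"], m["path"], int(m["status"]))
        if stage:
            stages[m["ip"]].append(stage)
    return {ip: s for ip, s in stages.items()
            if "log_read" in s and "reset_use" in s
            and s.index("log_read") < s.index("reset_use")}

SAMPLE_LOG = [  # constructed sample, modelled on the entries quoted in this thread
    '41.230.236.11 - - [06/Dec/2020:10:25:40 -0800] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 4714 "www.google.com" "Mozlila/5.0"',
    '41.230.236.11 - - [06/Dec/2020:10:27:22 -0800] "GET /wp-content/plugins/easy-wp-smtp/debug-EXAMPLE.txt HTTP/1.1" 200 35009 "www.google.com" "Mozlila/5.0"',
    '41.230.236.11 - - [06/Dec/2020:10:28:04 -0800] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 4538 "www.google.com" "Mozlila/5.0"',
    '41.230.236.11 - - [06/Dec/2020:11:01:34 -0800] "GET /wp-login.php?action=rp&key=EXAMPLEKEY&login=admin%0D HTTP/1.1" 302 4657 "www.google.com" "Mozlila/5.0"',
    '203.0.113.5 - - [06/Dec/2020:11:05:00 -0800] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 5705 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, seq in find_chains(SAMPLE_LOG).items():
        print(f"{ip}: {' -> '.join(seq)}")
```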

    Thread Starter mathieg2

    (@mathieg2)

    EHLO mydomain.co.uk
    CLIENT -> SERVER: AUTH LOGIN
    CLIENT -> SERVER: [credentials hidden]
    CLIENT -> SERVER: [credentials hidden]
    CLIENT -> SERVER: MAIL FROM:

    Thank you for your detailed explanation, Graeme!

    So, in fact, the reason they found the debug log file is that directory listing was allowed by your server config, correct? If this is the case, I don’t think the plugin is the one to blame here, as it just does its job. The debug log is disabled by default, so if you instructed it to enable it, it just did it. If you had directory listing disabled, hackers would have had a very difficult time trying to access your debug log.

    We will discuss this with our team and think about what could be done here from our side, but personally I don’t see this being the plugin’s fault. It does SMTP-related stuff, not server config-related stuff.

    Once again, thank you for your report and detailed explanations!

    Thread Starter mathieg2

    (@mathieg2)

    Hi Alexander,

    I’d still recommend including this in the plugin’s zip, as every time I update your plugin, this file is being deleted. Also, if someone else’s plugin goes rogue and exposes the directory listing, this .htaccess file would give some level of protection.

    I’m not worried about myself – I make mistakes sometimes and know how to fix them. I’m more worried about your other users that might hit this issue and not know what to do about it. I don’t know if it’s possible to include .htaccess files in a plugin, so please tell me if I’m getting it wrong so I can read up on how to do this in the Apache configuration files.

    .htaccess:

    <Files "*.txt">
    Require all denied
    </Files>

    • This reply was modified 3 years, 11 months ago by mathieg2.

    Ah, that is a very good suggestion! At first I assumed you offered to change WP’s .htaccess file. But shipping an .htaccess file that would only work in the plugin’s directory is a much better idea! Though some server configs might disallow per-directory .htaccess usage (and some servers like Nginx don’t process .htaccess files at all), this is still better than nothing.

    We will definitely add this to the upcoming add-on release. Thank you!

  • The topic ‘Security Issue with debug log’ is closed to new replies.