Security Issue with debug log

  • Resolved mathieg2

    (@mathieg2)


    3 years, 11 months ago

    I’ve just found a hacker using the easy smtp debug log as part of a scheme to reset the admin password on one of my sites. How do I contact the developer to ask them to update an .htaccess file to prevent this from happening? Luckily I had 2FA switched on to prevent them from getting any further.

    I’ve fixed my own site, but something tells me that these attacks are not random and other users might be affected.

    Graeme

Viewing 9 replies - 16 through 24 (of 24 total)

  • Another option would be to store the log file as a hidden file (dot file), then use a php script that reads the file and confirms that the user is logged in before displaying the file. This has the added advantage of working with most default nginx installs.

    Thank you for your input, Joshua. This indeed would prevent the file from showing among other files when directory listing is enabled in server config (at least with default settings). It won’t prevent direct access to the file though (when the file name is already known).

    @alexanderfoxc: To answer your question… I’m not sure what my debug log looked like. I updated the plugin immediately after noticing the hack and lost the old log. I tested afterwards and did see “[credentials hidden]” in the log. That’s probably how it was in the old log. Fortunately, I’d updated all my plugins not that long ago so I was running a fairly recent version.

    Glad to know how the hack happened. Obviously, a combination of factors were involved. A default WordPress install isn’t that secure and a number of users probably don’t do much to harden their site: with that in mind, anything that can be done to make the plugin more secure will certainly be helpful. Glad to see some good ideas being brought up, and a quick response from the devs.

    Gentlemen, here’s what we came to after discussion with our team:

    1. Move debug log to logs folder. The folder will have .htaccess file that prevents access to *.txt files. This should prevent direct log file access via browser.

    2. Debug log will be reset on plugin activation and deactivation. New file name would be generated as well during the above events (also during plugin update).

    3. Debug log file name will start with . (to make it hidden on Linux-like systems). This is additional method to prevent it from displaying in folder when directory listing is not disallowed in server config.

    I have put up testing version with above changes. You can download it here: https://github.com/Arsenal21/easy-wp-smtp/releases/download/1.4.4t1/easy-wp-smtp_1.4.4t1.zip

    Please let me know if there are any issues with it.

    The new version has been released with the changes mentioned above.

    • This reply was modified 3 years, 11 months ago by wp.insider.

    Hi all,
    hope everyone’s good with the solutions now.
    My server was reacting very slowly so I checked the access logs which pointed me to the same issue with said plugin.
    Since my wordpress is offline for some years now, I just backed everything up and deleted all wp files from my server. I just use my ftp for data transfer.

    Just wanted to ask if I should be fine now, by deleting the files or should I change passwords as well?
    Thanks for your advise and sharing.

    Just resetting the log file should be good enough (if you were using it). Change the password also for complete peace of mind.

    ok. thanks for the fast reply.

    Thread Starter mathieg2

    (@mathieg2)

    If the hacker has got into your control panel, they may have made changes to the data in WordPress database. So if you have a database backup that you can go back to, it would be safer to revert that too.

Viewing 9 replies - 16 through 24 (of 24 total)
  • The topic ‘Security Issue with debug log’ is closed to new replies.