mathieg2
Forum Replies Created
Depending on your email provider, you might be able to find the emails in your sent items folder if you log into your account directly.
Graeme
If the hacker has got into your control panel, they may have made changes to the data in the WordPress database. So if you have a database backup that you can go back to, it would be safer to revert that too.
Hi Alexander,
I’d still recommend including this in the plugin’s zip, as every time I update your plugin, this file is being deleted. Also if someone else’s plugin goes rogue and exposes the directory listing, this .htaccess file would give some level of protection.
I’m not worried about myself – I make mistakes sometimes and know how to fix them. I’m more worried about your other users that might hit this issue and not know what to do about it. I don’t know if it’s possible to include .htaccess files in a plugin, so please tell me if I’m getting it wrong so I can read up on how to do this in the Apache configuration files.
.htaccess:
<Files "*.txt">
Require all denied
</Files>
EHLO mydomain.co.uk
CLIENT -> SERVER: AUTH LOGIN
CLIENT -> SERVER: [credentials hidden]
CLIENT -> SERVER: [credentials hidden]
CLIENT -> SERVER: MAIL FROM:
Ok – now that the index.html files are in place, I will explain the hack.
There is one additional file I’d like you to deploy in the plugin directory:
.htaccess:
<Files "*.txt">
Require all denied
</Files>
What the hacker was doing was finding all the users who have your plugin installed via some sort of search engine – or perhaps just all the users who have WordPress.
They were then navigating to your plugin directory and getting a list of the files in that directory – one of which was the debug file.
Somehow they worked out the username of one of the admin accounts on the site and performed a password reset on that account through the user interface.
They then downloaded the debug file and used the link from the password reset email recorded in it to reset the admin password on the site.
Luckily I have 2FA on my account, so the user was prevented from logging in even with the reset password, but it could have been much worse, and I would imagine a few users have a bit of a clean-up operation ahead of them.
Graeme
This is what they are getting from my site now:
[Mon Dec 07 00:37:24.677270 2020] [autoindex:error] [pid 2138265] [client 212.227.174.234:61985] AH01276: Cannot serve directory /var/www/xxxxxx/wp-content/plugins/easy-wp-smtp/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive, referer: https://www.google.com
I just checked my logs: 212.227.174.234 is also the same ip address that is accessing my site.
It looks like you have the same issue as me with your server config, as the user got a 200 return code:
212.227.174.234 - - [06/Dec/2020:06:55:42 -0800] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 4531 "google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
if you update the .htaccess in the root of your site to add a line:
Options -Indexes
then that will stop them from getting a directory of the plugin folder – which tells them the exact name of the debug file unfortunately.
I found an additional issue on my server – it was missing Options -Indexes. Now fixed. But once the user knew the URL of the debug log they could download it directly, i.e. https://mysite.com/wp-content/plugins/easy…/debugAGHHfT.txt
The exact url is different but you get the picture.
Graeme
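The chain described in the posts above (directory listing of the plugin folder, download of the debug log, password reset via the link captured in it) leaves a recognisable trail in the Apache access log. The script below is an added example, not code from the plugin or from the original posts: it parses combined-format access log lines, flags a 200 on a bare /wp-content/plugins/<name>/ directory, a 200 on any .txt under a plugin directory (with files whose name starts with "debug" treated as the serious case), and a POST to the lost-password form, then correlates those per client IP. The log lines embedded in it are constructed for the example (documentation IP addresses, an invented debug file name), and the finding names are the script's own.

```python
"""Detect the exposure chain from the thread (directory listing -> debug log ->
password-reset link) in Apache combined-format access logs.

Added example, not code from the plugin or the original posts. The sample log
lines are constructed: the IPs are documentation addresses and the debug file
name is invented.
"""
import re
from collections import defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PLUGIN_DIR_RE = re.compile(r'^/wp-content/plugins/[^/]+/$')
PLUGIN_TXT_RE = re.compile(r'^/wp-content/plugins/[^/]+/(?P<name>[^/?]+\.txt)(\?.*)?$')
LOSTPASSWORD_RE = re.compile(r'^/wp-login\.php\?action=lostpassword')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a finding name for one parsed request, or None if it is uninteresting."""
    path, status = entry["path"], entry["status"]
    # A 200 on the bare plugin directory: a listing was served (or an index file
    # exists; with Options -Indexes and no index file this would be a 403).
    if PLUGIN_DIR_RE.match(path) and status == 200:
        return "plugin_dir_200"
    # A .txt under a plugin directory was served; the <Files "*.txt"> deny in the
    # thread would turn this into a 403. readme.txt is normal plugin content, so
    # only files whose name starts with "debug" are treated as the log itself.
    m = PLUGIN_TXT_RE.match(path)
    if m and status == 200:
        return "debug_log_served" if m.group("name").lower().startswith("debug") else "txt_served"
    if LOSTPASSWORD_RE.match(path) and entry["method"] == "POST":
        return "password_reset_request"
    return None


def analyze(log_text):
    """Map each client IP to its set of findings. When one IP both pulled a debug
    log and requested a password reset, add 'reset_link_theft_chain'."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings[entry["ip"]].add(finding)
    for fs in findings.values():
        if {"debug_log_served", "password_reset_request"} <= fs:
            fs.add("reset_link_theft_chain")
    return dict(findings)


# Constructed sample log (not from the original post). 203.0.113.5 runs the full
# chain; 198.51.100.9 hits a hardened server and gets 403s; 192.0.2.7 only reads
# the plugin's readme.txt.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [06/Dec/2020:06:55:42 -0800] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 4531 "google.com" "Mozilla/5.0 (Linux; Android 7.0)"
203.0.113.5 - - [06/Dec/2020:06:56:30 -0800] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Linux; Android 7.0)"
203.0.113.5 - - [06/Dec/2020:06:57:01 -0800] "GET /wp-content/plugins/easy-wp-smtp/debugXYZ123.txt HTTP/1.1" 200 18233 "-" "Mozilla/5.0 (Linux; Android 7.0)"
198.51.100.9 - - [06/Dec/2020:07:10:00 -0800] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.9 - - [06/Dec/2020:07:10:05 -0800] "GET /wp-content/plugins/easy-wp-smtp/debugXYZ123.txt HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.7 - - [06/Dec/2020:07:20:00 -0800] "GET /wp-content/plugins/easy-wp-smtp/readme.txt HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, fs in sorted(analyze(SAMPLE_ACCESS_LOG).items()):
        print(ip, sorted(fs))
```

Run it against a real access log with `analyze(open("access.log").read())`; an IP that shows `reset_link_theft_chain` is one whose password reset should be treated as attacker-initiated, and any `plugin_dir_200` after the index.html and Options -Indexes fixes are in place is worth a second look at the server config.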