Title: Security Issue with debug log
Last modified: December 6, 2020

---

# Security Issue with debug log

 *  Resolved [mathieg2](https://wordpress.org/support/users/mathieg2/)
 * (@mathieg2)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/)
 * I’ve just found a hacker using the easy smtp debug log as part of a scheme to
   reset the admin password on one of my sites. How do I contact the developer to
   ask them to update an .htaccess file to prevent this from happening? Luckily 
   I had 2FA switched on to prevent them from getting any further.
 * I’ve fixed my own site, but something tells me that these attacks are not random
   and other users might be affected.
 * Graeme

Viewing 15 replies - 1 through 15 (of 24 total)

 *  [Joshua Knapp](https://wordpress.org/support/users/shadowdao/)
 * (@shadowdao)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13752018)
 * We are seeing it as well. We have a rule to disable access to the debug log server
   wide.
 * I tried to use the form on their website but it was not loading.
 *  [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13752166)
 * Hi, I have submitted a message to the developers to investigate further your 
   findings.
 * Thank you
 *  [wp.insider](https://wordpress.org/support/users/wpinsider-1/)
 * (@wpinsider-1)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13752236)
 * Hi, The log of this plugin can only be viewed by an admin user. It can’t be accessed
   unless you are logged into the site as an admin user. You can copy the log URL
   into the browser where you are not logged into the site and you will see what
   I mean. So I am not sure how someone random can see the content of the log file
   to begin with. Maybe you have another plugin on this site which also has a log
   file and that one is visible?
 * I would like to investigate this so I have a better idea of what is happening.
   Can you please give more details as to how it is being used so I can investigate
   this?
 *  Thread Starter [mathieg2](https://wordpress.org/support/users/mathieg2/)
 * (@mathieg2)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13752307)
 * I found an additional issue on my server – it was missing Options -Indexes. Now
   fixed. But once the user knew the URL of the debug log they could download it
   directly. i.e. [https://mysite.com/wp-content/plugins/easy…/debugAGHHfT.txt](https://mysite.com/wp-content/plugins/easy…/debugAGHHfT.txt)
 * The exact url is different but you get the picture.
 * Graeme
 *  [burkingman](https://wordpress.org/support/users/burkingman/)
 * (@burkingman)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13752329)
 * I just encountered the same problem. As far as I can tell, the very first thing
   the hacker/bot did was access the Easy WP SMTP plugin. Then they seemed to know
   the exact filename for the debug log — and I checked: I can access that txt file
   directly from any browser without first logging into my WordPress admin account.
 * They then tried to find out my username using a couple of tricks which don’t 
   work on my site (I’ve made the necessary modifications to counter those tricks
   a while back).
 * After that, they issued what looks like a “reset password” command using my WordPress
   username and a very specific 20-character key (not sure yet where the key came
   from), followed by a few attempts on the same URL but without the key or username.
   Then they came back and it looks like they managed to 1) enter the WordPress 
   admin interface, 2) upload a malware plugin to my site (“Three column screen 
   layout”, in a folder with a random-looking name), 3) execute it and 4) access
   the Easy WP SMTP settings page.
 * This all came from different IP addresses, but note the user agent string with
   the same spelling mistakes in it (“Mozlila”, etc.).
 * Here are the relevant entries from my access log (I’ve used curly braces to indicate
   information I’ve removed):
 *     ```
       212.227.174.234 - - [06/Dec/2020:06:55:42 -0800] "GET {Easy WP SMTP plugin folder} HTTP/1.1" 200 4531 "google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       41.230.236.11 - - [06/Dec/2020:10:25:40 -0800] "GET {Easy WP SMTP plugin folder with a couple of request parameters — I can email them to you} HTTP/1.1" 200 4714 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       41.230.236.11 - - [06/Dec/2020:10:26:15 -0800] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 404 4901 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       41.230.236.11 - - [06/Dec/2020:10:26:51 -0800] "GET /?author=1 HTTP/1.1" 301 4432 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       41.230.236.11 - - [06/Dec/2020:10:27:22 -0800] "GET {precise URL of the Easy WP SMTP debug log} HTTP/1.1" 200 35009 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       41.230.236.11 - - [06/Dec/2020:10:28:04 -0800] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 4538 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       41.230.236.11 - - [06/Dec/2020:10:28:47 -0800] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 5705 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       41.230.236.11 - - [06/Dec/2020:10:29:20 -0800] "GET {precise URL of the Easy WP SMTP debug log} HTTP/1.1" 200 35299 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       41.230.236.11 - - [06/Dec/2020:11:01:34 -0800] "GET /wp-login.php?action=rp&key={20-character key}&login={my WordPress username}%0D HTTP/1.1" 302 4657 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       41.230.236.11 - - [06/Dec/2020:11:01:36 -0800] "GET /wp-login.php?action=rp HTTP/1.1" 200 3423 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       ```
 * {some redundant lines here}
 *     ```
       20.62.40.13 - - [06/Dec/2020:12:38:44 -0800] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 13209 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       20.62.40.13 - - [06/Dec/2020:12:38:47 -0800] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 8948 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       20.62.40.13 - - [06/Dec/2020:12:38:49 -0800] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 403 3173 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       20.62.40.13 - - [06/Dec/2020:12:38:50 -0800] "GET /wp-content/plugins/qbfchs/mini.php?x=ooo HTTP/1.1" 200 4125 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       20.62.40.13 - - [06/Dec/2020:12:38:51 -0800] "GET {URL of Easy WP SMTP settings page} HTTP/1.1" 200 13402 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       20.62.40.13 - - [06/Dec/2020:12:38:51 -0800] "POST {URL of Easy WP SMTP settings page} HTTP/1.1" 200 1523 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       20.62.40.13 - - [06/Dec/2020:13:10:03 -0800] "GET {Easy WP SMTP plugin folder with the same request parameters as before}" 200 4483 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       ```
    -  This reply was modified 5 years, 5 months ago by [burkingman](https://wordpress.org/support/users/burkingman/).
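A defender-side way to spot the sequence burkingman describes in an Apache access log, added here as an example and not part of the thread or of the Easy WP SMTP plugin: the script parses combined-format lines, classifies each request into one of the stages seen above (a 200 on a plugin folder, which with no index file means a directory listing; user enumeration through `/wp-json/wp/v2/users` and `/?author=`; a 200 on a `.txt` file under the plugin folder; the `lostpassword` POST; the `action=rp&key=` reset), groups the hits by client IP and rates the chain. The sample log lines, client IPs (RFC 5737 test ranges), debug log filename and reset key are constructed placeholders; the misspelled user agent is the indicator noted in the post. The `{...}` redactions in the posted log would have to be replaced with the real paths before this parser accepts them.

```python
"""Flag the exposed-debug-log -> password-reset chain in an Apache access log.

Added example for this thread; not part of the Easy WP SMTP plugin.
The log lines, client IPs (RFC 5737 test ranges), debug log filename and
reset key below are constructed placeholders, not data from the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Request shapes for each stage of the chain, in the order seen in the thread.
PATTERNS = {
    "plugin_dir_listing": re.compile(r"^/wp-content/plugins/[^/?]+/?(\?.*)?$"),
    "user_enum":          re.compile(r"^(/wp-json/wp/v2/users|/\?author=)"),
    "debug_log_read":     re.compile(r"^/wp-content/plugins/[^/]+/[^/?]+\.txt$"),
    "lost_password":      re.compile(r"^/wp-login\.php\?action=lostpassword"),
    "reset_with_key":     re.compile(r"^/wp-login\.php\?action=rp&key="),
    "plugin_upload":      re.compile(r"^/wp-admin/update\.php\?action=upload-plugin"),
}

# Constructed sample: one client walks the whole chain; two others are benign
# (one of them hits the plugin folder but gets 403, i.e. listing is disabled).
_UA = "Mozlila/5.0 (Linux; Android 7.0) Moblie Safari/537.36"  # misspellings as seen in the thread
SAMPLE_LOG = [
    f'203.0.113.5 - - [06/Dec/2020:10:25:40 -0800] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 4714 "-" "{_UA}"',
    f'203.0.113.5 - - [06/Dec/2020:10:26:15 -0800] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 404 4901 "-" "{_UA}"',
    f'203.0.113.5 - - [06/Dec/2020:10:27:22 -0800] "GET /wp-content/plugins/easy-wp-smtp/debugEXAMPLE.txt HTTP/1.1" 200 35009 "-" "{_UA}"',
    f'203.0.113.5 - - [06/Dec/2020:10:28:04 -0800] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 4538 "-" "{_UA}"',
    f'203.0.113.5 - - [06/Dec/2020:11:01:34 -0800] "GET /wp-login.php?action=rp&key=EXAMPLEKEY0000000000&login=admin HTTP/1.1" 302 4657 "-" "{_UA}"',
    '198.51.100.7 - - [06/Dec/2020:10:30:00 -0800] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [06/Dec/2020:10:31:00 -0800] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the chain stage this request belongs to, or None for unrelated traffic."""
    path, status, method = entry["path"], entry["status"], entry["method"]
    # A 200 on a bare plugin folder is only interesting if it was actually served
    # (after `Options -Indexes` the same request returns 403 and is ignored here).
    if method == "GET" and status == 200 and PATTERNS["plugin_dir_listing"].match(path):
        return "plugin_dir_listing"
    if PATTERNS["user_enum"].match(path):
        return "user_enum"
    if method == "GET" and status == 200 and PATTERNS["debug_log_read"].match(path):
        return "debug_log_read"
    if method == "POST" and PATTERNS["lost_password"].match(path):
        return "lost_password"
    if PATTERNS["reset_with_key"].match(path):
        return "reset_with_key"
    if method == "POST" and PATTERNS["plugin_upload"].match(path):
        return "plugin_upload"
    return None


def analyse(lines, window=timedelta(hours=2)):
    """Group stage hits by client IP and rate each client's chain.

    Returns {ip: {"stages": [ordered unique stages within `window` of the
    client's first hit], "severity": str, "odd_ua": bool}}.
    """
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        stage = classify(entry)
        if stage is not None:
            per_ip[entry["ip"]].append((entry["ts"], stage, entry["ua"]))

    findings = {}
    for ip, hits in per_ip.items():
        hits.sort(key=lambda h: h[0])
        start = hits[0][0]
        stages = []
        for ts, stage, _ in hits:
            if ts - start <= window and stage not in stages:
                stages.append(stage)
        odd_ua = any("Mozlila" in ua or "Moblie" in ua for _, _, ua in hits)
        if "debug_log_read" in stages and "reset_with_key" in stages:
            severity = "critical"  # reset link most likely taken from the exposed log
        elif "debug_log_read" in stages:
            severity = "high"      # SMTP session (and possibly credentials) exposed
        elif "plugin_dir_listing" in stages:
            severity = "medium"    # listing reveals the debug log filename
        else:
            severity = "low"
        findings[ip] = {"stages": stages, "severity": severity, "odd_ua": odd_ua}
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {f['severity']:8s} stages={f['stages']} odd_ua={f['odd_ua']}")
```

Run against a real log with `analyse(open("access.log").read().splitlines())`; the `window` argument bounds how far apart the stages may be, since in the posted log the reset request came about half an hour after the log was read.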
 *  Thread Starter [mathieg2](https://wordpress.org/support/users/mathieg2/)
 * (@mathieg2)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13752350)
 * I just checked my logs: 212.227.174.234 is also the same ip address that is accessing
   my site.
 * It looks like you have the same issue as me with your server config, as the user
   got a 200 return code:
 *     ```
       212.227.174.234 - - [06/Dec/2020:06:55:42 -0800] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 4531 "google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
       ```
 * If you update the .htaccess in the root of your site to add a line:
 *     ```
       Options -Indexes
       ```
 * then that will stop them from getting a directory of the plugin folder – which
   tells them the exact name of the debug file unfortunately.
 *  Thread Starter [mathieg2](https://wordpress.org/support/users/mathieg2/)
 * (@mathieg2)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13752357)
 * This is what they are getting from my site now:
 *     ```
       [Mon Dec 07 00:37:24.677270 2020] [autoindex:error] [pid 2138265] [client 212.227.174.234:61985] AH01276: Cannot serve directory /var/www/xxxxxx/wp-content/plugins/easy-wp-smtp/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive, referer: http://www.google.com
       ```
 *  [wp.insider](https://wordpress.org/support/users/wpinsider-1/)
 * (@wpinsider-1)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13752397)
 * Thank you. We are going to investigate this more but right now we have added 
   empty “index.html” files to the folders of this plugin to make sure someone cannot
   browse to the folder to view the files (even if options indexes is missing). 
   Please upgrade to v1.4.3.
 *  [burkingman](https://wordpress.org/support/users/burkingman/)
 * (@burkingman)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13752755)
 * Thanks a lot to [@mathieg2](https://wordpress.org/support/users/mathieg2/) for
   that .htaccess Options trick. Feels like I should have known that already; still,
   better late than never.
 * Thanks also to [@wpinsider-1](https://wordpress.org/support/users/wpinsider-1/)
   for providing a security upgrade so quickly. I’m keeping my debug log deactivated
   for now: I noticed if I reactivate it, it gets created under the same filename
   as before, so the hacker could access it again since they already know the URL.
   As a workaround, I may modify the log filename in the WordPress database, but
   I wonder: could it be helpful, in future versions of the plugin, if a new log
   filename was generated whenever the debug log is reactivated? I hadn’t realized
   how much sensitive information goes through that log (since my first post, I 
   figured out how precisely how the hacker managed to take over my account)…
 *  [Alexander C.](https://wordpress.org/support/users/alexanderfoxc/)
 * (@alexanderfoxc)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13753951)
 * Hi [@mathieg2](https://wordpress.org/support/users/mathieg2/) and [@burkingman](https://wordpress.org/support/users/burkingman/).
 * Does your SMTP server show your email password in the plugin’s debug log file? For
   example, my SMTP server displays credentials in the log like this:
 *     ```
       CLIENT -> SERVER: AUTH LOGIN
       CLIENT -> SERVER: [credentials hidden]
       CLIENT -> SERVER: [credentials hidden]
       ```
   
 * These `[credentials hidden]` parts weren’t replaced by me just now, this is how
   the server actually sends those to debug log.
 * What about your logs?
 *  Thread Starter [mathieg2](https://wordpress.org/support/users/mathieg2/)
 * (@mathieg2)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13754313)
 * Ok – now that the index.html files are in place, I will explain the hack.
 * There is one additional file I’d like you to deploy in the plugin directory:
 * .htaccess:
 *     ```
       <Files "*.txt">
           Require all denied
       </Files>
       ```
 * What the hacker was doing was finding all the users who have your plugin installed
   via some sort of search engine – or perhaps just all the users who have wordpress.
 * They were then navigating to your plugin directory and getting a list of the 
   files in that directory – one of which was the debug file.
 * Somehow they worked out the username of one of the admin accounts on the site
   and performed a password reset on that account through the user interface.
 * They then downloaded the debug file and used the link from the password
   reset email to reset the admin password on the site.
 * Luckily I have 2FA on my account so the user was prevented from logging in – 
   even with the reset password – but it could have been much worse – and for a 
   few users, I would imagine they have a bit of a clean up operation ahead of them.
 * Graeme
 *  Thread Starter [mathieg2](https://wordpress.org/support/users/mathieg2/)
 * (@mathieg2)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13754331)
 *     ```
       EHLO mydomain.co.uk
       CLIENT -> SERVER: AUTH LOGIN
       CLIENT -> SERVER: [credentials hidden]
       CLIENT -> SERVER: [credentials hidden]
       CLIENT -> SERVER: MAIL FROM:
       ```
 *  [Alexander C.](https://wordpress.org/support/users/alexanderfoxc/)
 * (@alexanderfoxc)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13754360)
 * Thank you for your detailed explanation, Graeme!
 * So, in fact, the reason they found the debug log file is that directory listing
   was allowed by your server config, correct? If this is the case, I don’t think
   the plugin is the one to blame here, as it just does its job. Debug log is disabled
   by default, so if you instructed it to enable it, it just did it. If you had
   directory listing disabled, hackers would have had a very difficult time trying to
   access your debug log.
 * We will discuss this with our team and think about what could be done here from our
   side, but personally I don’t see this being the plugin’s fault. It does SMTP-related
   stuff, not server config-related stuff.
 * Once again, thank you for your report and detailed explanations!
 *  Thread Starter [mathieg2](https://wordpress.org/support/users/mathieg2/)
 * (@mathieg2)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13754412)
 * Hi Alexander,
 * I’d still recommend including this in the plugin’s zip, as every time I update
   your plugin, this file is being deleted. Also if someone else’s plugin goes rogue
   and exposes the directory listing, this .htaccess file would give some level 
   of protection.
 * I’m not worried about myself – I make mistakes sometimes and know how to fix
   them. I’m more worried about your other users that might hit this issue and not
   know what to do about it. I don’t know if it’s possible to include .htaccess files
   in a plugin so please tell me if I’m getting it wrong so I can read up on how
   to do this in the apache configuration files.
 * .htaccess:
 *     ```
       <Files "*.txt">
           Require all denied
       </Files>
       ```
    -  This reply was modified 5 years, 5 months ago by [mathieg2](https://wordpress.org/support/users/mathieg2/).
 *  [Alexander C.](https://wordpress.org/support/users/alexanderfoxc/)
 * (@alexanderfoxc)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/#post-13754541)
 * Ah, that is a very good suggestion! At first I assumed you offered to change WP’s
   .htaccess file. But shipping a .htaccess file that would only be working in the plugin’s
   directory is a much better idea! Though some server configs might disallow per-
   directory .htaccess usage (and some servers like Nginx don’t process .htaccess
   files at all), this is still better than nothing.
 * We will definitely add this to the upcoming add-on release. Thank you!

The topic ‘Security Issue with debug log’ is closed to new replies.

 * 24 replies
 * 7 participants
 * Last reply from: [mathieg2](https://wordpress.org/support/users/mathieg2/)
 * Last activity: [5 years, 4 months ago](https://wordpress.org/support/topic/security-issue-with-debug-log/page/2/#post-13786432)
 * Status: resolved