User enumeration scan under DEBUG_ON

  • Resolved liquidmind

    (@liquidmind)


    1 year, 11 months ago

    I am running full WAF under Debug mode = yes, and found the following two log entries:

    29/Dec/22 20:48:21 #0000000 DEBUG_ON - 34.217.43.218 GET /index.php - User enumeration scan (author archives) - [author=1] - quantiux.com
    29/Dec/22 20:48:21 #0000000 DEBUG_ON - 34.217.43.218 GET /index.php - User enumeration scan (WP REST API) - [/wp-json/wp/v2/users/] - quantiux.com

    I do not understand the inner workings of debug mode that well (yet), so my question is: does this mean that the perp succeeded in their attempt at guessing the username?

    Thanks in advance.

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nintechnet

    (@nintechnet)

    When the debug mode is enabled, nothing is blocked: the two user enumeration scans were successful. The firewall writes to the log what it would have blocked *if* the debug mode option was turned off.

    Thread Starter liquidmind

    (@liquidmind)

    I guessed as much, and turned debug mode off right after posting this question. Now I’ll change my username, and go through the entire log to see what else they managed to do (found a bunch of “Forbidden direct access to PHP script”, “Blocked file upload attempt” and “WP backdoor” already). I have also turned file monitoring on and scanned everything with NinjaScanner, found nothing suspicious so far.

    Thanks again.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘User enumeration scan under DEBUG_ON’ is closed to new replies.