================================================================================ ALMANAR.COM.LB (Al-Manar TV / Hezbollah) - WordPress debug.log Analysis Source: almanar-debug.log (102,944 bytes, 273 lines) Analyzed: 2026-02-28 ================================================================================ EXECUTIVE SUMMARY ----------------- This debug.log was publicly exposed from almanar.com.lb, the official website of Al-Manar TV (Hezbollah's television station, US-designated Foreign Terrorist Organization media arm). The log covers two time windows and reveals significant server-side intelligence including filesystem structure, hosting account name, WordPress infrastructure details, installed security plugins, custom theme architecture, a MySQL socket failure, and WordPress version fingerprinting. No database credentials, API keys, SMTP configs, email addresses, or IP addresses were directly exposed in this log file. ================================================================================ 1. LOG TIMELINE ================================================================================ First Entry: 13-Apr-2025 06:41:44 UTC (single pageview, ~1 second of errors) Second Entry: 06-Oct-2025 09:25:13 UTC (sustained session, 29 minutes of errors) Last Entry: 06-Oct-2025 09:54:34 UTC Gap: ~6 months between the two logging sessions. This suggests either: - Debug logging was disabled between sessions - The log was rotated/cleared - The server was rebuilt/migrated between April and October 2025 ================================================================================ 2. SERVER FILE PATH DISCLOSURE (CRITICAL) ================================================================================ Document Root / cPanel Home: /home/manarnet/public_html/ This reveals: - Hosting account username: "manarnet" - Standard cPanel/WHM shared hosting structure (/home//public_html/) - NOT a containerized/Docker deployment, NOT a custom server layout - Suggests a commercial shared hosting provider (cPanel-based) Full file paths disclosed: /home/manarnet/public_html/index.php /home/manarnet/public_html/wp-blog-header.php /home/manarnet/public_html/wp-includes/block-editor.php /home/manarnet/public_html/wp-includes/class-wpdb.php /home/manarnet/public_html/wp-includes/class-wp-hook.php /home/manarnet/public_html/wp-includes/functions.php /home/manarnet/public_html/wp-includes/template-loader.php /home/manarnet/public_html/wp-content/plugins/hide_my_wp/admin-settings.php /home/manarnet/public_html/wp-content/themes/ar-manar/single.php /home/manarnet/public_html/wp-content/themes/ar-manar/framework/functions/manar-functions.php /home/manarnet/public_html/wp-content/themes/ar-manar/framework/functions/theme-functions.php ================================================================================ 3. WORDPRESS VERSION ================================================================================ WordPress 6.7.0 or later (confirmed) - The debug-bar translation notice states: "This message was added in version 6.7.0." - The deprecation warnings (float-to-int implicit conversion, false-to-array automatic conversion) are consistent with PHP 8.1+ running on WP 6.7.x - WP 6.7.0 was released November 2024; this server was still running it as of October 2025 (potentially unpatched for ~11 months) ================================================================================ 4. PHP VERSION INFERENCE ================================================================================ PHP 8.1.x (most likely) or PHP 8.2.x Evidence: - "Automatic conversion of false to array is deprecated" = PHP 8.1+ - "Implicit conversion from float to int loses precision" = PHP 8.1+ - "strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated" = PHP 8.1+ - "str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated" = PHP 8.1+ - These are deprecation notices (not errors), meaning PHP 8.1 or 8.2 (in PHP 9.0 these will become errors) ================================================================================ 5. DATABASE / MySQL INTELLIGENCE ================================================================================ MySQL Socket Error (Line 13): mysqli_real_connect(): (HY000/2002): No such file or directory File: /home/manarnet/public_html/wp-includes/class-wpdb.php on line 1988 Analysis: - Error code HY000/2002 = "Can't connect to local MySQL server through socket" - MySQL was configured to use a Unix socket (not TCP/IP) for the DB connection - The socket file was missing or the MySQL service was down at 09:25:13 UTC - This occurred only ONCE, at the very beginning of the Oct 6 session - MySQL recovered within ~1 minute (subsequent errors are PHP-level, not DB) - This indicates MySQL is on the SAME server (localhost socket connection) - No DB credentials (host, user, password, database name) were leaked in this log Implication: - Database server = localhost (same machine or same hosting account) - Hosting configuration uses socket-based MySQL (common in cPanel) - The DB_HOST in wp-config.php is likely "localhost" (socket mode) ================================================================================ 6. INSTALLED PLUGINS (CONFIRMED) ================================================================================ Plugin 1: hide_my_wp (Hide My WP) Path: /home/manarnet/public_html/wp-content/plugins/hide_my_wp/ File: admin-settings.php (line 11) Error: "Automatic conversion of false to array is deprecated" Occurrences: 69 times in this log Analysis: - "Hide My WP" is a WordPress security-through-obscurity plugin - It hides WP login pages, changes URLs, removes WP fingerprints from headers - The error on line 11 of admin-settings.php suggests the plugin is ACTIVE but running outdated code incompatible with PHP 8.1+ - The fact that they use this plugin confirms security awareness/paranoia - The bug in their security plugin actually WEAKENS their security posture by generating debug log entries that expose the plugin's existence - IRONY: Their "hide WordPress" plugin is the #1 source of debug log noise Plugin 2: debug-bar (Debug Bar) Referenced via: Translation domain "debug-bar" loaded too early Occurrences: 121 references in this log Analysis: - Debug Bar is a WordPress debugging/development plugin - It adds a debug menu to the admin bar showing query/cache/deprecation info - This plugin should NEVER be active on a production website - Its presence suggests either: a) A developer left it active after troubleshooting b) The site is being actively debugged/developed c) Poor deployment hygiene (dev plugins in production) - The "textdomain loaded too early" error means it fires before init hook ================================================================================ 7. CUSTOM THEME INTELLIGENCE ================================================================================ Theme: ar-manar (Arabic Al-Manar) Path: /home/manarnet/public_html/wp-content/themes/ar-manar/ Theme structure (revealed by errors): ar-manar/ single.php (single post template) framework/ functions/ manar-functions.php (custom functions, lines 14, 100) theme-functions.php (theme functions, line 1929) Custom Functions Disclosed: mzw_get_viewable_categories(Array) (called from single.php:22) Analysis: - "mzw_" prefix = developer/agency namespace (possibly "Manar Zone Web" or similar) - The theme is CUSTOM BUILT (not a commercial theme), purpose-built for Al-Manar - theme-functions.php has at least 1,929 lines = substantial custom codebase - The fatal error reveals a logic bug: mzw_get_viewable_categories() is called with an Array but its in_array() check on line 14 receives `false` instead of an array, suggesting a database query failure or missing config - "viewable_categories" implies content access control (certain categories are restricted/hidden from certain users or regions) ================================================================================ 8. STACK TRACE (FULL EXECUTION PATH) ================================================================================ From the April 13 Fatal Error: #0 manar-functions.php(14): in_array(20, false) #1 single.php(22): mzw_get_viewable_categories(Array) #2 template-loader.php(106): include('...') #3 wp-blog-header.php(19): require_once('...') #4 index.php(17): require('...') Flow: index.php -> wp-blog-header.php -> template-loader.php -> single.php -> mzw_get_viewable_categories() -> in_array(20, false) -> FATAL The argument "20" to in_array() is likely a WordPress category ID. The `false` second argument means the function that was supposed to return an array of allowed category IDs returned `false` instead. ================================================================================ 9. ERROR STATISTICS ================================================================================ Total lines: 273 File size: 102,944 bytes (~100 KB) Error Breakdown: PHP Deprecated: 133 occurrences (48.7%) PHP Notice: 121 occurrences (44.3%) PHP Warning: 10 occurrences (3.7%) PHP Fatal Error: 1 occurrence (0.4%) Stack Trace: 1 occurrence By Source: debug-bar plugin: 121 references (translation loading too early) hide_my_wp plugin: 69 references (false-to-array deprecation) class-wp-hook.php: ~40 references (float-to-int precision) functions.php: ~30 references (strpos/str_replace null deprecation) block-editor.php: ~10 references (array offset on true) class-wpdb.php: 1 reference (MySQL socket failure) manar-functions.php: 3 references (fatal + warning) theme-functions.php: 1 reference (undefined array key) ================================================================================ 10. ITEMS NOT FOUND IN THIS LOG ================================================================================ The following were searched for but NOT present: - Database credentials (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) - IP addresses (no IPs appear anywhere in the log) - Email addresses (none found) - API keys or tokens (none found) - SMTP credentials or mail configuration errors (none found) - SQL queries or table names (none found) - URLs to internal services (only developer.wordpress.org reference found) - User login/authentication errors (none found) - wp-cron or scheduled task errors (none found) - REST API errors (none found) - XML-RPC errors (none found) - File upload errors (none found) ================================================================================ 11. SECURITY ASSESSMENT / ACTIONABLE INTELLIGENCE ================================================================================ CONFIRMED FINDINGS: [HIGH] cPanel hosting account username: "manarnet" [HIGH] Full server filesystem paths disclosed [HIGH] WordPress debug mode left ON in production (WP_DEBUG = true) [HIGH] debug.log publicly accessible (no .htaccess protection) [MED] WordPress 6.7.x (potentially 11 months without updates) [MED] PHP 8.1.x/8.2.x with significant deprecation warnings [MED] "Hide My WP" security plugin is buggy and leaking its own presence [MED] Debug Bar plugin active on production (developer tool) [MED] MySQL uses localhost socket (DB on same server) [LOW] Custom theme "ar-manar" with "mzw_" function namespace [LOW] Category-based content access control system revealed [INFO] MySQL had a brief socket failure on Oct 6 (service restart?) ATTACK SURFACE OBSERVATIONS: 1. cPanel username "manarnet" can be used to: - Attempt cPanel login at hostname:2083 - Attempt WHM access at hostname:2087 - Attempt webmail at hostname:2096 - Target SSH at hostname:22 (if enabled for this user) - Enumerate other accounts on the same shared host 2. "Hide My WP" plugin presence means: - Standard WP paths may be renamed/hidden (but we now know they exist) - wp-login.php may be at a custom URL - WP version headers may be stripped (but we confirmed 6.7.x from log) - The plugin itself has a known bug (line 11 error = potential vuln) 3. Debug Bar active means: - Admin users see additional debug info in the toolbar - May expose query counts, memory usage, hook info to authenticated users - Confirms this is either actively being developed or poorly maintained 4. MySQL on localhost via socket means: - If you get shell access, DB is directly accessible - wp-config.php (at /home/manarnet/public_html/wp-config.php) contains the database credentials - No external DB firewall to bypass 5. The "mzw_get_viewable_categories" function suggests: - There is restricted/hidden content on the site - Category ID 20 is one of the viewable categories - The access control may be bypassable if the function fails open HOSTING PROFILE: - cPanel shared hosting (Linux-based) - Account: manarnet - Stack: Apache/LiteSpeed + PHP 8.1.x + MySQL (localhost socket) - WordPress 6.7.x with custom theme - Likely a Lebanese hosting provider (almanar.com.lb is a .lb domain) ================================================================================ 12. RECOMMENDED FOLLOW-UP ================================================================================ 1. Check if wp-config.php is accessible (path traversal, backup files like wp-config.php.bak, wp-config.php~, wp-config.php.old, wp-config.php.save) 2. Check for other exposed log files: - /home/manarnet/public_html/wp-content/debug.log (current location) - /home/manarnet/logs/error.log (cPanel error log) - /home/manarnet/public_html/error_log 3. Enumerate cPanel services (ports 2083, 2087, 2096, 2095) 4. Check for wp-login.php at alternate URLs (Hide My WP may have renamed it) 5. Look for xmlrpc.php, wp-json/wp/v2/ (REST API), /readme.html, /license.txt 6. Research "Hide My WP" CVEs for the version with the line 11 bug 7. DNS/WHOIS on almanar.com.lb to identify the hosting provider 8. Check if "manarnet" username exists on the hosting provider's other services ================================================================================ END OF ANALYSIS ================================================================================