Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
185.220.101.21-2018-01-01a/ and contents, README.md note
- Loading branch information
1 parent
ab09fb0
commit 6bfe661
Showing
5 changed files
with
116 additions
and
0 deletions.
There are no files selected for viewing
Binary file added
BIN
+1.56 MB
185.220.101.21-2018-01-01a/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.0.file
Binary file not shown.
77 changes: 77 additions & 0 deletions
77
185.220.101.21-2018-01-01a/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.upload-plugin.scans
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
|
|
||
| _SERVER | ||
| Array | ||
| ( | ||
| [UNIQUE_ID] => WkjqapjoG7YwsaDQq38zLgAAAAE | ||
| [SCRIPT_URL] => /wp-admin/update.php | ||
| [SCRIPT_URI] => http://stratigery.com/wp-admin/update.php | ||
| [HTTP_HOST] => stratigery.com | ||
| [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0 | ||
| [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | ||
| [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5 | ||
| [HTTP_ACCEPT_ENCODING] => gzip, deflate | ||
| [HTTP_REFERER] => http://stratigery.com/wp-admin/plugin-install.php?tab=upload | ||
| [HTTP_COOKIE] => wordpress_d1514727868fuck=admind1514727868fuck; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_ind1514727868fuck=admind1514727868fuck | ||
| [HTTP_CONNECTION] => keep-alive | ||
| [HTTP_UPGRADE_INSECURE_REQUESTS] => 1 | ||
| [CONTENT_TYPE] => multipart/form-data; boundary=---------------------------172401349217777 | ||
| [CONTENT_LENGTH] => 1638559 | ||
| [PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin | ||
| [SERVER_SIGNATURE] => | ||
| [SERVER_SOFTWARE] => Apache/2.4.29 (Unix) PHP/7.2.0 | ||
| [SERVER_NAME] => stratigery.com | ||
| [SERVER_ADDR] => 162.246.45.144 | ||
| [SERVER_PORT] => 80 | ||
| [REMOTE_ADDR] => 185.220.101.21 | ||
| [DOCUMENT_ROOT] => /srv/http/stratigery/htdocs | ||
| [REQUEST_SCHEME] => http | ||
| [CONTEXT_PREFIX] => | ||
| [CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs | ||
| [SERVER_ADMIN] => bediger@stratigery.com | ||
| [SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wp-admin/update.php | ||
| [REMOTE_PORT] => 39843 | ||
| [GATEWAY_INTERFACE] => CGI/1.1 | ||
| [SERVER_PROTOCOL] => HTTP/1.1 | ||
| [REQUEST_METHOD] => POST | ||
| [QUERY_STRING] => action=upload-plugin | ||
| [REQUEST_URI] => /wp-admin/update.php?action=upload-plugin | ||
| [SCRIPT_NAME] => /wp-admin/update.php | ||
| [PHP_SELF] => /wp-admin/update.php | ||
| [REQUEST_TIME_FLOAT] => 1514728042.8 | ||
| [REQUEST_TIME] => 1514728042 | ||
| ) | ||
|
|
||
| _REQUEST | ||
| Array | ||
| ( | ||
| [action] => upload-plugin | ||
| [_wpnonce] => 4f1202ce52 | ||
| [_wp_http_referer] => /wordpress/wp-admin/plugin-install.php?tab=upload | ||
| [install-plugin-submit] => Install Now | ||
| ) | ||
|
|
||
| _COOKIE | ||
| Array | ||
| ( | ||
| [wordpress_d1514727868fuck] => admind1514727868fuck | ||
| [wordpress_test_cookie] => WP Cookie check | ||
| [wordpress_logged_ind1514727868fuck] => admind1514727868fuck | ||
| ) | ||
|
|
||
| _FILES | ||
|
|
||
| UPLOADED FILE pluginzip | ||
| Array | ||
| ( | ||
| [name] => file-manager.zip | ||
| [type] => application/x-zip-compressed | ||
| [tmp_name] => /tmp/php1SbsL2 | ||
| [error] => 0 | ||
| [size] => 1637950 | ||
| ) | ||
|
|
||
| END UPLOADED FILE pluginzip | ||
| Uploaded file: /var/tmp/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.0.file | ||
|
|
||
| END _FILES | ||
| $my_blog=http://stratigery.com/wp-admin |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| # File Manager Plugin | ||
|
|
||
| ## Origin | ||
|
|
||
| ### IP address 185.220.101.21 | ||
|
|
||
| 185.220.101.21 → 185.220.101.0/24AS200052 | ||
|
|
||
| Appears to be a "Feral Hosting" IP address, located in London, UK | ||
|
|
||
| ### Download | ||
|
|
||
| Downloaded to my honey pot as a WordPress plugin installation. | ||
| Downloaded a Zip file, so it probably would install on a real WordPress instance. | ||
|
|
||
| ## Analysis | ||
|
|
||
| I could not find any obviously evil PHP code. | ||
|
|
||
| No extra files. Downloaded current [File Manager](https://da.wordpress.org/plugins/file-manager/), | ||
| unzipped it, and matched file names with the honey pot download. | ||
|
|
||
| Couldn't find anything fishy by | ||
|
|
||
| find . -type f | xargs egrep -a 'eval|assert|base64_decode|preg|ereg' | ||
|
|
||
| No "eval" or "assert" used in code, only a legit use of `base64_decode()`. Granted, | ||
| even simple obfuscation could overcome the regular expression based search. | ||
|
|
||
| Nothing but CSS files seemed to have extremely long lines of text. | ||
|
|
||
| However, a file manager, illegitimately installed, would have a lot of | ||
| use to someone covertly taking over a WordPress installation. About half | ||
| of WSO web shell functions are file management. |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters