[wp-trac] [WordPress Trac] #44554: Multiple sites hacked
WordPress Trac
noreply at wordpress.org
Tue Jul 10 04:52:11 UTC 2018
#44554: Multiple sites hacked
--------------------------+-----------------------------
 Reporter:  tkalfaoglu    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  4.9.7
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
Our server's many WordPress installations are getting hacked.
All latest version code -- many of them freshly updated.
The hacker's IP is 178.137.85.118 and here is a log that shows what he did
on our server:
178.137.85.118 - - [09/Jul/2018:21:41:19 +0300] "GET /wp-login.php HTTP/1.0" 200 4080 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:20 +0300] "GET /wp-login.php HTTP/1.0" 200 4080 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:22 +0300] "POST /wp-login.php HTTP/1.0" 302 1074 "http://mythos.com.tr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:26 +0300] "GET /wp-admin/ HTTP/1.0" 200 171112 "http://mythos.com.tr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:35 +0300] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 197957 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:37 +0300] "GET /wp-admin/theme-editor.php?file=404.php&theme=cuisine HTTP/1.0" 200 174019 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:39 +0300] "GET /wp-admin/theme-install.php?upload HTTP/1.0" 200 152843 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:41 +0300] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 500 3185 "http://mythos.com.tr/wp-admin/theme-install.php?upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:43 +0300] "GET /wp-content/themes/all1/db.php HTTP/1.0" 302 450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:44 +0300] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 142307 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:45 +0300] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 500 3185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:47 +0300] "GET /wp-content/plugins/stop-referrer-spam/db.php HTTP/1.0" 302 450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:48 +0300] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 500 3185 "http://mythos.com.tr/wp-admin/theme-install.php?tab=upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
Etc. Let me know if you need more lines.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44554>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
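
The request sequence in the log above (a POST to wp-login.php answered with 302, theme or plugin uploads through update.php, then direct GETs of PHP files under wp-content) can be searched for across all vhost access logs. The following is an added example, not part of the ticket or of WordPress; the 10-minute window, the function names and the sample lines (documentation IP addresses, shortened user agent) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format fields used here: client IP, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD = re.compile(r'^/wp-admin/update\.php\?action=upload-(theme|plugin)\b')
DROPPED = re.compile(r'^/wp-content/(themes|plugins)/[^?]+\.php(\?|$)')
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site

def parse(line):
    """Return (ip, time, method, path, status) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)

def find_upload_chains(lines):
    """Map each client IP to the wp-content PHP paths it requested after a
    login redirect followed by a theme/plugin upload, all within WINDOW."""
    state = defaultdict(lambda: {"login": None, "upload": None})
    hits = defaultdict(list)
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        s = state[ip]
        if method == "POST" and path.startswith("/wp-login.php") and status == 302:
            # WordPress redirects after a successful login; failures re-render with 200.
            s["login"], s["upload"] = when, None
        elif (method == "POST" and UPLOAD.match(path)
              and s["login"] and when - s["login"] <= WINDOW):
            s["upload"] = when  # recorded even on a 500, as in the ticket's log
        elif (method == "GET" and DROPPED.match(path)
              and s["upload"] and when - s["upload"] <= WINDOW):
            hits[ip].append(path)
    return dict(hits)

# Constructed sample: one client follows the chain, one only logs in.
SAMPLE = '''\
203.0.113.7 - - [09/Jul/2018:21:41:22 +0300] "POST /wp-login.php HTTP/1.0" 302 1074 "-" "UA"
203.0.113.7 - - [09/Jul/2018:21:41:41 +0300] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 500 3185 "-" "UA"
203.0.113.7 - - [09/Jul/2018:21:41:43 +0300] "GET /wp-content/themes/all1/db.php HTTP/1.0" 302 450 "-" "UA"
198.51.100.9 - - [09/Jul/2018:21:50:00 +0300] "POST /wp-login.php HTTP/1.0" 302 1074 "-" "UA"
198.51.100.9 - - [09/Jul/2018:21:50:05 +0300] "GET /wp-admin/ HTTP/1.0" 200 171112 "-" "UA"
'''.splitlines()

if __name__ == "__main__":
    print(find_upload_chains(SAMPLE))
```

A hit means the account used for the login should have its password and sessions reset, and the reported paths should be inspected on disk even when the upload request itself returned an error status.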