[wp-trac] [WordPress Trac] #44554: Multiple sites hacked

WordPress Trac noreply at wordpress.org
Tue Jul 10 04:52:11 UTC 2018


#44554: Multiple sites hacked
--------------------------+-----------------------------
 Reporter:  tkalfaoglu    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  4.9.7
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Our server's many WordPress installations are getting hacked.
 All latest version code -- many of them freshly updated.
 The hacker's IP is 178.137.85.118 and here is a log that shows what he did
 on our server:

 178.137.85.118 - - [09/Jul/2018:21:41:19 +0300] "GET /wp-login.php HTTP/1.0" 200 4080 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:20 +0300] "GET /wp-login.php HTTP/1.0" 200 4080 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"

 178.137.85.118 - - [09/Jul/2018:21:41:22 +0300] "POST /wp-login.php HTTP/1.0" 302 1074 "http://mythos.com.tr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:26 +0300] "GET /wp-admin/ HTTP/1.0" 200 171112 "http://mythos.com.tr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:35 +0300] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 197957 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:37 +0300] "GET /wp-admin/theme-editor.php?file=404.php&theme=cuisine HTTP/1.0" 200 174019 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:39 +0300] "GET /wp-admin/theme-install.php?upload HTTP/1.0" 200 152843 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:41 +0300] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 500 3185 "http://mythos.com.tr/wp-admin/theme-install.php?upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:43 +0300] "GET /wp-content/themes/all1/db.php HTTP/1.0" 302 450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:44 +0300] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 142307 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:45 +0300] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 500 3185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:47 +0300] "GET /wp-content/plugins/stop-referrer-spam/db.php HTTP/1.0" 302 450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
 178.137.85.118 - - [09/Jul/2018:21:41:48 +0300] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 500 3185 "http://mythos.com.tr/wp-admin/theme-install.php?tab=upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"

 etc. Let me know if you need more lines.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44554>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
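
The request sequence in the log above (login POST answered with a 302, visits to the theme editor and upload pages, then a direct request for a PHP file under wp-content) can be searched for across an access log. The following is an added example, not part of the ticket or of WordPress; the function names, the sample log lines, and the rule that a 302 on the login POST indicates a successful login are assumptions.

```python
import re
from collections import defaultdict

# Combined log format: ip, ident, user, [timestamp], "METHOD path PROTO", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
CODE_CHANGE = re.compile(
    r'^/wp-admin/(update\.php\?action=upload-(theme|plugin)|(theme|plugin)-editor\.php)')
DIRECT_PHP = re.compile(r'^/wp-content/(themes|plugins)/[^?]+\.php(\?|$)')

def classify(method, path, status):
    # Assumption: a successful WordPress login POST is answered with a redirect.
    if method == "POST" and path.startswith("/wp-login.php") and status == 302:
        return "login_ok"
    # Upload status is not filtered on: in the ticket's log the upload POSTs
    # return 500 and are still followed by requests to a theme/plugin PHP file.
    if CODE_CHANGE.match(path):
        return "code_change"
    if DIRECT_PHP.match(path) and status < 400:
        return "direct_php"
    return None

def suspicious_sessions(lines):
    """Map each IP to the PHP files it requested after login + code change."""
    stage = defaultdict(int)   # 0 = nothing seen, 1 = logged in, 2 = touched code
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue           # skip lines that are not in combined format
        ip, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        tag = classify(method, path, status)
        if tag == "login_ok" and stage[ip] == 0:
            stage[ip] = 1
        elif tag == "code_change" and stage[ip] >= 1:
            stage[ip] = 2
        elif tag == "direct_php" and stage[ip] == 2:
            hits[ip].append(path)
    return dict(hits)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
T = '[09/Jul/2018:21:41:22 +0300]'
SAMPLE = [
    f'203.0.113.7 - - {T} "POST /wp-login.php HTTP/1.0" 302 1074 "-" "-"',
    f'203.0.113.7 - - {T} "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 500 3185 "-" "-"',
    f'203.0.113.7 - - {T} "GET /wp-content/themes/example/db.php HTTP/1.0" 302 450 "-" "-"',
    f'198.51.100.9 - - {T} "POST /wp-login.php HTTP/1.0" 302 1074 "-" "-"',
    f'198.51.100.9 - - {T} "GET /wp-content/themes/example/style.css HTTP/1.0" 200 900 "-" "-"',
    f'192.0.2.4 - - {T} "GET /wp-content/plugins/example/db.php HTTP/1.0" 200 10 "-" "-"',
]
```

A flagged IP means the login itself succeeded, so the account's credentials should be treated as exposed and the listed files inspected.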

