Wordfence Weekly June 05 2019 – June 11 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Security News

  • Severe Vulnerability In Exim

    Qualys has put out an advisory on a vulnerability in the Exim mail transfer agent, versions 4.87 through 4.91; it allows for easy command execution by a local attacker and remote execution in some scenarios. Sites running Exim should upgrade to 4.92 if they have not already.
    Read More

  • New Extortion Scam Threatens to Ruin a Website’s Reputation

    A new extortion scam campaign is underway that is targeting websites owners and stating that if they do not make a payment, the attacker will ruin their site’s reputation and get them blacklisted for spam.
    Read More

  • Huawei Accused Of Technology Theft

    Huawei has become one of the world’s biggest manufacturers of cellphones and high-end telecom equipment. Its rise has come with multiple accusations of technology theft.
    Read More

New Vulnerabilities

Name: Crelly Slider <= 1.3.4 - Arbitrary File Upload
Description: Authenticated users could upload and execute malicious PHP scripts on affected sites.
Type: A5 – Broken Access Control

Most Common Malicious Files

Malware samples identified on the greatest count of unique sites.

MD5 Signature Description File Names
C62180F0D626D92E29E83778605DD8BE Suspicious:PHP/eval_exit.92 Obfuscated PHP backdoor. Various .php names like sq.php and wp-cache.php
446ABEFA504998F144A7AE906A173978 Suspicious:PHP/rot13_of_eval.95 Obfuscated, password-protected PHP backdoor. Generated .php names like b9448c1c.php
048648D9755220E727E7E0178837F7BF Backdoor:PHP/561C.110 Obfuscated PHP backdoor amp3.php, sib.php, wpfunck.php
3F6FD174B64E74D0E7BBA734FF01F065 Backdoor:PHP/FOPO.A.109 PHP backdoor obfuscated with FOPO. wp-dbs.php
8C9E8184A1523C7286FC11E7DE2EAC55 Backdoor:PHP/LD_PRELOAD.4426 PHP script which generates and executes a malicious binary. wp_form7.php

IPs Attacking Most Sites

Rank Prev. IP Address ASN Country
1 16276 (OVH SAS) Germany DE
2 3 12876 (Online S.a.s.) France FR
3 12876 (Online S.a.s.) France FR
4 5 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd) China CN
5 7 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd) China CN
6 16276 (OVH SAS) Canada CA
7 4837 (CHINA UNICOM China169 Backbone) China CN
8 16276 (OVH SAS) France FR
9 200313 (Internet It Company Inc) Netherlands NL
10 2 50896 (Trusov Ilya Igorevych) Poland PL

New Tracked Domains

Domain Name Date Added Current Status Notes
zmozsza.com 06/06/2019 Down Associated with SMS phishing.
vision2010usa.com 06/11/2019 Up Hosting malicious PHP scripts.
css.chatwithgreenbar.com 06/11/2019 Up Serving JS malware.

Subscribe To The Wordfence Weekly

Did you enjoy this post? Share it!

Recent Issues