This site uses cookies in accordance with our Privacy Policy.
Wordfence Weekly July 17 2019 – July 23 2019
A weekly report of noteworthy threat data by the Defiant threat intelligence team.
Security News
-
Equifax data breach: Credit reporting agency to pay up to $700 million in settlement
Credit reporting agency Equifax has reached a deal to pay up to $700 million to state and federal regulators to settle probes stemming from a data breach that exposed the personal information of nearly 150 million people. It will be the largest settlement ever paid for a data breach.
Read More -
Kazakhstan tries and fails to MITM all of its internet users with rogue certificate installation
On July 17th, 2019, the government of Kazakhstan enacted a new cybersecurity measure that aims to spy on its citizens’ internet traffic. Specifically, the Kazakh government ordered all of the internet service providers (ISPs) to force their customers to install a government-issued root certificate by Qaznet Trust Network on all of their internet accessing devices.
Read More -
Google Chrome is ditching its XSS detection tool
Google is removing a nine-year-old feature in its Chrome web browser, which spotted a common online attack. Don’t worry, though – another, hopefully better, protection measure is on the way.
Read More
Notable Vulnerabilities
Name: Email Subscribers & Newsletters <= 4.1.7 - SQL Injection
Description: Vulnerable versions could allow attackers to perform SQL injection attacks.
Type: A1 – Injection
Description: Vulnerable versions could allow attackers to perform SQL injection attacks.
Type: A1 – Injection
Name: Adaptive Images for WordPress <= 0.6.66 - Local File Inclusion & Deletion
Description: Unauthenticated attackers can read or delete arbitrary files on affected sites.
Type: Multiple
Description: Unauthenticated attackers can read or delete arbitrary files on affected sites.
Type: Multiple
Most Common New Infections
Malware samples identified on the greatest count of newly infected sites.
| MD5 | Signature | Description | File Names |
|---|---|---|---|
| C62180F0D626D92E29E83778605DD8BE | Suspicious:PHP/eval_exit.92 | Obfuscated PHP backdoor. | file.php, i.php, ihqxkhi.php, and others. |
| 048648D9755220E727E7E0178837F7BF | Backdoor:PHP/561C.110 | Obfuscated PHP backdoor. | amp3.php, sib.php, wpfunck.php, and others. |
| 8C9E8184A1523C7286FC11E7DE2EAC55 | Backdoor:PHP/2842.103 | PHP script which generates and executes a malicious binary. | wp_form7.php |
| C2CC3D90B67A9D6C7DF738A8CD8661C7 | Suspicious:PHP/eval_exit.92 | Obfuscated PHP backdoor. | 101.gone.php, 412.client.php, 423.508.php, and others. |
| F672EB5C2EF23BF5180DC94CAE720FC7 | Backdoor:PHP/Ironshell.56 | PHP web shell known as Ironshell. | checkbox.php, stats.php |
IPs Attacking Most Sites
| Rank | Prev. | IP Address | ASN | Country |
|---|---|---|---|---|
| 1 | — | 160.153.245.87 | 26496 (GoDaddy.com, LLC) |  US |
| 2 | — | 95.47.56.28 | 51500 (Servisnet Ltd.) |  UA |
| 3 | 1 | 5.8.47.2 | 50896 (Trusov Ilya Igorevych) |  PL |
| 4 | — | 84.246.231.100 | 35393 (CTS Computers and Telecommunications Systems SAS) |  ES |
| 5 | — | 54.36.119.91 | 16276 (OVH SAS) |  DE |
| 6 | 2 | 120.131.12.178 | 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd) |  CN |
| 7 | 3 | 120.92.33.226 | 23724 (IDC, China Telecommunications Corporation) | CN |
| 8 | — | 35.187.183.174 | 15169 (Google LLC) | US |
| 9 | 10 | 51.77.53.229 | 16276 (OVH SAS) | PL |
| 10 | — | 68.183.164.2 | 14061 (DigitalOcean, LLC) | US |
New Tracked Domains
| Domain Name | Date Added | Current Status | Notes |
|---|---|---|---|
| acint.net | 07/23/2019 | Up | Hosting JavaScript files sourced by infected scripts. |
| deliverygoodstrategy.com | 07/22/2019 | Up | Associated with a JavaScript injection campaign |
| db.deliverygoodstrategy.com | 07/19/2019 | Up | Associated with a JavaScript injection campaign. |
| 4ksudckusdkc.space | 07/18/2019 | Up | Associated with redirect campaign. |
| submed-drenew.com | 07/17/2019 | Up | Associated with redirect campaign. |