Have you been hacked? Get Help

Wordfence Weekly September 04 2019 – September 10 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Notable Vulnerabilities

Name: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
Description: WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
Type: A1 – Injection
Name: WordPress 5.2.2 – Authenticated Cross-Site Scripting (XSS) in Post Previews
Description: WordPress before 5.2.3 allows XSS in post previews by authenticated users.
Type: A1 – Injection
Name: WordPress 5.2.2 – Cross-Site Scripting (XSS) in Dashboard
Description: WordPress before 5.2.3 allows reflected XSS in the dashboard.
Type: A1 – Injection
Name: WordPress 5.2.2 – Cross-Site Scripting (XSS) in Shortcode Previews
Description: WordPress before 5.2.3 allows XSS in shortcode previews.
Type: A1 – Injection
Name: WordPress 5.2.2 – Cross-Site Scripting (XSS) in Stored Comments
Description: WordPress before 5.2.3 allows XSS in stored comments.
Type: A1 – Injection

Most Common New Infections

Malware samples identified on the greatest count of newly infected sites.

MD5 Signature Description Example File Names
CEC9A529B43D84F0A0E3624372CD9C51 Backdoor:PHP/WP-VCD.5409 Infected core file, triggers execution of another malicious script. post.php
380FA777B8C37FB60811E5972391261B Suspicious:PHP/eval_b64.1 WebShellOrb PHP webshell. .colors-rtl.php, .lapan.php, .wsa.php, and others.
CBF518A7A6722D9C7A9086E57E062737 Backdoor:PHP/WP-VCD.5476 Backdoor associated with SEO spam injections. wp-vcd.php
C62180F0D626D92E29E83778605DD8BE Suspicious:PHP/eval_exit.92 Obfuscated PHP backdoor. 4O4.php, file.php, i.php, and others.
3F60851C9F7E37C0D8817101D2212C68 Suspicious:PHP/eval_b64.1 Obfuscated PHP backdoor. -h7h0pfixp7.phpP, 01nbgrzyxu.php, 05hyfj1bf8.php, and others.

IPs Attacking Most Sites

Rank Prev. IP Address ASN Country
1 217.182.94.214 16276 (OVH SAS) France FR
2 139.198.0.135 4808 (China Unicom Beijing Province Network) China CN
3 167.99.57.138 14061 (DigitalOcean, LLC) United States US
4 51.89.224.145 16276 (OVH SAS) United Kingdom GB
5 91.134.154.170 16276 (OVH SAS) France FR
6 15.188.83.79 16509 (Amazon.com, Inc.) France FR
7 35.235.101.70 15169 (Google LLC) United States US
8 193.106.30.99 50297 (Infium, UAB) Ukraine UA
9 74.208.27.141 8560 (1&1 Internet SE) United States US
10 3 34.67.197.193 15169 (Google LLC) United States US

New Tracked Domains

Domain Name Date Added Current Status Notes
wiilberedmodels.com 09/04/2019 Up Hosting malicious scripts referenced in malware samples.
js.wiilberedmodels.com 09/06/2019 Up Hosting malicious scripts referenced in malware samples.

Subscribe To The Wordfence Weekly



Did you enjoy this post? Share it!

LinkedIn 

Recent Issues

Wordfence Weekly September 11 2019 – September 17 2019

In this Wordfence Weekly we share five new domains which have been added to our blacklist for their association with spamming and malvertising. A slightly modified variant of WP-VCD's wp-tmp.php script reaches the top of the malware chart, while the rest has remained stable from previous weeks. Lastly, several new IP addresses have reached the top ten attacking hosts during a week where the Wordfence firewall detected a notable surge in activity.

Read Full Report

Wordfence Weekly August 28 2019 – September 03 2019

This week we see a continued trend of WP-VCD infections on the top malware chart. Two newly tracked domains have been added, which are hosting malicious scripts referenced by other malware samples. Last, the popular Formidable Forms plugin was recently patched to improve its output sanitization, suggesting exploitability in its earlier versions.

Read Full Report

Wordfence Weekly August 21 2019 – August 27 2019

This week's Wordfence Weekly sees a continued trend of new WP-VCD infections taking over the Most Common New Infections chart. In Attacking IPs, the top two addresses from last week retain their positions while the rest of the list contains new IPs from a variety of hosts. Additionally, we're tracking some new malvertising domains as well as a MySQL host used by attackers taking over unfinished WordPress installs.

Read Full Report

Wordfence Weekly August 14 2019 – August 20 2019

In this Wordfence Weekly, we've got a Directory Traversal vulnerability in the highly popular WP Fastest Cache plugin. In the malware rankings, we see a number of samples associated with the WP_VCD SEO spam campaign as well as more PHP backdoor scripts. Also, this week's attacking IP rankings have returned to a typical spread of activity, with attacks from OVH SAS and DigitalOcean servers controlling the board.

Read Full Report

Wordfence Weekly August 07 2019 – August 13 2019

The prevalence of attacks from US-based host QuadraNet continues in this edition of Wordfence Weekly. Additionally, a few new noteworthy vulnerabilities have popped up, which are each seeing their own attacks. In particular, we've begun tracking some new domains associated with malicious redirects.

Read Full Report

Wordfence Weekly July 31 2019 – August 06 2019

This week, the list of the top IPs attacking WordPress sees a sudden appearance of seven addresses from the US-based hosting provider QuadraNet Enterprises LLC. In the tracked domains, we've added some illegitimate download sites referenced in malicious samples discovered by our site cleaning team.

Read Full Report

Wordfence Weekly July 24 2019 – July 30 2019

July's final Wordfence Weekly sees some news items regarding Marcus Hutchins' sentencing and a data breach from Capital One. Under the week's new tracked domains, we list xn--google-analytcs-xpb[.]com, a punycode domain masquerading as a Google Analytics domain when decoded. Malware trends and common attacking IPs remain stable, though OVH SAS's longtime domination of the attacking IP rankings continues to wane.

Read Full Report

Wordfence Weekly July 17 2019 – July 23 2019

This week's Wordfence Weekly shows an increase in US-based attack traffic, including an IP from popular web host GoDaddy. We're also seeing a rise in infected sites where the PHP webshell "Ironshell" is present. In the news, Equifax is slated to pay a settlement following its 2017 data breach and the nation of Kazakhstan is attempting to man-in-the-middle the internet traffic of its citizens.

Read Full Report

Wordfence Weekly July 10 2019 – July 16 2019

This week saw an uptick in malicious network activity from Chinese hosts, while IPs associated with OVH SAS have begun to pull back. We've begun tracking new domains associated with malvertising campaigns, while familiar backdoor scripts remain the top new infections of the week. In the news, an Instagram access control flaw could have allowed hackers to take over any account, and Apple put its foot down by removing hidden, vulnerable webservers from Zoom clients.

Read Full Report

Wordfence Weekly July 03 2019 – July 09 2019

This week, a new XSS flaw in Yoast was disclosed. Updating the plugin will resolve the issue, which could allow Editors in multisite environments to attack other sites in the network. In the news, YouTube catches flak for banning instructional hacking videos, and IBM officially acquires Red Hat. In our threat intel, we share a newly tracked domain used by infected sites to deploy new malicious content.

Read Full Report

Wordfence Weekly June 26 2019 – July 02 2019

In this Wordfence Weekly we've got a batch of repeat offenders occupying the malware rankings, but some newcomers have entered the top attacking IP addresses. In the news, check out Cloudflare's response following an outage that affected many internet users this week.

Read Full Report

Wordfence Weekly June 19 2019 – June 25 2019

In this week's Wordfence Weekly, we've tweaked the scope of our most common malware rankings. Previously these were ranked by which malware was identified on the most unique sites. However, this led to disproportionate representation of sites which neglected to clean old malware. Starting this week, we're ranking only malware found in new infections, which should provide more reliably actionable data.

Read Full Report

Wordfence Weekly June 12 2019 – June 18 2019

In this edition of the Wordfence Weekly, the top 5 list of malware hashes remains unchanged from last week, while French and Chinese hosts remain the largest source of blocked attacks on our network.

Read Full Report

Wordfence Weekly June 05 2019 – June 11 2019

In this edition of Wordfence Weekly, we see continued trends in malicious IPs from OVH SAS. On the malware side, familiar backdoors populate the top five but a script generating malicious binaries makes an appearance.

Read Full Report

Wordfence Weekly May 29 2019 – June 04 2019

In the first Wordfence Weekly we've got a vulnerability in the Convert Plus plugin, a script built to hide phishing campaigns hits the top five malware files for the week, and OVH SAS dominates the top ten attacking IPs.

Read Full Report
Archive