Wordfence Weekly September 25 2019 – October 01 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Notable Vulnerabilities

Name: GiveWP < 2.5.5 - Authentication Bypass
Description: Certain configurations allow unauthenticated information disclosure.
Type: A3 – Sensitive Data Exposure
Name: Easy Fancybox < 1.8.18 - Authenticated Stored XSS
Description: Authenticated users with Editor privileges or greater can inject XSS payloads in media metadata.
Type: A7 – Cross-Site Scripting (XSS)
Name: Theme Editor <= 2.1 - Multiple Vulnerabilities
Description: Multiple issues, including an authenticated arbitrary file upload.
Type: A5 – Broken Access Control

Most Common New Infections

Malware samples identified on the greatest count of newly infected sites.

MD5 Signature Description Example File Names
CEC9A529B43D84F0A0E3624372CD9C51 Backdoor:PHP/WP-VCD.5409 Infected core file, triggers execution of another malicious script. post.php
7D9A88B33CD777B0949A3033512C1D08 Backdoor:PHP/wp-vcd.5476 Backdoor associated with SEO spam injections. wp-vcd.php
3F60851C9F7E37C0D8817101D2212C68 Suspicious:PHP/eval_b64.1 Obfuscated PHP backdoor. -h7h0pfixp7.phpP, 01nbgrzyxu.php, 05hyfj1bf8.php, and others.
701CB9E0ACF43569D3C539B073DAAF2F Spam:PHP/oclasinsert.5483 SEO spam code injector. wp-tmp.php
380FA777B8C37FB60811E5972391261B Suspicious:PHP/evalB64.4068 WebShellOrb PHP webshell. wp-update.php, ob.php, aw.php, and others.

IPs Attacking Most Sites

Rank Prev. IP Address ASN Country
1 8 14061 (DigitalOcean, LLC) Germany DE
2 4 14061 (DigitalOcean, LLC) United States US
3 16276 (OVH SAS) France FR
4 5 16276 (OVH SAS) Canada CA
5 42926 (Radore Veri Merkezi Hizmetleri A.S.) Turkey TR
6 10 16276 (OVH SAS) France FR
7 7684 (SAKURA Internet Inc.) Japan JP
8 14061 (DigitalOcean, LLC) Singapore SG
9 16276 (OVH SAS) Canada CA
10 9 14061 (DigitalOcean, LLC) United States US

New Tracked Domains

Domain Name Date Added Current Status Notes
6tws.us 09/26/2019 Up Several subdomains referenced in malware samples.
belaterbewasthere.com 09/27/2019 Up Associated with malvertising campaign.
createrelativechanging.com 09/28/2019 Up Associated with malvertising campaign.

Subscribe To The Wordfence Weekly

Did you enjoy this post? Share it!

Recent Issues