Support » Fixing WordPress » Crackers are using xmlrpc.php and putting a backdoor into my PHP code…

  • access.log.1:151.80.103.33 - - [28/Sep/2015:23:03:10 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:196.36.167.46 - - [28/Sep/2015:23:07:13 -0700] "POST /xmlrpc.php HTTP/1.1" 404 504 "-" "-"
    access.log.1:181.174.182.153 - - [28/Sep/2015:23:07:52 -0700] "POST /xmlrpc.php HTTP/1.1" 200 629 "-" "-"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:08:16 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:42.116.25.90 - - [28/Sep/2015:23:09:01 -0700] "POST /xmlrpc.php HTTP/1.1" 200 836 "-" "-"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:13:04 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:180.250.89.210 - - [28/Sep/2015:23:13:46 -0700] "POST /xmlrpc.php HTTP/1.1" 200 629 "-" "-"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:18:22 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:23:25 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:28:19 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:59.178.173.233 - - [28/Sep/2015:23:30:29 -0700] "POST /xmlrpc.php HTTP/1.1" 404 474 "-" "-"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:33:15 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:38:48 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:43:56 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:48:43 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:53:38 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:31.11.95.223 - - [28/Sep/2015:23:54:00 -0700] "POST /xmlrpc.php HTTP/1.1" 200 629 "-" "-"
    access.log.1:151.80.103.33 - - [28/Sep/2015:23:58:28 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:151.80.103.31 - - [29/Sep/2015:00:00:35 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:151.80.103.31 - - [29/Sep/2015:00:02:25 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    access.log.1:151.80.103.33 - - [29/Sep/2015:00:03:15 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
    ^C

    This is info on the trojan they’re installing. I’m trying to use stream editor or possibly awk to remove it.. I think XMLRPC is how they’re getting in..
    http://stackoverflow.com/questions/33072420/how-do-i-use-find-sed-i-to-remove-the-line-containing-ua-strtolower-from-p

Viewing 1 replies (of 1 total)
Viewing 1 replies (of 1 total)
  • The topic ‘Crackers are using xmlrpc.php and putting a backdoor into my PHP code…’ is closed to new replies.