  • [Resolved] Webmaster (@monkeyfaqs)

    This last week I've started seeing this sequence in my logs, generally several times a day, each from a different IP. It's the same sequence except for the token, which changes. Has anyone encountered this as well? I'm wondering about the sequence. It looks like they are trying to profile the system to gain entry. Any insights?

    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:31 -0800] "GET / HTTP/1.1" 200 11059 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:32 -0800] "GET / HTTP/1.1" 200 11059 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:32 -0800] "GET /?token=8d2df1fb0fcbd1090ad2c4f7c6e032a1 HTTP/1.1" 200 11080 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:33 -0800] "GET / HTTP/1.1" 200 11059 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:33 -0800] "GET /?pass=var_dump&lock=vfdgdfg HTTP/1.1" 200 11080 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:33 -0800] "GET /?Z=var_dump('vfdgdfg'); HTTP/1.1" 301 - "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:34 -0800] "GET /?Z=var_dump%28%5C%27vfdgdfg%5C%27%29%3B HTTP/1.1" 200 11080 "https://mywebsite.com/?Z=var_dump('vfdgdfg');"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:34 -0800] "POST / HTTP/1.1" 200 11082 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:35 -0800] "GET /?lt=1 HTTP/1.1" 200 11080 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:35 -0800] "POST / HTTP/1.1" 200 11082 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:36 -0800] "GET /?lt=1 HTTP/1.1" 200 11080 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:37 -0800] "GET /wp-content/plugins/ultimate-member/assets/js/um-modal.js HTTP/1.1" 404 29910 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:37 -0800] "GET /wp-content/plugins/ti-woocommerce-wishlist/assets/js/public.js HTTP/1.1" 404 29910 "-"
    138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:38 -0800] "GET / HTTP/1.1" 200 11059 "-"

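A worked classification of the sequence above, added here by the editor and not code from the thread or from Wordfence. It parses the poster's own log lines (embedded as a constructed sample, with the quotes straightened) and tags each request under one reading of what the scanner is doing: a query value that is PHP code (`Z=var_dump('vfdgdfg');`) or a bare PHP function name (`pass=var_dump`) is a probe for an eval-style backdoor, which the scanner would confirm by finding the text `var_dump` prints, `string(7) "vfdgdfg"`, in the response; the 404s under `/wp-content/plugins/<slug>/` fingerprint installed plugins. The function list, the tag names and the "blind POST to /" rule are the editor's assumptions, not anything the thread states; the summary is keyed per source IP, so the same code works on the "different IP each time" logs the poster describes.

```python
# Editor's added example, not code from the thread or from Wordfence. It classifies the
# probe sequence posted above under this reading of it: PHP code or a bare PHP function
# name in a query value probes for an eval-style backdoor (success would show as var_dump's
# marker in the response); 404s under wp-content/plugins fingerprint installed plugins.
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

LOG_RE = re.compile(  # combined-style Apache log with a vhost field after the client IP
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)"')
PHP_CALL_RE = re.compile(r'^([a-z_]\w*)\s*\(.*\)\s*;?$', re.I | re.S)   # name(...);
VAR_DUMP_RE = re.compile(r"""var_dump\(\s*(['"])(.*?)\1\s*\)""", re.I)
PHP_FUNCS = {"var_dump", "print_r", "eval", "assert", "system", "passthru",
             "shell_exec", "phpinfo"}   # illustrative list, not exhaustive
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/]+)/')

# Constructed sample: the 14 lines from the post, with their quotes straightened.
SAMPLE_LOG = """\
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:31 -0800] "GET / HTTP/1.1" 200 11059 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:32 -0800] "GET / HTTP/1.1" 200 11059 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:32 -0800] "GET /?token=8d2df1fb0fcbd1090ad2c4f7c6e032a1 HTTP/1.1" 200 11080 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:33 -0800] "GET / HTTP/1.1" 200 11059 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:33 -0800] "GET /?pass=var_dump&lock=vfdgdfg HTTP/1.1" 200 11080 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:33 -0800] "GET /?Z=var_dump('vfdgdfg'); HTTP/1.1" 301 - "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:34 -0800] "GET /?Z=var_dump%28%5C%27vfdgdfg%5C%27%29%3B HTTP/1.1" 200 11080 "https://mywebsite.com/?Z=var_dump('vfdgdfg');"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:34 -0800] "POST / HTTP/1.1" 200 11082 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:35 -0800] "GET /?lt=1 HTTP/1.1" 200 11080 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:35 -0800] "POST / HTTP/1.1" 200 11082 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:36 -0800] "GET /?lt=1 HTTP/1.1" 200 11080 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:37 -0800] "GET /wp-content/plugins/ultimate-member/assets/js/um-modal.js HTTP/1.1" 404 29910 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:37 -0800] "GET /wp-content/plugins/ti-woocommerce-wishlist/assets/js/public.js HTTP/1.1" 404 29910 "-"
138.197.197.172 mywebsite.com - - [02/Dec/2020:17:20:38 -0800] "GET / HTTP/1.1" 200 11059 "-"
"""

def parse_line(line):
    """One log line -> dict of fields, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(e["target"])
    e["path"] = url.path
    # Split the query by hand: older parse_qsl also split on ';' and would cut the payload.
    e["params"] = [tuple(unquote_plus(s) for s in p.partition("=")[::2])
                   for p in url.query.split("&") if p]
    return e

def classify(e):
    """(tag, detail) findings for one parsed request."""
    found = []
    for key, value in e["params"]:
        call = PHP_CALL_RE.match(value.strip().replace("\\", ""))  # drop \' escaping
        if call and call.group(1).lower() in PHP_FUNCS:
            found.append(("php-code-in-query", value))
        elif value.strip().lower() in PHP_FUNCS:
            found.append(("php-function-name-in-query", key + "=" + value))
    pm = PLUGIN_RE.match(e["path"])
    if pm and e["status"] == 404:
        found.append(("plugin-fingerprint", pm.group(1)))
    if e["method"] == "POST" and e["path"] == "/" and e["referer"] == "-":
        found.append(("post-to-root-no-referer", e["target"]))
    return found

def expected_marker(code):
    """Text var_dump prints for a string literal, e.g. string(7) "vfdgdfg"; None otherwise."""
    m = VAR_DUMP_RE.search(code.replace("\\", ""))
    if not m:
        return None
    return 'string(%d) "%s"' % (len(m.group(2).encode("utf-8")), m.group(2))

def response_has_marker(body, marker):
    """The scanner's success test; a site that did not execute the payload never echoes it."""
    return marker in body

def analyse(log_text):
    """Per-IP summary: request count, burst length, tag counts, plugins probed, markers."""
    per_ip = {}
    for e in filter(None, map(parse_line, log_text.splitlines())):
        r = per_ip.setdefault(e["ip"], {"requests": 0, "first": e["ts"], "tags": Counter(),
                                        "plugins": [], "markers": set()})
        r["requests"] += 1
        r["span_seconds"] = (e["ts"] - r["first"]).total_seconds()
        for tag, detail in classify(e):
            r["tags"][tag] += 1
            if tag == "plugin-fingerprint":
                r["plugins"].append(detail)
            elif tag == "php-code-in-query":
                marker = expected_marker(detail)
                if marker:
                    r["markers"].add(marker)
    return per_ip

if __name__ == "__main__":
    for ip, r in analyse(SAMPLE_LOG).items():
        print(ip, r["requests"], "requests in", r["span_seconds"], "s:", dict(r["tags"]))
        print("  plugins probed:", r["plugins"], " markers:", sorted(r["markers"]))
```

Run against the sample, the single IP gets 14 requests in 7 seconds, two `php-code-in-query` hits (the raw and the URL-encoded `Z=` payload), one `php-function-name-in-query` hit (`pass=var_dump`), two plugin fingerprints (`ultimate-member`, `ti-woocommerce-wishlist`) and one predicted marker, `string(7) "vfdgdfg"`. The practical check this gives a site owner is `response_has_marker`: fetch your own site with the same `?Z=var_dump('vfdgdfg');` query and confirm the body does not contain `string(7) "vfdgdfg"`; if it does, something on the site executed the query parameter, which is exactly what the scanner is hoping to find. A 200 with the normal page, as in the posted log, is the expected result for a clean site.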
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter (@wfpeter)

    Hi @monkeyfaqs, I apologise for a slightly delayed response; we had our team looking into this quite thoroughly to advise you on what's being attempted here.

    The IP from these logs was blocklisted during Nov 23-30. That IP and some others we detected have been looking for wp-config files and probing for vulnerabilities, so if you're not detecting any malware on your site, we suspect this may be scanning behaviour for known backdoors.

    We recommend a plugin reset which may find files that got added to exclusions during the first scan, then running another scan to see if there’s possibly an uncaught infection.

    Firstly please follow the instructions to reset as follows:

    https://www.wordfence.com/help/advanced/remove-or-reset/

    If you want to do a fresh reinstall of Wordfence you can enable the option "Delete Wordfence tables and data on deactivation". If you then deactivate the plugin, all the Wordfence tables will be deleted. You can then choose to activate Wordfence again to get a fresh installation.

    Following this, run a scan with the following options enabled in Wordfence > Scan > Scan Options and Scheduling:

    Scan images, binary, and other files as if they were executable
    Scan files outside your WordPress installation

    Let us know how you get on. If there’s nothing detected, then we think it may have been an unsuccessful probe for vulnerabilities as an attack will rarely pre-check a site for plugins with issues in advance.

    Thanks,

    Peter.

  • Plugin Support wfpeter (@wfpeter)

    Hi @monkeyfaqs,

    Hopefully the steps outlined above were successful for you. If you have more Wordfence questions in the future, please start a new topic and we’ll be glad to help any time.

    Peter.


The topic ‘New Hack using var_dump’ is closed to new replies.