Persistent hack
-
This is how the bot knocks:
198.71.59.117 - - [20/Aug/2015:00:16:00 +0300] "POST /wp-content/uploads/ms/view.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:01 +0300] "POST /wp-content/uploads/mgd/xmlrpcS0V.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:02 +0300] "POST /wp-content/uploads/ne/utf.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:02 +0300] "POST /wp-content/uploads/2012/07/guestbookVaV.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:03 +0300] "POST /wp-content/uploads/admlast.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:04 +0300] "POST /wp-content/uploads/vbv/title.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:05 +0300] "POST /wp-content/uploads/2014/02/object.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:06 +0300] "POST /wp-content/uploads/aj/header.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:07 +0300] "POST /wp-content/uploads/2014/02/backup.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:07 +0300] "POST /wp-content/uploads/2012/info.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:08 +0300] "POST /wp-content/uploads/ayv/template.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:09 +0300] "POST /wp-content/uploads/ne/admin.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:10 +0300] "POST /wp-content/uploads/2014/08/press.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:11 +0300] "POST /wp-content/uploads/2014/07/option.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:12 +0300] "POST /wp-content/uploads/ne/test.php HTTP/1.0" 404 3063 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:12 +0300] "POST /wp-content/uploads/qw/dir.php HTTP/1.0" 404 3058 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:13 +0300] "POST /wp-content/uploads/2014/03/test.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:14 +0300] "POST /wp-content/uploads/bj/article.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
178.137.90.21 - - [20/Aug/2015:00:16:15 +0300] "GET /administrator/index.php HTTP/1.0" 200 4547 "-" "-"
198.71.59.117 - - [20/Aug/2015:00:16:15 +0300] "POST /wp-content/uploads/hdy/info.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
178.137.90.21 - - [20/Aug/2015:00:16:15 +0300] "POST /administrator/index.php HTTP/1.0" 303 26 "-" "-"
178.137.90.21 - - [20/Aug/2015:00:16:15 +0300] "GET /administrator/index.php HTTP/1.0" 200 2065 "-" "-"
198.71.59.117 - - [20/Aug/2015:00:16:16 +0300] "POST /wp-content/uploads/ccs/dirs.php HTTP/1.0" 404 3058 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:17 +0300] "POST /wp-content/themes/twentyten/sidebar.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:17 +0300] "POST /wp-content/plugins/xcalendar/xcalendar.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:18 +0300] "POST /wp-pass.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:19 +0300] "POST /wp-content/themes/twentythirteen/sidebar.php HTTP/1.0" 500 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:20 +0300] "POST /wp-content/uploads/gqy/cache.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:21 +0300] "POST /wp-includes/theme-compat/header.php HTTP/1.0" 500 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:22 +0300] "POST /wp-content/themes/twentythirteen/archive.php HTTP/1.0" 500 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:23 +0300] "POST /wp-content/themes/twentyten/index.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:24 +0300] "POST /wp-includes/session.php HTTP/1.0" 200 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:25 +0300] "POST /wp-content/themes/twentyeleven/sidebar-page.php HTTP/1.0" 500 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:26 +0300] "POST /wp-includes/class-wp-editor.php HTTP/1.0" 200 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:26 +0300] "POST /wp-content/themes/twentyeleven/content-single.php HTTP/1.0" 500 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:27 +0300] "POST /wp-content/uploads/gqy/.1634dd.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:28 +0300] "POST /wp-content/uploads/vbv/info.php HTTP/1.0" 404 3059 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:29 +0300] "POST /wp-content/uploads/2014/02/templist.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:30 +0300] "POST /wp-content/uploads/wl/proxy.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:31 +0300] "POST /wp-includes/SimplePie/Author.php HTTP/1.0" 200 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:31 +0300] "POST /wp-includes/SimplePie/Category.php HTTP/1.0" 200 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:32 +0300] "POST /wp-content/model.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:33 +0300] "POST /wp-includes/images/smilies/page.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:34 +0300] "POST /wp-content/uploads/page.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:35 +0300] "POST /wp-content/themes/twentyfifteen/article.php HTTP/1.0" 404 3059 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:35 +0300] "POST /wp-content/themes/twentyfourteen/images/global.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:36 +0300] "POST /wp-content/themes/twentythirteen/js/user.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:37 +0300] "POST /wp-includes/js/imgareaselect/proxy.php HTTP/1.0" 404 3058 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:38 +0300] "POST /wp-content/uploads/ms/sql.php HTTP/1.0" 404 3058 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:39 +0300] "POST /wp-content/themes/twentyfifteen/css/dump.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:40 +0300] "POST /wp-includes/js/tinymce/plugins/paste/plugin.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:41 +0300] "POST /wp-includes/js/tinymce/plugins/wordpress/article.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:42 +0300] "POST /wp-includes/css/info.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:43 +0300] "POST /wp-includes/js/tinymce/plugins/compat3x/proxy.php HTTP/1.0" 404 3063 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:44 +0300] "POST /wp-includes/js/tinymce/plugins/lists/help.php HTTP/1.0" 404 3059 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:45 +0300] "POST /wp-content/uploads/2012/functions.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:45 +0300] "POST /wp-content/themes/twentythirteen/js/user.php HTTP/1.0" 200 993 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:46 +0300] "POST /wp-content/themes/twentythirteen/tag.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:47 +0300] "POST /wp-content/themes/twentyfourteen/inc/featured-content.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:48 +0300] "POST /wp-content/themes/twentytwelve/content.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:49 +0300] "POST /wp-content/themes/twentyfifteen/archive.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:49 +0300] "POST /wp-content/themes/twentyfifteen/index.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:50 +0300] "POST /wp-content/themes/twentyfifteen/search.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:51 +0300] "POST /wp-content/themes/twentythirteen/content-status.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:52 +0300] "POST /wp-content/themes/twentyeleven/sidebar-page.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:52 +0300] "POST /wp-content/themes/twentythirteen/functions.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:53 +0300] "POST /wp-content/themes/twentythirteen/author.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:54 +0300] "POST /wp-content/themes/index.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:55 +0300] "POST /wp-content/themes/twentyfourteen/index.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:55 +0300] "POST /wp-content/themes/twentythirteen/content-image.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:56 +0300] "POST /wp-content/themes/twentyfifteen/author-bio.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:57 +0300] "POST /wp-content/themes/twentythirteen/footer.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:58 +0300] "POST /wp-content/themes/twentyfourteen/inc/customizer.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:58 +0300] "POST /wp-content/themes/twentytwelve/sidebar.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.71.59.117 - - [20/Aug/2015:00:16:59 +0300] "POST /wp-content/themes/twentyfourteen/content-gallery.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
As a result it still drops a pile of PHP into /wp-content. Wherever it hits a 404, that is what I already cleaned up over the previous 3-4 hacks :) It uses this junk to send out a pile of spam and as link hosting.
Here is what it drops:
https://www.virustotal.com/ru/file/bb15a692f22fa594a87d4da02f94daf334b5fb8ffc2c4c121d5005d363b0db8d/analysis/1440566877/
You can grab it here:
https://cloud.mail.ru/public/7LDt/hiBphdJax
Password 112233
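Editor's note, not part of the original post: read as a defender, the excerpt above shows three things worth turning into a check. A single client fires about 75 POST requests at .php paths in one minute; the 404s are the files the poster already removed; the 200 responses with 26- to 51-byte bodies at theme and wp-includes paths are backdoors that still answer; and /wp-content/themes/twentyeleven/sidebar-page.php returns 500 at 00:16:25 but 200 with 51 bytes at 00:16:52, so something was written to disk between those two requests. The Python below is an added example (mine, not the poster's) that encodes those three signals as rules over a combined-format access log. The log lines embedded in it are constructed to mirror the thread's format, with documentation-range IPs; the rule thresholds (body under 100 bytes, 404/500 followed by 200) are my assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format, the same layout as the thread's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: a genuine WordPress response to a direct POST on a template
# file is a fatal error (5xx), not a 200 with a body of a few dozen bytes.
TINY_BODY = 100

# Constructed sample, modelled on the thread's log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Aug/2015:00:16:00 +0300] "POST /wp-content/uploads/ms/view.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Aug/2015:00:16:25 +0300] "POST /wp-content/themes/twentyeleven/sidebar-page.php HTTP/1.0" 500 26 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Aug/2015:00:16:40 +0300] "GET /wp-content/uploads/2015/08/photo.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Aug/2015:00:16:45 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Aug/2015:00:16:52 +0300] "POST /wp-content/themes/twentyeleven/sidebar-page.php HTTP/1.0" 200 51 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Aug/2015:00:16:58 +0300] "POST /wp-content/themes/twentytwelve/sidebar.php HTTP/1.0" 200 51 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    d["path"] = d["path"].split("?", 1)[0].lower()  # drop query string
    return d


def classify(entry):
    """Per-request rules: reasons this POST to a .php file looks like webshell traffic."""
    reasons = []
    if entry["method"] != "POST" or not entry["path"].endswith(".php"):
        return reasons
    if entry["path"].startswith("/wp-content/uploads/"):
        # Nothing legitimate executes PHP from the uploads tree.
        reasons.append("POST to PHP under wp-content/uploads")
    under_templates = entry["path"].startswith(("/wp-content/themes/", "/wp-includes/"))
    if under_templates and entry["status"] == 200 and entry["size"] < TINY_BODY:
        # A theme template or core include answering a POST with a tiny 200 body.
        reasons.append("template/include answered POST with 200 and tiny body")
    return reasons


def scan(lines):
    """Run the rules over log lines. Returns (alerts, hits per IP).

    Besides the per-request rules, tracks the first status seen for each
    (ip, path) and flags a later 200 after a 404/500: the file appeared.
    """
    alerts = []
    per_ip = Counter()
    first_status = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = classify(e)
        if e["method"] == "POST" and e["path"].endswith(".php"):
            prev = first_status.setdefault((e["ip"], e["path"]), e["status"])
            if prev in (404, 500) and e["status"] == 200:
                reasons.append("path that previously failed now answers 200 (file planted?)")
        if reasons:
            alerts.append({"ip": e["ip"], "ts": e["ts"], "path": e["path"],
                           "status": e["status"], "reasons": reasons})
            per_ip[e["ip"]] += 1
    return alerts, per_ip


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["ip"], a["status"], a["path"], "|", "; ".join(a["reasons"]))
    print("hits per IP:", dict(counts))
```

To run it over a real file use `scan(open("access.log"))`; the per-IP counter gives a quick ranking of scanners, and the "previously failed, now 200" reason points at the paths to diff against a clean WordPress checkout. The sample includes a POST to /wp-admin/admin-ajax.php with a 51-byte 200 response precisely because it must not fire: that endpoint legitimately answers small POSTs, which is why the tiny-body rule is restricted to theme and include paths. Denying PHP execution under wp-content/uploads at the web server removes the first class of request outright rather than merely detecting it.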
Viewing 12 replies - 1 through 12 (of 12 total)
- The topic "Persistent hack" is closed to new replies.