bediger4000
diff --git a/‎91.223.167.117-2017-12-27a/91.223.167.117WkGUO-k3411Y64MGy-pOIQAAAAo.0.file
+313 b/‎91.223.167.117-2017-12-27a/91.223.167.117WkGUO-k3411Y64MGy-pOIQAAAAo.0.file
+313
diff --git a/‎91.223.167.117-2017-12-27a/91.223.167.117WkGUO-k3411Y64MGy-pOIQAAAAo.wso.scans
+79 b/‎91.223.167.117-2017-12-27a/91.223.167.117WkGUO-k3411Y64MGy-pOIQAAAAo.wso.scans
+79
diff --git a/‎91.223.167.117-2017-12-27a/README.md
+45 b/‎91.223.167.117-2017-12-27a/README.md
+45
diff --git a/‎91.223.167.117-2017-12-27a/dc1.php
+379 b/‎91.223.167.117-2017-12-27a/dc1.php
+379
@@ -0,0 +1,79 @@
+
+_SERVER
+Array
+(
+    [UNIQUE_ID] => WkGUO-k3411Y64MGy-pOIQAAAAo
+    [SCRIPT_URL] => /wp-content/themes/twentytwelve/apache2.php
+    [SCRIPT_URI] => http://stratigery.com/wp-content/themes/twentytwelve/apache2.php
+    [HTTP_CONNECTION] => Keep-Alive
+    [CONTENT_TYPE] => multipart/form-data; boundary=--------122617031341835
+    [CONTENT_LENGTH] => 34248
+    [HTTP_HOST] => stratigery.com
+    [HTTP_ACCEPT] => text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
+    [HTTP_ACCEPT_LANGUAGE] => ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
+    [HTTP_REFERER] => http://stratigery.com/wp-content/themes/twentytwelve/apache2.php
+    [HTTP_USER_AGENT] => Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17
+    [HTTP_COOKIE] => d8670190bc460b6abebf276d20db5892=63a9f0ea7bb98050796b649e85481845
+    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin
+    [SERVER_SIGNATURE] => 
+    [SERVER_SOFTWARE] => Apache/2.4.29 (Unix) PHP/7.2.0
+    [SERVER_NAME] => stratigery.com
+    [SERVER_ADDR] => 162.246.45.144
+    [SERVER_PORT] => 80
+    [REMOTE_ADDR] => 91.223.167.117
+    [DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [REQUEST_SCHEME] => http
+    [CONTEXT_PREFIX] => 
+    [CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [SERVER_ADMIN] => [email protected]
+    [SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wso.php
+    [REMOTE_PORT] => 57824
+    [GATEWAY_INTERFACE] => CGI/1.1
+    [SERVER_PROTOCOL] => HTTP/1.1
+    [REQUEST_METHOD] => POST
+    [QUERY_STRING] => 
+    [REQUEST_URI] => /wp-content/themes/twentytwelve/apache2.php
+    [SCRIPT_NAME] => /wp-content/themes/twentytwelve/apache2.php
+    [PHP_SELF] => /wp-content/themes/twentytwelve/apache2.php
+    [REQUEST_TIME_FLOAT] => 1514247227.381
+    [REQUEST_TIME] => 1514247227
+)
+
+_REQUEST
+Array
+(
+    [a] => FilesMan
+    [c] => /var/www/html/.htaccess/
+    [p1] => uploadFile
+    [charset] => Windows-1251
+)
+
+_COOKIE
+ Array
+(
+    [d8670190bc460b6abebf276d20db5892] => 63a9f0ea7bb98050796b649e85481845
+)
+
+_FILES
+ 
+UPLOADED FILE f
+ Array
+(
+    [name] => .htaccessPNB1PN
+    [type] => application/octet-stream
+    [tmp_name] => /tmp/phpkYY6Ni
+    [error] => 0
+    [size] => 33416
+)
+
+END UPLOADED FILE f
+ Uploaded file: /var/tmp/91.223.167.117WkGUO-k3411Y64MGy-pOIQAAAAo.0.file
+
+END _FILES
+ $my_blog=http://stratigery.com/wp-content/themes/twentytwelve
+Acting as WSO, login cookie.
+a = FilesMan
+c = /var/www/html/.htaccess/
+p1 = uploadFile
+Acting as WSO, receive uploaded file.
+Acting as WSO, send /var/www/html/ listing.
@@ -0,0 +1,45 @@
+# .htaccess mobile phone redirector
+
+Redirect mobile phone browsers to some undesired URL
+
+## Origin
+
+### IP Address 91.223.167.117
+
+Belongs in 91.223.167.0/24AS197615, NASZASIEC-NET in Poland.
+
+`traceroute` agrees, hopping through hosts named 'naszasiec.ip4.epix.net.pl' and
+ending at 'ip-91-223-167-117.naszasiec.net'.
+
+### Download
+
+Downloaded to my WordPress honey pot's fake WSO web shell, via `FilesMan` action,
+`uploadFile` sub-action. The downloader was hoping to put a file `/var/www/html/.htaccess/.htaccessPNB1PN`
+in place.
+
+## Decoding
+
+1. Copy `*file` to `dc1.php`
+2. Run [tidy](https://github.com/htacg/tidy-html5) on, and hand edit `dc1.php` to fix HTML problems, yielding `f1.php`
+
+## Analysis
+
+Seems to put in place a `.htaccess` file that selectively redirects
+(via Apache `mod_rewrie`)
+mobile phone browser accesses of document root (`/var/www/html/`)
+for the WordPress
+Apache server
+to `http://googleads.g.doubleclick.cn.com/udoe19.html`
+
+I got `ERROR 403: Forbidden` when I tried to access that URL using `wget`.
+The URL is clearly formed to trick the human eye.
+
+The weird part is that it wants to leave in place the HTML
+generated by my fake WSO, to display if a non-mobile phone
+browser does the same access. I can't tell if the downloader
+is buggy, or it got confused by the fake WSO, or some other
+possibility.
+
+Domain name `googleads.g.doubleclick.cn.com` resolves to 5.188.62.23,
+an IP address in 5.188.62.0/24as44050, assigned to some Ukrainian
+entity.