Title: New Hack using var_dump
Last modified: December 3, 2020

---

# New Hack using var_dump

 *  Resolved [Webmaster](https://wordpress.org/support/users/monkeyfaqs/)
 * (@monkeyfaqs)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/new-hack-using-var_dump/)
 * This last week I’ve started seeing this sequence in my logs. Generally several
   times a day, each from a different IP. It’s the same sequence except for the token,
   which changes. Has anyone encountered this as well? I’m wondering about the sequence.
   It looks like they are trying to profile the system to gain entry. Any insights?
 * ```
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:31 -0800] “GET / HTTP/1.1” 200 11059 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:32 -0800] “GET / HTTP/1.1” 200 11059 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:32 -0800] “GET /?token=8d2df1fb0fcbd1090ad2c4f7c6e032a1 HTTP/1.1” 200 11080 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:33 -0800] “GET / HTTP/1.1” 200 11059 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:33 -0800] “GET /?pass=var_dump&lock=vfdgdfg HTTP/1.1” 200 11080 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:33 -0800] “GET /?Z=var_dump(‘vfdgdfg’); HTTP/1.1” 301 – “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:34 -0800] “GET /?Z=var_dump%28%5C%27vfdgdfg%5C%27%29%3B HTTP/1.1” 200 11080 “https://mywebsite.com/?Z=var_dump(‘vfdgdfg’);”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:34 -0800] “POST / HTTP/1.1” 200 11082 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:35 -0800] “GET /?lt=1 HTTP/1.1” 200 11080 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:35 -0800] “POST / HTTP/1.1” 200 11082 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:36 -0800] “GET /?lt=1 HTTP/1.1” 200 11080 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:37 -0800] “GET /wp-content/plugins/ultimate-member/assets/js/um-modal.js HTTP/1.1” 404 29910 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:37 -0800] “GET /wp-content/plugins/ti-woocommerce-wishlist/assets/js/public.js HTTP/1.1” 404 29910 “-”
   138.197.197.172 mywebsite.com – – [02/Dec/2020:17:20:38 -0800] “GET / HTTP/1.1” 200 11059 “-”
   ```

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/new-hack-using-var_dump/#post-13748188)
 * Hi [@monkeyfaqs](https://wordpress.org/support/users/monkeyfaqs/), I apologise
   for a slightly delayed response, we had our team looking into this quite thoroughly
   to advise you on what’s being attempted here.
 * The IP from these logs was blocklisted during Nov 23-30. That IP and some others
   we detected have been looking for wp-config files probing for vulnerabilities,
   so if you’re not detecting any malware on your site, we suspect this may be scanning
   behavior for known backdoors.
 * We recommend a plugin reset which may find files that got added to exclusions
   during the first scan, then running another scan to see if there’s possibly an
   uncaught infection.
 * Firstly please follow the instructions to reset as follows:
 * [https://www.wordfence.com/help/advanced/remove-or-reset/](https://www.wordfence.com/help/advanced/remove-or-reset/)
 * > If you want to do a fresh reinstall of Wordfence you can enable the option
   > “**Delete Wordfence tables and data on deactivation**”. If you then deactivate
   > the plugin, all the Wordfence tables will be deleted. You can then choose to
   > activate Wordfence again to get a fresh installation
 * Following this, run a scan with the following options enabled in
   **Wordfence > Scan > Scan Options and Scheduling**:
 * **Scan images, binary, and other files as if they were executable**
 * **Scan files outside your WordPress installation**
 * Let us know how you get on. If there’s nothing detected, then we think it may
   have been an unsuccessful probe for vulnerabilities as an attack will rarely 
   pre-check a site for plugins with issues in advance.
 * Thanks,
 * Peter.
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/new-hack-using-var_dump/#post-13791455)
 * Hi [@monkeyfaqs](https://wordpress.org/support/users/monkeyfaqs/),
 * Hopefully the steps outlined above were successful for you. If you have more 
   Wordfence questions in the future, please start a new topic and we’ll be glad
   to help any time.
 * Peter.
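Added example, not part of the thread and not Wordfence code: a log triage sketch for the probe pattern in the original post, flagging requests whose query parameters name or call a PHP function and grouping them by client IP. The log layout is assumed from the lines in the post; the function list, the `new_size` heuristic and the sample lines (documentation IPs, `example.com`) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote

# Assumed layout, as in the post: ip vhost - - [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (.*) HTTP/[\d.]+" (\d{3}) (\d+|-)')
# Assumption: a short illustrative list of PHP function names, not a complete one.
FUNCS = r'(?:var_dump|print_r|phpinfo|passthru|shell_exec|base64_decode)'
PROBE = re.compile(r'^%s$|\b%s\s*\(' % (FUNCS, FUNCS), re.I)

def probe_params(target):
    """Names of query parameters whose decoded value is, or calls, a PHP function."""
    query = target.partition('?')[2]
    return sorted({name for name, value in parse_qsl(query, keep_blank_values=True)
                   if PROBE.search(unquote(value))})  # unquote: catches double encoding

def triage(lines):
    """Map client IP -> flagged requests. 'new_size' marks a 200 response whose size was
    never seen on an unflagged request to the same path: a heuristic for what to read first."""
    rows = [m.groups() for m in map(LINE.match, lines) if m]
    baseline = defaultdict(set)
    for ip, vhost, when, method, target, status, size in rows:
        if status == '200' and not probe_params(target):
            baseline[(vhost, target.partition('?')[0])].add(size)
    flagged = defaultdict(list)
    for ip, vhost, when, method, target, status, size in rows:
        params = probe_params(target)
        if params:
            seen = baseline[(vhost, target.partition('?')[0])]
            flagged[ip].append({'time': when, 'params': params, 'status': int(status),
                                'new_size': status == '200' and size not in seen})
    return dict(flagged)

# Constructed sample lines modelled on the format in the post (not real traffic).
SAMPLE = [
    '203.0.113.7 example.com - - [02/Dec/2020:17:20:31 -0800] "GET / HTTP/1.1" 200 11059 "-"',
    '203.0.113.7 example.com - - [02/Dec/2020:17:20:32 -0800] "GET /?lt=1 HTTP/1.1" 200 11080 "-"',
    '203.0.113.7 example.com - - [02/Dec/2020:17:20:33 -0800] "GET /?pass=var_dump&lock=vfdgdfg HTTP/1.1" 200 11080 "-"',
    '203.0.113.7 example.com - - [02/Dec/2020:17:20:33 -0800] "GET /?Z=var_dump(\'vfdgdfg\'); HTTP/1.1" 301 - "-"',
    '203.0.113.7 example.com - - [02/Dec/2020:17:20:34 -0800] "GET /?Z=var_dump%28%5C%27vfdgdfg%5C%27%29%3B HTTP/1.1" 200 11080 "-"',
    '198.51.100.9 example.com - - [02/Dec/2020:18:02:10 -0800] "GET /?pass=var_dump&lock=abc HTTP/1.1" 200 11141 "-"',
]

if __name__ == '__main__':
    for ip, hits in triage(SAMPLE).items():
        print(ip, hits)
```

A matching response size does not show the site is clean; it only orders the review, and the file scan described in the reply above is still the check for an installed backdoor.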
