dotquery
Forum Replies Created
Viewing 2 replies - 1 through 2 (of 2 total)
Ours got hit before we set a password on the installer. Logs provided above. Compare to your logs if they’re still around.
I had this happen to a site I host as well.
Within 10 minutes of setting up the new site, adding the DNS, and requesting a Let's Encrypt certificate, I had a foreign actor installing what appears to be a fake WP plugin that then transitioned to this .query.php script and was eventually used to DDoS another hosting provider.
Excerpt from the logs:
185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "GET /wp-admin/install.php HTTP/1.1" 200 13230
185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 5001
185.59.x.x - - [11/Mar/2022:17:05:40 -0500] "POST /wp-login.php HTTP/1.1" 302 -
185.59.x.x - - [11/Mar/2022:17:05:41 -0500] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 26161
185.59.x.x - - [11/Mar/2022:17:05:51 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 17775
185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "GET /wp-content/plugins/contact-form-maker/contact-form-maker.php?a=0&b=5768720944787703971 HTTP/1.1" 200 -
185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "POST /wp-includes/.query.php HTTP/1.1" 200 9
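The log excerpt above shows the whole chain a hosting operator would want to alert on: the WordPress installer's step 2 completing from a remote address, a plugin upload seconds later from the same address, and then requests to a hidden PHP file under wp-includes. The following is an added example (not code from the forum poster) that parses access-log lines in this format and flags that sequence; the sample log is constructed to mirror the excerpt, with a documentation-range placeholder IP and a shortened query value, and the 10-minute window is an assumed threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt in the post above. The source IP
# is an RFC 5737 documentation address (placeholder), not the real one, and
# the long query value has been shortened; one unrelated line is included so
# the analysis shows it ignoring benign traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Mar/2022:17:05:38 -0500] "GET /wp-admin/install.php HTTP/1.1" 200 13230
192.0.2.10 - - [11/Mar/2022:17:05:38 -0500] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 5001
192.0.2.10 - - [11/Mar/2022:17:05:40 -0500] "POST /wp-login.php HTTP/1.1" 302 -
192.0.2.10 - - [11/Mar/2022:17:05:41 -0500] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 26161
192.0.2.10 - - [11/Mar/2022:17:05:51 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 17775
192.0.2.10 - - [11/Mar/2022:17:05:52 -0500] "GET /wp-content/plugins/contact-form-maker/contact-form-maker.php?a=0&b=1 HTTP/1.1" 200 -
192.0.2.10 - - [11/Mar/2022:17:05:52 -0500] "POST /wp-includes/.query.php HTTP/1.1" 200 9
198.51.100.7 - - [11/Mar/2022:18:00:00 -0500] "GET /index.php HTTP/1.1" 200 4321
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any dot-prefixed (hidden) PHP file directly under wp-includes, such as .query.php
HIDDEN_PHP_RE = re.compile(r'^/wp-includes/\.[^/]*\.php(?:$|\?)')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, window=timedelta(minutes=10)):
    """Flag the install -> plugin-upload -> hidden-PHP chain, per source IP.

    `window` (assumed value) is how soon after the installer completes a
    plugin upload is considered part of the same takeover.
    """
    findings = []
    install_done = {}  # ip -> time the installer's step 2 returned 200
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        ip, path, method = rec["ip"], rec["path"], rec["method"]

        if (method == "POST" and rec["status"] == 200
                and path.startswith("/wp-admin/install.php?step=2")):
            install_done[ip] = rec["ts"]
            findings.append(f"{ip}: installer completed remotely at {rec['ts'].isoformat()}")
        elif method == "POST" and path.startswith("/wp-admin/update.php?action=upload-plugin"):
            t0 = install_done.get(ip)
            if t0 is not None and rec["ts"] - t0 <= window:
                delta = int((rec["ts"] - t0).total_seconds())
                findings.append(f"{ip}: plugin upload {delta}s after install")

        if HIDDEN_PHP_RE.match(path):
            findings.append(f"{ip}: request to hidden PHP file {path.split('?')[0]}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports three findings: the remote installer completion, the plugin upload 13 seconds later from the same address, and the POST to /wp-includes/.query.php; the unrelated request from the second address produces nothing. The first finding alone is the one worth paging on, since a legitimate install is normally done by the operator from a known address before DNS is published, which is exactly the gap the poster describes.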