Wordfence Weekly July 03 2019 – July 09 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Security News

  • YouTube mystery ban on hacking videos has content creators puzzled

    YouTube recently began enforcing a ban on instructional hacking videos on its platform. This has sparked controversy among infosec professionals, a community largely united by the free dissemination of information.

  • Top VPNs secretly owned by Chinese firms

    Almost a third (30%) of the world’s top virtual private network (VPN) providers are secretly owned by six Chinese companies, according to a study by privacy and security research firm VPNpro.

  • IBM closes its $34 billion acquisition of Red Hat

    IBM closed its $34 billion acquisition of Red Hat, the companies announced Tuesday. The acquisition of Red Hat, an open-source, enterprise software maker, marks the close of IBM’s largest deal ever. The move was originally announced in October, when the companies said IBM would buy all shares in Red Hat at $190 each in cash.

Notable Vulnerabilities

Name: Yoast SEO < 11.6 - Authenticated XSS
Description: Untrusted-but-privileged users (for example an Editor on one site of a multisite network, who does not hold the unfiltered_html capability and so is normally unable to post script) can inject XSS payloads that execute in the admin dashboard and, in some themes, on the frontend of affected sites. Sites running Yoast SEO below 11.6 should update.
Type: A7 – Cross-Site Scripting (XSS)

Most Common New Infections

Malware samples found on the largest number of newly infected sites this week.

MD5                              | Signature                       | Description                                           | File Names
C62180F0D626D92E29E83778605DD8BE | Suspicious:PHP/eval_exit.92     | Obfuscated PHP backdoor.                              | file.php, i.php, ihqxkhi.php, and others
048648D9755220E727E7E0178837F7BF | Backdoor:PHP/561C.110           | Obfuscated PHP backdoor.                              | amp3.php, sib.php, wpfunck.php, and others
446ABEFA504998F144A7AE906A173978 | Suspicious:PHP/rot13_of_eval.95 | PHP backdoor which takes XOR-encoded input.           | b9448c1c.php
8C9E8184A1523C7286FC11E7DE2EAC55 | Backdoor:PHP/2842.103           | PHP script which generates and executes a malicious binary. | wp_form7.php
BF3A65A77DA363AC779A2C45FD2DA2FF | Suspicious:PHP/eval_exit.92     | Obfuscated PHP backdoor.                              | common_config.php

IPs Attacking Most Sites

Prev. is the IP's rank in the previous week's list; a dash means it had no previous-week rank.

Rank | Prev. | IP Address     | ASN                                                                  | Country
1    | 4     | 46.105.99.212  | 16276 (OVH SAS)                                                      | France (FR)
2    | 3     | 46.105.99.163  | 16276 (OVH SAS)                                                      | France (FR)
3    | 2     | 46.105.127.166 | 16276 (OVH SAS)                                                      | France (FR)
4    | 7     | 5.8.47.2       | 50896 (Trusov Ilya Igorevych)                                        | Poland (PL)
5    | 10    | 158.69.162.111 | 16276 (OVH SAS)                                                      | Canada (CA)
6    | -     | 85.214.252.186 | 6724 (Strato AG)                                                     | Germany (DE)
7    | -     | 198.27.70.61   | 16276 (OVH SAS)                                                      | Canada (CA)
8    | 5     | 120.131.12.178 | 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd)          | China (CN)
9    | -     | 213.128.89.176 | 42926 (Radore Veri Merkezi Hizmetleri A.S.)                          | Turkey (TR)
10   | -     | 108.179.224.14 | 46606 (Unified Layer)                                                | United States (US)

New Tracked Domains

Domain Name         | Date Added | Current Status | Notes
topproduct01.online | 07/09/2019 | Up             | Contacted by PHP malware to provide additional scripts and instructions.
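The three tables above (sample hashes and file names, attacking IPs, and the tracked C2 domain) are only useful if they are actually checked against a site. The script below is an added example, not Wordfence code or a Wordfence signature: it takes the indicators exactly as listed in this issue and runs them over a document root, an access log in Common Log Format, and resolver log lines. The obfuscated-eval regex is this example's own heuristic for the `eval(base64_decode(...))` style the samples use, and the sample files and log lines in `demo()` are constructed for the demonstration; they are not real malware. Note that the MD5 check only catches byte-identical copies of the five samples, and a file-name hit on a common name such as `file.php` or `i.php` is weak evidence on its own, so the scanner reports every reason it matched rather than a single verdict.

```python
import hashlib
import os
import re
import tempfile

# Indicators copied from the tables in this issue (Wordfence Weekly, July 03-09 2019).
MALWARE_MD5 = {
    "c62180f0d626d92e29e83778605dd8be", "048648d9755220e727e7e0178837f7bf",
    "446abefa504998f144a7ae906a173978", "8c9e8184a1523c7286fc11e7de2eac55",
    "bf3a65a77da363ac779a2c45fd2da2ff",
}
MALWARE_FILENAMES = {
    "file.php", "i.php", "ihqxkhi.php", "amp3.php", "sib.php", "wpfunck.php",
    "b9448c1c.php", "wp_form7.php", "common_config.php",
}
ATTACKER_IPS = {
    "46.105.99.212", "46.105.99.163", "46.105.127.166", "5.8.47.2", "158.69.162.111",
    "85.214.252.186", "198.27.70.61", "120.131.12.178", "213.128.89.176", "108.179.224.14",
}
C2_DOMAINS = {"topproduct01.online"}

# Heuristic for the obfuscated-eval pattern; an assumption of this example, not a Wordfence rule.
EVAL_RE = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*(base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(",
    re.I,
)
# Apache/nginx Common Log Format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, md5_iocs=MALWARE_MD5, name_iocs=MALWARE_FILENAMES):
    """Return [(path, [reasons])] for every .php file under root that matches an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if md5_file(path) in md5_iocs:
                reasons.append("md5")            # byte-identical to a listed sample
            if name in name_iocs:
                reasons.append("filename")       # weak on its own for generic names
            with open(path, "rb") as f:
                head = f.read(1 << 20).decode("latin-1")
            if EVAL_RE.search(head):
                reasons.append("obfuscated-eval")
            if reasons:
                hits.append((path, reasons))
    return hits


def scan_access_log(lines, ips=ATTACKER_IPS):
    """Return (ip, method, path, status) for requests from the listed attacking IPs."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in ips:
            out.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return out


def scan_outbound(dns_lines, domains=C2_DOMAINS):
    """Return resolver/proxy log lines that mention a tracked C2 domain."""
    return [l for l in dns_lines if any(d in l.lower() for d in domains)]


def demo():
    """Run all three checks over constructed sample data (not real malware or real logs)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        bad = os.path.join(root, "wp-content", "uploads", "wp_form7.php")
        with open(bad, "w") as f:  # constructed stand-in: listed name plus eval pattern
            f.write('<?php eval(base64_decode($_POST["c"])); ?>')
        with open(os.path.join(root, "wp-config.php"), "w") as f:  # benign control file
            f.write("<?php define('DB_NAME', 'wp'); ?>")
        files = [(os.path.relpath(p, root), r) for p, r in scan_tree(root)]
        # Exercise the hash path with an IOC set containing this constructed file's MD5.
        md5_files = [(os.path.relpath(p, root), r)
                     for p, r in scan_tree(root, md5_iocs={md5_file(bad)}, name_iocs=set())]
    log_lines = [  # constructed access-log lines
        '46.105.99.212 - - [05/Jul/2019:10:11:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
        '203.0.113.7 - - [05/Jul/2019:10:11:13 +0000] "GET /index.php HTTP/1.1" 200 9000',
        '5.8.47.2 - - [05/Jul/2019:10:11:14 +0000] "POST /wp-login.php HTTP/1.1" 403 0',
    ]
    dns_lines = ["query[A] topproduct01.online from 10.0.0.5",  # constructed resolver lines
                 "query[A] wordpress.org from 10.0.0.5"]
    return {"files": files, "md5_files": md5_files,
            "log": scan_access_log(log_lines), "dns": scan_outbound(dns_lines)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In practice `scan_tree` would be pointed at the real document root and `scan_access_log` fed the web server's log file; a hit on `topproduct01.online` in outbound DNS or proxy logs is strong evidence that one of the PHP backdoors above is already running, since that is the domain they fetch further instructions from.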
