Type: Botnet
Target: Content Management System (CMS)
Impact
- The botnet can be used to perform distributed denial of service (DDoS) attacks.
- Account credentials can be leaked, leading to account takeovers.
- Gives the attacker access to the compromised device and to its network connection.
IOC
Spam bot - malicious and compromised files (paths are relative to the web root, except the absolute /tmp entry; /index.php and /wp-load.php are legitimate WordPress files that are modified rather than dropped)
- /index.php
- /priv_sym/conf.php
- /priv_sympy/sym.py
- /tmp/pear/download/imagick-3.4.4.tgz
- /wp-content/plugins/three-column-screen-layout/db.php
- /wp-content/plugins/wordfence/url/cach/classes/model/wp-pingg.php
- /wp-content/sqlapi.php
- /wp-content/themes/danfe/db.php
- /wp-content/themes/danfe/indx.php
- /wp-content/themes/danfe/ramage_Libytheidae.php
- /wp-content/themes/danfe/tbl_status.php
- /wp-content/themes/danfe/wp_class_datlib.php
- /wp-content/themes/danfe/wp-data.php
- /wp-load.php
- Files whose names start with the prefix 'original1.'
Known KashmirBlack IPs
- 101.50.3.132
- 160.153.192.222
- 198.1.98.189
- 35.240.254.161
- 103.11.75.15
- 161.189.159.172
- 198.37.123.60
- 35.242.128.177
- 103.116.16.67
- 161.189.202.40
- 198.57.247.202
- 35.244.124.106
- 103.145.226.104
- 162.144.18.118
- 198.58.99.254
- 35.244.72.212
- 103.147.154.41
- 162.144.68.170
- 199.101.100.123
- 35.247.132.6
- 103.21.58.29
- 162.214.71.13
- 199.101.100.124
- 35.247.160.99
- 103.229.72.13
- 162.241.143.7
- 199.188.200.224
- 35.247.185.96
- 103.229.72.89
- 162.241.156.242
- 199.79.62.126
- 37.187.163.201
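A practitioner will want to turn the two IOC lists above into a check. The script below (an added example, not part of the original page) looks for the dropped files under a web root and matches the client IP of access-log lines against the known KashmirBlack IPs. The web root layout, the combined-log-format assumption and the sample log lines are constructed for the demo; only the file paths and IPs come from the lists above.

```python
"""Check a web root and an access log for the KashmirBlack IOCs listed above.

Added example, not from the original page. Assumptions: the site is a
WordPress install whose files are readable by this script, and the access
log uses the Apache/nginx combined format (client IP is the first field).
"""
import re
import tempfile
from pathlib import Path

# Dropped files from the IOC list, relative to the web root.
# /index.php and /wp-load.php are left out on purpose: they exist on every
# WordPress install and are modified rather than created, so they need an
# integrity comparison against a clean copy, not an existence check.
# /tmp/pear/download/imagick-3.4.4.tgz lives outside the web root.
IOC_WEBROOT_PATHS = [
    "priv_sym/conf.php",
    "priv_sympy/sym.py",
    "wp-content/plugins/three-column-screen-layout/db.php",
    "wp-content/plugins/wordfence/url/cach/classes/model/wp-pingg.php",
    "wp-content/sqlapi.php",
    "wp-content/themes/danfe/db.php",
    "wp-content/themes/danfe/indx.php",
    "wp-content/themes/danfe/ramage_Libytheidae.php",
    "wp-content/themes/danfe/tbl_status.php",
    "wp-content/themes/danfe/wp_class_datlib.php",
    "wp-content/themes/danfe/wp-data.php",
]

# Known KashmirBlack IPs from the list above.
IOC_IPS = {
    "101.50.3.132", "160.153.192.222", "198.1.98.189", "35.240.254.161",
    "103.11.75.15", "161.189.159.172", "198.37.123.60", "35.242.128.177",
    "103.116.16.67", "161.189.202.40", "198.57.247.202", "35.244.124.106",
    "103.145.226.104", "162.144.18.118", "198.58.99.254", "35.244.72.212",
    "103.147.154.41", "162.144.68.170", "199.101.100.123", "35.247.132.6",
    "103.21.58.29", "162.214.71.13", "199.101.100.124", "35.247.160.99",
    "103.229.72.13", "162.241.143.7", "199.188.200.224", "35.247.185.96",
    "103.229.72.89", "162.241.156.242", "199.79.62.126", "37.187.163.201",
}


def find_dropped_files(webroot):
    """Return sorted web-root-relative paths of IOC files present under webroot."""
    root = Path(webroot)
    hits = {rel for rel in IOC_WEBROOT_PATHS if (root / rel).is_file()}
    # The 'original1.' prefix can appear anywhere under the web root.
    hits |= {str(p.relative_to(root)) for p in root.rglob("original1.*") if p.is_file()}
    return sorted(hits)


# Client IP is the first whitespace-separated field in the combined log format.
CLIENT_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def find_ioc_ips(log_lines):
    """Return (ip, line) pairs for log lines whose client IP is a known bot IP."""
    hits = []
    for line in log_lines:
        m = CLIENT_IP_RE.match(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((m.group(1), line.rstrip()))
    return hits


def build_demo_webroot():
    """Constructed web root: one dropped IOC file, one 'original1.' file, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="kb-demo-"))
    for rel in ("wp-content/themes/danfe/db.php",
                "wp-content/uploads/original1.index.php",
                "wp-content/themes/danfe/style.css"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("<?php // demo content\n")
    return root


# Constructed sample log lines (combined format); IPs 1 and 3 are from the IOC list.
SAMPLE_LOG = [
    '35.247.132.6 - - [21/Oct/2020:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532',
    '192.0.2.10 - - [21/Oct/2020:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 8821',
    '162.241.143.7 - - [21/Oct/2020:10:02:11 +0000] "GET /wp-content/sqlapi.php HTTP/1.1" 404 512',
]


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    print("dropped files:", find_dropped_files(demo_root))
    for ip, line in find_ioc_ips(SAMPLE_LOG):
        print("IOC IP hit:", ip, "|", line)
```

Point `find_dropped_files` at the real web root and feed `find_ioc_ips` the lines of the real access log; a hit on either list is worth a full investigation rather than just deleting the file, since the dropped files are usually accompanied by modifications to index.php and wp-load.php.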
Mitigation
- Keep CMS core files, plugins/modules and themes updated.
- Use strong, unique passwords for CMS accounts.
- Deploy a web application firewall (WAF).
- Deny or restrict access to sensitive files and paths such as wp-config.php, install.php, and eval-stdin.php.
- Keep the underlying operating system updated and run antivirus software.
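One way to enforce the file-access mitigation on an nginx front end, as an added example that is not from the original page. It assumes WordPress served from /var/www/html with PHP-FPM; the socket path is an assumption. The deny block must come before the generic PHP handler, because nginx uses the first matching regex location.

```nginx
# Added example (not from the original page). Assumes WordPress in /var/www/html
# and PHP-FPM on the unix socket below; adjust both for your deployment.
server {
    listen 80;
    server_name example.com;           # assumed hostname
    root /var/www/html;
    index index.php;

    # Sensitive files from the mitigation list: wp-config.php, install.php
    # (normally /wp-admin/install.php) and eval-stdin.php. Matched by filename
    # so any directory depth is covered. 404 avoids confirming the file exists.
    location ~* /(wp-config\.php|install\.php|eval-stdin\.php)$ {
        return 404;
    }

    # Generic PHP handler; must come after the deny block above.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Verify with `nginx -t` and then request each of the three paths (for example `curl -I https://example.com/wp-config.php`) and confirm a 404 rather than the file's contents or a PHP execution.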