WordPress: wp-cron.php?doing_wp_cron attack from IP 10.50.224.213

I was hit by a "wp-cron.php?doing_wp_cron" attack. A few numbers:

% grep "10.50.224.213" access.log.20200208 | wc -l
    2501
% grep "10.50.224.213" access.log-2.20200208 | awk '{print $7}' | sed 's/?/ /g' | sed 's/=/ /g' | awk '{print $1 " " $2}' | sort -n | uniq -c
   2 / 
  12 / wordfence_syncAttackData
  11 /wp-admin/admin-ajax.php action
   1 /wp-content/uploads/2017/01/cyber-neurones_c23ce-wxuayaadm.jpg 
   1 /wp-content/uploads/2018/12/freeboxv5_atm-year-1.png 
   1 /wp-content/uploads/2018/12/freeboxv5_attenuation-year-1.png 
   1 /wp-content/uploads/2018/12/freeboxv5_crc-year-1.png 
   1 /wp-content/uploads/2018/12/freeboxv5_fec-year-1.png 
   1 /wp-content/uploads/2018/12/freeboxv5_hec-year-1.png 
   1 /wp-content/uploads/2018/12/freeboxv5_rates-year-1.png 
   1 /wp-content/uploads/2018/12/freeboxv5_snr-year-1.png 
   1 /wp-content/uploads/2018/12/freeboxv5_status-year-1.png 
   1 /wp-content/uploads/2018/12/freeboxv5_uptime-year-1.png 
   1 /wp-content/uploads/2019/02/capture-decran-2019-02-03-a-19-25-39.png 
   1 /wp-content/uploads/2019/02/capture-decran-2019-02-04-a-08-18-15.png 
   1 /wp-content/uploads/2019/02/capture-decran-2019-02-04-a-08-36-30.png 
   1 /wp-content/uploads/2019/02/capture-decran-2019-02-04-a-08-36-49.png 
   1 /wp-content/uploads/2019/02/capture-decran-2019-02-04-a-15-28-38.png 
   1 /wp-content/uploads/2019/02/capture-decran-2019-02-04-a-19-49-13.png 
2460 /wp-cron.php doing_wp_cron

More information about the IP 10.50.224.213:

Source: whois.arin.net
IP Address: 10.50.224.213
Name: PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED
Handle: NET-10-0-0-0-1
Registration Date: 
Range: 10.0.0.0-10.255.255.255
Org: Internet Assigned Numbers Authority
Org Handle: IANA
Address: 12025 Waterfront Drive 
Suite 300
City: Los Angeles
State/Province: CA
Postal Code: 90292
Country: United States
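
The tally from the grep/awk pipeline and the address-range check from the whois output, combined as an added example (not the author's commands). It matches the client IP exactly on the first log field, since `grep "10.50.224.213"` also matches substrings such as 110.50.224.213; the log lines are constructed and assume the Apache combined format with the request URI in field 7.

```shell
#!/bin/sh
# Constructed sample lines (Apache combined format); not taken from the real access.log.
sample_log() {
cat <<'EOF'
10.50.224.213 - - [08/Feb/2020:10:00:01 +0100] "POST /wp-cron.php?doing_wp_cron=1581152401.1234 HTTP/1.1" 200 0 "-" "-"
10.50.224.213 - - [08/Feb/2020:10:00:31 +0100] "POST /wp-cron.php?doing_wp_cron=1581152431.5678 HTTP/1.1" 200 0 "-" "-"
10.50.224.213 - - [08/Feb/2020:10:01:02 +0100] "POST /wp-admin/admin-ajax.php?action=example HTTP/1.1" 200 12 "-" "-"
110.50.224.213 - - [08/Feb/2020:10:01:04 +0100] "GET /wp-cron.php?doing_wp_cron=1 HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [08/Feb/2020:10:01:05 +0100] "GET / HTTP/1.1" 200 5120 "-" "-"
EOF
}

# tally_requests IP: read a log on stdin and count requests per
# "path first-query-parameter-name" for one exact client IP (field 1).
tally_requests() {
    awk -v ip="$1" '
        $1 == ip {
            split($7, u, "?")     # u[1] = path, u[2] = query string (may be empty)
            split(u[2], q, "=")   # q[1] = name of the first query parameter
            n[u[1] " " q[1]]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# is_rfc1918 IP: succeed if IP lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        $1 == 10 { ok = 1 }
        $1 == 172 && $2 >= 16 && $2 <= 31 { ok = 1 }
        $1 == 192 && $2 == 168 { ok = 1 }
        END { exit !ok }
    '
}

ip=10.50.224.213
sample_log | tally_requests "$ip"
if is_rfc1918 "$ip"; then
    echo "$ip is RFC 1918 private address space (not routable on the public Internet)"
fi
```
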

I tried running a curl command to understand what was going on, but without success:

% curl -X POST "https://www.cyber-neurones.org/wp-cron.php?doing_wp_cron=1581202796.1272060871124267578125" -vv  
*   Trying 188.130.25.102...
* TCP_NODELAY set
* Connected to www.cyber-neurones.org (188.130.25.102) port 80 (#0)
> POST /wp-cron.php?doing_wp_cron=1581202796.1272060871124267578125 HTTP/1.1
> Host: www.cyber-neurones.org
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< date: Sun, 09 Feb 2020 12:31:02 GMT
< server: Apache
< vary: User-Agent
< content-length: 0
< content-type: text/html; charset=UTF-8
< set-cookie: PHPNET-MNO=11113|Xj/7i|Xj/7i; path=/
< 
* Connection #0 to host www.cyber-neurones.org left intact
* Closing connection 0

I read in this article that I was not the only one: https://www.raymond.cc/blog/fixing-wordpress-website-constantly-hacked/ . But the vulnerability dates from 2017, so no stress.
