Annex 3: Backdoor activity, October 2015 (web server access log excerpts; timestamps are UTC-04:00)

61.4.76.243 - - [02/Oct/2015:12:01:02 -0400] "POST /Backup/noob.php HTTP/1.1" 200 14827 …
61.4.76.243 - - [02/Oct/2015:12:04:25 -0400] "POST /Backup/noob.php HTTP/1.1" 200 21552 
61.4.76.243 - - [02/Oct/2015:12:04:42 -0400]  "POST /Backup/noob.php?__cf_waf_tk__=0311230080Q3I4rAVSSpQ1tOmM5M9Q86vhGA HTTP/1.1" 404 - …
61.4.76.243 - - [02/Oct/2015:12:15:20 -0400] "POST /Backup/noob.php HTTP/1.1" 200 761 
203.81.71.38 - - [03/Oct/2015:02:42:35 -0400] "POST //Backup/noob.php HTTP/1.1" 200 61522 …
203.81.71.38 - - [03/Oct/2015:02:43:29 -0400] "POST //Backup/noob.php HTTP/1.1" 200 19617 
61.4.76.243 - - [09/Oct/2015:04:10:50 -0400] "POST /Backup/noob.php HTTP/1.1" 200 27598 
61.4.76.243 - - [09/Oct/2015:11:09:01 -0400] "POST //Backup/noob.php HTTP/1.1" 200 14423 … (20)
61.4.76.243 - - [09/Oct/2015:14:11:20 -0400] "POST /Backup/noob.php HTTP/1.1" 200 14807 
203.81.71.49 - - [10/Oct/2015:04:06:00 -0400] "POST //Backup/noob.php HTTP/1.1" 200 14426 … (10)
203.81.71.49 - - [10/Oct/2015:05:35:39 -0400] "POST //Backup/noob.php HTTP/1.1" 200 130426 
61.4.76.243 - - [10/Oct/2015:15:41:53 -0400] "POST //Backup/noob.php HTTP/1.1" 200 15396 …
61.4.76.243 - - [10/Oct/2015:15:42:32 -0400] "POST //Backup/noob.php HTTP/1.1" 200 72379 
203.81.71.49 - - [10/Oct/2015:22:07:18 -0400] "POST //Backup/noob.php HTTP/1.1" 200 72380 … (10)
203.81.71.49 - - [10/Oct/2015:22:24:20 -0400] "POST //Backup/noob.php HTTP/1.1" 200 52898 …
203.81.71.49 - - [11/Oct/2015:01:42:02 -0400] "POST //Backup/noob.php HTTP/1.1" 200 52898 
61.4.76.243 - - [11/Oct/2015:07:53:39 -0400] "POST //Backup/noob.php HTTP/1.1" 200 15479 
61.4.76.243 - - [11/Oct/2015:07:58:27 -0400] "POST //Backup/noob.php HTTP/1.1" 200 15714 ...
61.4.76.243 - - [11/Oct/2015:08:42:52 -0400] "POST /wp-content/uploads/2015/10/noob.php HTTP/1.1" 200 6338 
61.4.76.243 - - [11/Oct/2015:08:43:50 -0400] "POST /wp-content/uploads/2015/10/noob.php HTTP/1.1" 200 6406 
61.4.76.60 - - [12/Oct/2015:01:53:16 -0400] "GET //Backup/noob.php HTTP/1.1" 200 22497 
61.4.76.60 - - [12/Oct/2015:02:40:19 -0400] "GET //Backup/noob.php HTTP/1.1" 200 22497 
61.4.76.60 - - [12/Oct/2015:02:40:24 -0400] "POST //Backup/noob.php HTTP/1.1" 200 15478 …  (10)
61.4.76.60 - - [12/Oct/2015:02:41:12 -0400] "POST //Backup/noob.php HTTP/1.1" 200 15401 
111.84.193.91 - - [18/Oct/2015:03:35:54 -0400] "GET /phpinfo.php?1=mv%20wp-admin/.htacess.bbk%20wp-admin/.htacess HTTP/1.1" 302 272 
111.84.193.91 - - [18/Oct/2015:03:35:55 -0400] "GET /phpinfo.php?1=mv%20wp-admin/.htacess.bbk%20wp-admin/.htacess HTTP/1.1" 200 13158 
111.84.193.91 - - [18/Oct/2015:03:35:56 -0400] "GET /phpinfo.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 
111.84.193.91 - - [18/Oct/2015:03:35:56 -0400] "GET /phpinfo.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146 
111.84.193.91 - - [18/Oct/2015:03:40:44 -0400] "GET /phpinfo.php?1=ls HTTP/1.1" 200 13583 
111.84.193.91 - - [18/Oct/2015:03:41:32 -0400] "GET /phpinfo.php?1=ls%20-al%20wp-admin HTTP/1.1" 200 14325 
111.84.193.91 - - [18/Oct/2015:03:42:52 -0400] "GET /phpinfo.php?1=mv%20wp-admin/.htaccess.bbk%20wp-admin/.htaccess HTTP/1.1" 200 13208 ...
203.81.71.54 - - [21/Oct/2015:06:13:10 -0400] "POST //Backup/noob.php HTTP/1.1" 200 14829