Annex 4: IPs – Malicious activity July – November 2015

Pre-defacement Activity (help.php backdoor)

MPT

 203.81.85.66 July – October (high volume of requests)
 103.25.12.12 July (few requests)

October Activity (noob.php backdoor)

MPT

 203.81.71.38 - - [03/Oct/2015:02:43:13 -0400] "POST //Backup/noob.php HTTP/1.1" 200 13834
 203.81.71.49 - - [11/Oct/2015:01:42:02 -0400] "POST //Backup/noob.php HTTP/1.1" 200 52898
 103.25.12.12 - wpadmin [19/Oct/2015:10:31:29 -0400] "POST /wp-admin/async-upload.php HTTP/1.1" 200 1349
 103.25.12.12 - - [19/Oct/2015:10:52:16 -0400] "POST /wp-content/plugins/meenews/inc/ajax/ajax_actions.php HTTP/1.1" 404 45195
 203.81.71.54 - - [21/Oct/2015:06:13:10 -0400] "POST //Backup/noob.php HTTP/1.1" 200 14829
 122.248.101.151 [11/Nov/2015:00:29:59] "GET /wp-content/wp-cache-config.php?1=ls%20-al"

Red Link

 61.4.76.243 - - [11/Oct/2015:07:53:39 -0400] "POST //Backup/noob.php HTTP/1.1" 200 15479
 61.4.76.60 - - [12/Oct/2015:02:41:12 -0400] "POST //Backup/noob.php HTTP/1.1" 200 15401

Telenor Myanmar

 111.84.193.91 - - [18/Oct/2015:03:35:56 -0400] "GET /phpinfo.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200
 111.84.193.91 - - [18/Oct/2015:03:35:56 -0400] "GET /phpinfo.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
 111.84.193.91 - - [18/Oct/2015:03:40:44 -0400] "GET /phpinfo.php?1=ls HTTP/1.1" 200 13583
 111.84.193.91 - - [18/Oct/2015:03:41:32 -0400] "GET /phpinfo.php?1=ls%20-al%20wp-admin HTTP/1.1" 200 14325