Exploring the goal of common WordPress and PHP attack paths.

After checking the access logs for any suspicious activity on the server, I noticed some common paths that seemed to come up a lot.
Checking them through Gemini AI and online searches provided the following information:

Here’s a breakdown of the listed paths and why some are likely attacks:

Likely Attacks:

  • /wp-content/uploads/wp-casper.php: This file is not a standard WordPress file and likely a malicious script for uploading malware or exploiting vulnerabilities.
  • /wp-content/uploads/uploads.php: Uploading functionality is typically handled by WordPress core, not a separate script in the uploads folder. This suggests a potential attempt to bypass security measures.
  • /wp-content/uploads/wso112233.php: This filename format (wsoXXXX) is commonly associated with webshell tools used for gaining unauthorized access.
  • /wp-content/uploads/2023/wp-signup.php: While a legitimate signup script could exist in this location for some plugins, it’s uncommon. The presence of a year in the path makes it more suspicious.
  • /wp-includes/css/wp-config.php: This is a highly critical configuration file storing database credentials. Accessing it via an HTTP request is a clear attack attempt.

Suspicious but require further investigation:

  • /vendor/phpunit: PHPUnit is a legitimate testing framework used by developers. However, if you are not actively running tests or expecting PHPUnit usage, unknown access to this folder could be suspicious.
  • /vendor/bin/test.php: Similar to the above, this could be a legitimate testing script but requires verification of its purpose.
  • /wp-content/uploads/2022/themes.php: Themes are usually stored in the /wp-content/themes folder. Having a themes.php script in the uploads folder is suspicious, especially with a year in the path.
  • /wp-content/uploads/2020/09/themes.php: Similar to the above, the presence of a themes.php script in the uploads folder with a date path is suspicious.

After searching online further, I found a long list of commonly attacked paths:

https://www.luszcz.de/widwsisw/i/i0004en.php

WordPress paths and .env paths come up a lot!
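To turn the paths above (PHP files under uploads, wso-style webshell names, wp-config.php probes, anything under /vendor, and .env requests) into something you can run over an access log, here is an added example scanner; it is not from the original post or any tool it links to. It assumes the Apache/Nginx "combined" log format, and the log lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Apache/Nginx "combined" log format; we only need client IP, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures derived from the paths discussed in the post, matched against the path only.
SIGNATURES = [
    ("php-in-uploads", re.compile(r"^/wp-content/uploads/.*\.php(\?|$)", re.I)),
    ("wso-webshell", re.compile(r"/wso\d*\.php(\?|$)", re.I)),
    ("config-probe", re.compile(r"/wp-config\.php(\?|$)", re.I)),
    ("vendor-exposed", re.compile(r"^/vendor/", re.I)),
    ("dotenv-probe", re.compile(r"/\.env(\?|$)", re.I)),
]

def classify(path):
    """Return the signature labels that match a request path (empty list if clean)."""
    return [label for label, rx in SIGNATURES if rx.search(path)]

def scan(lines):
    """Return (hits, per_ip): flagged (ip, path, status, labels) tuples and a
    Counter of flagged requests per client IP. Non-combined lines are skipped."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(m["path"])
        if labels:
            # A 200 here means the file really exists on disk: escalate immediately.
            hits.append((m["ip"], m["path"], int(m["status"]), labels))
            per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:03:14:07 +0000] "GET /wp-content/uploads/wso112233.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:03:14:08 +0000] "GET /wp-includes/css/wp-config.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:03:14:09 +0000] "GET /vendor/bin/test.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:03:14:10 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.2 - - [10/Mar/2024:03:15:00 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, path, status, labels in scan(SAMPLE_LOG)[0]:
        print(f"{ip} {status} {path} -> {', '.join(labels)}")
```

A burst of 404s from one client across several signatures is scanner noise worth blocking; any flagged path that returns 200 is the one to investigate on disk first.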

Also, the reasoning for searching for phpunit might be answered by the following article: https://thephp.cc/articles/phpunit-a-security-risk

It seems there has been a file included in it that can be exploited.
As usual, it is best to be careful not to include development code in production and not to expose dependency directories such as vendor publicly.
