Found the complete log in another post of yours.
Here is what I read from it:
The GET request for the wp-login.php file from 91.210.145.98 (Windows 10 64-bit, probably with Mozilla Firefox 50) is 200
200 = HTTP status code = OK, which means successful.
The POST of the login data was successful. (One interesting thing is that I don't see any sign of brute force in the LOG you posted.)
The attacker has now logged in successfully (access to wp-admin)
The attacker opens the theme editor. (/wp-admin/theme-editor.php)
The attacker checks whether the TwentyFourteen theme already exists. (/wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen)
The attacker opens the page for uploading a theme.
The attacker binds a WordPress remote shell to the database.php of the Gaukingo theme (Wordpress Shell Uploader\gaukingo)
and uploads it.
The attacker binds a WordPress remote shell to the db.php of the three-column-screen-layout plugin (three-column-screen-layout/db.php)
and uploads it.
Checks whether the file GET /wp-content/uploads/db.php already exists but gets an HTTP 404, which means not found.
Does the same with /wp-content/uploads/2017/23/db.php.
Issues a HEAD request, which means it receives only the homepage header data, which is faster, for example if you want to receive data in a Linux shell.
Maybe he is using a program like Metasploit from now on, because it has far more possibilities than a browser (Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45)
- Logs in via wp-login.php
- Opens the page for uploading a theme
- Checks whether the sketch theme is already installed here
After reading the log, I think he is trying to exploit a weakness in outdated but still installed plugins and themes. I think it is best to secure your WordPress in the future as suggested in the comments.
[30/Mar/2017:13:52:56 +0100] "GET /wp-login.php HTTP/1.1" 200 2752 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:52:57 +0100] "POST /wp-login.php HTTP/1.1" 302 1136 "http://*************.com.it/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:52:58 +0100] "GET /wp-admin/ HTTP/1.1" 200 62061 "http://*************.com.it/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:52:59 +0100] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 38782 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:00 +0100] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen HTTP/1.1" 500 3785 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:01 +0100] "GET /wp-admin/theme-install.php?upload HTTP/1.1" 200 52466 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:02 +0100] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 31812 "*************.com.it/wp-admin/theme-install.php?upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:07 +0100] "GET /wp-content/themes/F:\xc4\xee\xf0\xee\xe3\xee\xf1\xf2\xee\xff\xf9\xe8\xe5\MultiShell2\xf8\xe5\xeb\xeb\xfb\xcf\xee\xea\xf3\xef\xed\xee\xe9 \xf1\xee\xf4\xf2\uploader\Wordpress Shell Uploader\gaukingo/db.php HTTP/1.1" 404 51872 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:08 +0100] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 40682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:09 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 31541 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:15 +0100] "GET /wp-content/plugins/F:\xc4\xee\xf0\xee\xe3\xee\xf1\xf2\xee\xff\xf9\xe8\xe5\MultiShell2\xf8\xe5\xeb\xeb\xfb\xcf\xee\xea\xf3\xef\xed\xee\xe9 \xf1\xee\xf4\xf2\uploader\Wordpress Shell Uploader\three-column-screen-layout/db.php HTTP/1.1" 404 51874 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:16 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 31426 "*************.com.it/wp-admin/theme-install.php?tab=upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:19 +0100] "GET /wp-content/uploads/db.php HTTP/1.1" 404 51729 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:53:20 +0100] "GET /wp-content/uploads/2017/23/db.php HTTP/1.1" 404 51753 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" 91.210.145.98 - -
[30/Mar/2017:13:58:22 +0100] "HEAD /wp-login.php HTTP/1.1" 200 343 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45" 91.210.145.98 - -
[30/Mar/2017:13:58:23 +0100] "GET /wp-login.php HTTP/1.1" 200 2697 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45" 91.210.145.98 - -
[30/Mar/2017:13:58:23 +0100] "POST /wp-login.php HTTP/1.0" 302 1305 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45" 91.210.145.98 - -
[30/Mar/2017:13:58:24 +0100] "POST /wp-admin/ HTTP/1.0" 200 61984 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45" 91.210.145.98 - -
[30/Mar/2017:13:58:25 +0100] "GET /wp-admin/theme-install.php HTTP/1.1" 200 52420 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45" 91.210.145.98 - -
[30/Mar/2017:13:58:27 +0100] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 200 32257 "http://*************.com.it/wp-admin/theme-install.php?upload" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45" 91.210.145.98 - -
[30/Mar/2017:13:58:33 +0100] "GET /wp-content/themes/sketch/404.php HTTP/1.1" 200 377 "http://*************.com.it/wp-admin/theme-install.php?upload" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45"
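The sequence this answer reconstructs (a successful login, a theme or plugin upload through the admin panel, then direct requests for a .php file under wp-content, with the user agent changing part way through) can be checked mechanically over the access log. The script below is an added example written for this page; it is not part of the original answer and not a WordPress or Metasploit tool. It parses the log format shown above, groups requests per client, and reports clients whose upload was followed within a time window by a probe of a .php file under wp-content. The sample log lines, the IPs 203.0.113.7 and 198.51.100.4 and the host example.invalid are constructed placeholders, not data from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line of the access-log format shown in the answer:
# [time] "METHOD path HTTP/x.y" status bytes "referer" "user-agent" client-ip - -
# The request path is matched lazily so that paths containing spaces (as in the
# uploader's local Windows path that leaked into the posted log) still parse.
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>.+?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?'
)
# Admin actions that write user-supplied code to disk.
UPLOAD_RE = re.compile(r'^/wp-admin/update\.php\?action=upload-(theme|plugin)')
# Direct requests for a .php file under wp-content: WordPress normally serves
# everything through index.php, so a direct hit is how a dropped file gets invoked.
PROBE_RE = re.compile(r'^/wp-content/(themes|plugins|uploads)/.*\.php(\?|$)')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["ip"] = rec["ip"] or "-"   # the last line of the posted log has no client field
    return rec


def analyze(lines, window_seconds=900):
    """Group requests by client and record login, upload and probe events per client."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        summary = {"logins": 0, "uploads": [], "probes": [], "user_agents": set()}
        last_upload = None
        for r in recs:
            summary["user_agents"].add(r["ua"])
            path = r["path"]
            # A 302 after POST /wp-login.php is the redirect a successful login produces.
            if r["method"] == "POST" and path.split("?")[0] == "/wp-login.php" and r["status"] == 302:
                summary["logins"] += 1
            elif r["method"] == "POST" and UPLOAD_RE.match(path) and r["status"] == 200:
                summary["uploads"].append(path)
                last_upload = r["ts"]
            elif (last_upload is not None and r["method"] == "GET" and PROBE_RE.match(path)
                  and (r["ts"] - last_upload).total_seconds() <= window_seconds):
                summary["probes"].append((path, r["status"]))
        summary["user_agents"] = len(summary["user_agents"])  # a UA change mid-session is worth noting
        report[ip] = summary
    return report


def flag_suspicious(report):
    """Clients that uploaded a theme/plugin and then requested a PHP file under wp-content."""
    return sorted(ip for ip, s in report.items() if s["uploads"] and s["probes"])


def live_probes(report):
    """Probes answered with 200: these files exist on disk and should be inspected first."""
    return [(ip, path) for ip, s in sorted(report.items())
            for path, status in s["probes"] if status == 200]


# Constructed sample in the same format as the posted log. The IPs 203.0.113.7 and
# 198.51.100.4 and the host example.invalid are placeholders, not real data.
UA_FF = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
UA_OPR = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45")
UA_LNX = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
SITE = "http://example.invalid"
ATTACKER, ADMIN = "203.0.113.7", "198.51.100.4"


def _line(ts, req, status, size, referer, ua, ip):
    return f'[{ts} +0100] "{req}" {status} {size} "{referer}" "{ua}" {ip} - -'


SAMPLE_LOG = "\n".join([
    _line("30/Mar/2017:13:52:56", "GET /wp-login.php HTTP/1.1", 200, 2752, "-", UA_FF, ATTACKER),
    _line("30/Mar/2017:13:52:57", "POST /wp-login.php HTTP/1.1", 302, 1136, SITE + "/wp-login.php", UA_FF, ATTACKER),
    _line("30/Mar/2017:13:53:02", "POST /wp-admin/update.php?action=upload-theme HTTP/1.1", 200, 31812,
          SITE + "/wp-admin/theme-install.php?upload", UA_FF, ATTACKER),
    _line("30/Mar/2017:13:53:07", "GET /wp-content/themes/C:\\tools\\Shell Uploader\\gaukingo/db.php HTTP/1.1",
          404, 51872, "-", UA_FF, ATTACKER),
    _line("30/Mar/2017:13:53:19", "GET /wp-content/uploads/db.php HTTP/1.1", 404, 51729, "-", UA_FF, ATTACKER),
    _line("30/Mar/2017:13:58:23", "POST /wp-login.php HTTP/1.0", 302, 1305, "-", UA_OPR, ATTACKER),
    _line("30/Mar/2017:13:58:27", "POST /wp-admin/update.php?action=upload-theme HTTP/1.0", 200, 32257, "-", UA_OPR, ATTACKER),
    _line("30/Mar/2017:13:58:33", "GET /wp-content/themes/sketch/404.php HTTP/1.1", 200, 377, "-", UA_OPR, ATTACKER),
    _line("30/Mar/2017:14:01:00", "GET /wp-login.php HTTP/1.1", 200, 2752, "-", UA_LNX, ADMIN),
    _line("30/Mar/2017:14:01:05", "POST /wp-login.php HTTP/1.1", 302, 1136, "-", UA_LNX, ADMIN),
    _line("30/Mar/2017:14:01:10", "GET /wp-admin/edit.php HTTP/1.1", 200, 40210, "-", UA_LNX, ADMIN),
])

if __name__ == "__main__":
    rpt = analyze(SAMPLE_LOG.splitlines())
    for ip in flag_suspicious(rpt):
        s = rpt[ip]
        print(f"{ip}: {s['logins']} logins, {len(s['uploads'])} uploads, "
              f"{len(s['probes'])} probes, {s['user_agents']} user agents")
    for ip, path in live_probes(rpt):
        print(f"inspect on disk: {path} (requested by {ip}, served 200)")
```

Probes answered with 200 are the ones that actually exist on the server (in the posted log only /wp-content/themes/sketch/404.php); that file, together with the theme and plugin directories whose modification times match the upload POSTs, is where an incident review should start. A POST to /wp-login.php returning 302 is counted as a login because WordPress redirects to wp-admin on success and re-renders the form with a 200 on failure, which is why a log with only 302s and no run of 200s shows no brute force.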