270 unique attackers were responsible for the attacks during the sample week

70% of the attacks originated from only 6 attackers in France

The rest of the attacks mostly originated from Italy, US, Germany, Canada and Brazil (in that order)

A total of 318 different web applications were targeted during the sample week

Out of the 318 web applications that were being targeted:

  39% belong to '.com' domains

  23% belong to US military domains ('.mil' TLD)

  6% belong to US government domains ('.gov' TLD)

  1% belong to non-profit organization domains ('.org' TLD)

  1% belong to educational domains ('.edu' TLD)

  All other targets were country code second-level domains (e.g. .co.uk, .co.jp, etc.)

The URLs used inside the RFI payload point almost entirely to hostnames that resemble legitimate, well-known sites, most often Picasa, Blogger, Flickr and YouTube (in this order), for example http://www.picasa.some.site or http://flickr.com.some.site
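The look-alike hostnames described above are easy to miss if a rule only checks for a brand name in the URL, because the brand appears as a subdomain label of an unrelated registrable domain. The following is an added example, not code from the original article or from Akamai: it reads Apache combined-format access-log lines, flags any query parameter whose value is an absolute http(s) URL (the shape of a remote-file-inclusion attempt), and reports which imitated brand, if any, sits to the left of the registrable domain. The log lines, the RFC 5737 client addresses and the theme path are constructed for the example, and approximating the registrable domain as the last two labels (no public-suffix list) is an assumption made for brevity.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Brands the article reports being imitated in RFI payload hostnames.
IMITATED_BRANDS = {"picasa", "blogger", "flickr", "youtube"}

# Apache "combined" access-log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 test addresses, hypothetical theme path).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2013:10:00:01 +0000] "GET /wp-content/themes/demo/timthumb.php'
    '?src=http://www.picasa.some.site/a.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [01/Jan/2013:10:00:02 +0000] "GET /wp-content/themes/demo/timthumb.php'
    '?src=http://flickr.com.some.site/b.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [01/Jan/2013:10:00:03 +0000] "GET /wp-content/themes/demo/timthumb.php'
    '?src=http://www.flickr.com/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.6 - - [01/Jan/2013:10:00:04 +0000] "GET /index.php?p=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def lookalike_brand(host: str):
    """Return the imitated brand if it appears as a label LEFT of the registrable
    domain (e.g. 'picasa' in www.picasa.some.site), else None.
    Assumption: the registrable domain is the last two labels; a real deployment
    would consult the public-suffix list instead."""
    labels = host.lower().split(".")
    for label in labels[:-2]:
        if label in IMITATED_BRANDS:
            return label
    return None


def find_rfi_attempts(log_lines):
    """Flag requests whose query parameters carry an absolute http(s) URL and
    annotate each hit with the look-alike brand, if any."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        target = urlsplit(m.group("target"))
        for param, values in parse_qs(target.query, keep_blank_values=True).items():
            for value in values:
                if not value.lower().startswith(("http://", "https://")):
                    continue
                host = urlsplit(value).hostname or ""
                hits.append({
                    "src_ip": m.group("ip"),
                    "param": param,
                    "url": value,
                    "host": host,
                    "lookalike_of": lookalike_brand(host),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f"{hit['src_ip']} param={hit['param']} host={hit['host']} "
              f"lookalike_of={hit['lookalike_of']}")
```

The third sample line is still reported, since a parameter pointing at any external URL is worth reviewing, but its `lookalike_of` is None; the first two are the pattern the article describes, where the brand is only a subdomain of some unrelated site.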

Deeper analysis of the majority of remote PHP code that is used by hackers revealed that it was written by Indonesian hackers, who breached and took over legitimate web servers across the web

The remote PHP code that is included was always encoded multiple times using Base64, ROT13 and Gzip compression. This is probably done for the purpose of WAF, Anti-Virus and Anti-Malware evasion
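Because the layers are stacked in no fixed order, an analyst examining a captured payload needs a decoder that discovers the order rather than assumes it. The following is an added example, not code from the original article or from Akamai: it runs a bounded depth-first search over the three transformations the article names (Base64, ROT13, Gzip), trying each one that is plausible for the current bytes and stopping when PHP source appears. The sample payload is constructed inline from a harmless marker string, and the PHP markers used as the stop condition, the search depth and the order in which candidate layers are tried are assumptions made for the example.

```python
import base64
import binascii
import codecs
import gzip
import re
import zlib

MAX_DEPTH = 8                                   # assumption: enough for stacked layers
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")  # whole blob is Base64 alphabet
PHP_MARKERS = (b"<?php", b"eval(")               # stop condition: decoded PHP source


def looks_like_php(blob: bytes) -> bool:
    return any(marker in blob for marker in PHP_MARKERS)


def candidate_layers(blob: bytes):
    """Yield (layer_name, decoded_bytes) for every decoding plausible for blob."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        try:
            yield "gzip", gzip.decompress(blob)
        except (OSError, EOFError, zlib.error):
            pass
    if B64_RE.match(blob):
        try:
            yield "base64", base64.b64decode(blob)
        except (binascii.Error, ValueError):
            pass
    if blob.isascii():  # ROT13 only has meaning for ASCII text
        yield "rot13", codecs.encode(blob.decode("ascii"), "rot_13").encode("ascii")


def peel(blob: bytes, depth: int = 0, trail=(), seen=None):
    """Depth-first search through decodings until PHP source appears.
    Returns (list of layer names in decoding order, plaintext) or None."""
    if seen is None:
        seen = set()
    if looks_like_php(blob):
        return list(trail), blob
    if depth >= MAX_DEPTH or blob in seen:   # 'seen' stops ROT13 flipping back and forth
        return None
    seen.add(blob)
    for name, out in candidate_layers(blob):
        found = peel(out, depth + 1, trail + (name,), seen)
        if found is not None:
            return found
    return None


# Constructed sample: a harmless PHP marker wrapped as gzip -> base64 -> rot13 -> base64.
PLAINTEXT = b"<?php echo 'constructed benign sample'; ?>"


def _wrap(plain: bytes) -> bytes:
    inner = base64.b64encode(gzip.compress(plain, mtime=0))
    rotated = codecs.encode(inner.decode("ascii"), "rot_13").encode("ascii")
    return base64.b64encode(rotated)


SAMPLE = _wrap(PLAINTEXT)


def decode_sample():
    """Peel the constructed sample; returns (layers, plaintext)."""
    return peel(SAMPLE)


if __name__ == "__main__":
    layers, plain = decode_sample()
    print("layers (outermost first):", " -> ".join(layers))
    print("recovered:", plain.decode())
```

A dead branch costs little: ROT13 applied to a Base64 string still decodes as Base64, but the result is binary junk that matches none of the three layer checks, so the search backs out after one step. The `seen` set is what keeps ROT13, which is its own inverse, from bouncing the search between two states until the depth limit is hit.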

The purpose of the remote PHP included code is to install two main types of malware:

  A remote command execution PHP web page, which enables the hackers to remotely control the web server's machine, and grants them access to all files on the system

  A highly evolved botnet software with many capabilities such as remote command and control through IRC, automatic propagation to other web servers using similar vulnerabilities, MySQL data dumping capabilities and so forth
As suspected, it is beyond any doubt that WordPress plugin exploitation is one of the main tools in the malicious web hackers' arsenal. Specifically, the 'Timthumb' remote file inclusion vulnerability, which was originally published back in August 2011, is still the most sought-after by hackers.

We have also concluded that the root cause for the majority of WordPress plugin vulnerabilities that are being targeted by web hackers is remote file inclusion; this is probably due to the high ROI involved with these vulnerabilities. Moreover, it seems that hackers are still actively looking for vulnerabilities which are 2-5 years old. This may indicate that application owners are very slow in deploying fixes and do not tend to upgrade WordPress plugins to the latest, more secure versions.

Based on the malicious PHP code that was 'remotely included' in the attacks, it seems that while the majority of attacks appeared to originate from European countries, the people behind these attacks were actually Indonesian hackers. In addition, the remote code was always encoded multiple times to evade pattern-based protections such as WAF, Anti-Virus or Anti-Malware, and was placed on remote machines with domain names that resemble popular legitimate sites.

Last but not least - all of the attacks mentioned in this article were thwarted by Akamai's KONA security solutions.