Investigating some interesting entries in log files from our customers, we see that hackers apparently are still looking for infected WordPress websites.
First we see this:
(IP address blanked to protect the infected) - - [28/Dec/2016:20:44:14 -0500] "GET / HTTP/1.1" 200 [qodef_highlight background_color="yellow" color="red"]72904[/qodef_highlight] "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
The big tipoff here is the size of the GET request: 72904.
And then this:
(IP address... Read More