When trying to report the domain wpsys.org on the “Submit an Abuse Report” page, I receive the error that this domain isn’t hosted on Cloudflare.
But it is. Running dig -t ns wpsys.org returns:
; <<>> DiG 9.16.1-Ubuntu <<>> -t ns wpsys.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64591
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wpsys.org. IN NS
;; ANSWER SECTION:
wpsys.org. 86400 IN NS dora.ns.cloudflare.com.
wpsys.org. 86400 IN NS max.ns.cloudflare.com.
;; Query time: 451 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: sab giu 25 19:55:01 CEST 2022
;; MSG SIZE rcvd: 92
And dig wpsys.org returns:
; <<>> DiG 9.16.1-Ubuntu <<>> wpsys.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59841
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wpsys.org. IN A
;; ANSWER SECTION:
wpsys.org. 300 IN A 198.37.113.30
;; Query time: 456 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: sab giu 25 20:28:41 CEST 2022
;; MSG SIZE rcvd: 54
This domain is used to receive the hostname/domain of infected servers (victims) where vulnerable WordPress installations are exploited (customers of our hosting company included).
The source code of one of the malware files is here: https://www.toptal.com/developers/hastebin/opumixihit.php
Decoding line 4 (after many steps), we got:
define('RURL', 'http://wpsys.org/html/'.HTTP_HOST);
Thank you in advance
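A small check for the situation in this post, added here as an example (it is not Cloudflare's code nor part of the original post): it parses the dig answer lines above and tells apart a zone whose nameservers are at Cloudflare from one whose A record actually points at a Cloudflare proxy address. The Cloudflare IPv4 ranges are an assumed snapshot of the published list and should be refreshed before real use.

```python
import ipaddress
import re

# Constructed excerpt of the ANSWER SECTION lines from the two dig runs above.
DIG_OUTPUT = """\
wpsys.org. 86400 IN NS dora.ns.cloudflare.com.
wpsys.org. 86400 IN NS max.ns.cloudflare.com.
wpsys.org. 300 IN A 198.37.113.30
"""

# Assumption: snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Matches resource-record lines such as "wpsys.org. 300 IN A 198.37.113.30".
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A)\s+(\S+)$")


def parse_answers(text):
    """Return (nameservers, a_records) found in dig ANSWER SECTION lines."""
    ns, a = [], []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # headers, comments and question lines are skipped
        _, rtype, rdata = m.groups()
        (ns if rtype == "NS" else a).append(rdata.rstrip(".").lower())
    return ns, a


def is_cloudflare_ip(ip):
    """True if the address falls inside one of the (assumed) Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify(text):
    """'proxied', 'dns-only' (Cloudflare NS but origin IP exposed) or 'not-cloudflare'."""
    ns, a = parse_answers(text)
    dns_on_cf = bool(ns) and all(n.endswith(".ns.cloudflare.com") for n in ns)
    proxied = bool(a) and all(is_cloudflare_ip(ip) for ip in a)
    if dns_on_cf and proxied:
        return "proxied"
    return "dns-only" if dns_on_cf else "not-cloudflare"
```

For the output in this post the result is "dns-only": the zone's nameservers are at Cloudflare, but the A record resolves straight to 198.37.113.30, which lies outside Cloudflare's ranges, so the traffic is not passing through Cloudflare's proxy and the origin host is where the abuse actually lives.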