WP Beacon

alquemie

@alquemie · wordpress.org profile ↗
Member since
2013-08-28
Location
Employer
Alquemie Marketing, LLC
Job title
Authored
3 (1 closed)
SVN commit access
1
Readme contributor
0
Combined install base
60 across 3 plugins

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Gravity Forms Campaign Fields Add-On Resolved · vendored_whichbrowser_library_data_fp 1mo ago
Sluggf-campaign-fields
Patternhardcoded_ip_url
Kindbuiltin
Version2.4.1
Hit count38
First hit
File
lib/whichbrowser/parser/data/profiles.php
Line
600
Snippet
'http://112.74.195.169/upload/xmlfiles/STUDIO_X8_HD.XML' => [ 'BLU', 'Studio X8 HD', 'Android', DeviceType::MOBILE ],
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "gf-campaign-fields",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "2.4.1",
    "hit_count": 38,
    "first_hit": {
        "file": "lib/whichbrowser/parser/data/profiles.php",
        "line": 600,
        "snippet": "'http://112.74.195.169/upload/xmlfiles/STUDIO_X8_HD.XML'                                              => [ 'BLU', 'Studio X8 HD', 'Android', DeviceType::MOBILE ],"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

Plugins authored (3)

Plugin Version Installs Last updated Status
Gravity Forms Campaign Fields Add-On ·gf-campaign-fields 2.4.1 60 8y ago Active
Alquemie SEO ·alquemie-seo 2.01 Closed
Audience Segments ·audience-segment-taxonomies 1.1.0 9y ago Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
Gravity Forms Campaign Fields Add-On alquemie 60 20 9y ago 8y ago Active