epeken

Member since: 2015-04-05
Location: Jakarta, Indonesia
Employer:
Job title:
Authored: 4 (1 closed)
SVN commit access: 3 (1 closed)
Readme contributor: 0
Combined install base: 540 across 4 plugins

Alerts (0)

No open alerts.

Resolved alerts (2)

Critical · code_pattern · Epeken for Anteraja · Resolved · vendor_self_publishing_epeken_anteraja_courier · 1mo ago
Slug: anteraja
Pattern: hardcoded_ip_url
Kind: builtin
Version: 2.2
Hit count: 1
First hit
File: epeken-anteraja.php
Line: 86
Snippet: $server = 'http://103.252.101.131';
Explanation: plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.

Critical · code_pattern · Epeken All Kurir for Woocommerce · Resolved · vendor_self_publishing_epeken_courier · 1mo ago
Slug: epeken-all-kurir
Pattern: hardcoded_ip_url
Kind: builtin
Version: 2.0.6
Hit count: 4
First hit
File: epeken_courier.php
Line: 18
Snippet: $server = 'http://174.138.21.166'; //default data server..
Explanation: plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.

Plugins authored (4)

| Plugin | Version | Installs | Last updated | Status |
|---|---|---|---|---|
| Epeken All Kurir for Woocommerce · epeken-all-kurir | 2.1.1 | 500 | 28d ago | Active |
| Epeken for Anteraja · anteraja | 2.2 | 40 | 1mo ago | Active |
| Epeken Delivery Date · epeken-delivery-date | 1.0 | | 7y ago | Active |
| JExpress Integrated Shipping Plugin for WooCommerce · epeken-jexpress | 1.0.0 | | | Closed |

SVN commit access (3)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

| Plugin | Primary author | Installs | Commits | First | Latest | Status |
|---|---|---|---|---|---|---|
| Epeken All Kurir for Woocommerce | epeken | 500 | 661 | 10y ago | 28d ago | Active |
| Epeken for Anteraja | epeken | 40 | 63 | 5y ago | 1mo ago | Active |
| JExpress Integrated Shipping Plugin for WooCommerce | epeken | | 2 | 4y ago | 4y ago | Closed |