epeken

@epeken · wordpress.org profile ↗

Member since: 2015-04-05
Location: Jakarta, Indonesia
Employer: —
Job title: —
Authored: 4 (1 closed)
SVN commit access: 3 (1 closed)
Readme contributor: 0
Combined install base: 440 across 4 plugins

Alerts (0)

No open alerts.

Show 2 resolved alerts

Critical code_pattern Epeken for Anteraja Resolved · vendor_self_publishing_epeken_anteraja_courier 1mo ago

Slug	anteraja
Pattern	`hardcoded_ip_url`
Kind	`builtin`
Version	`2.2`
Hit count	1
First hit	File `epeken-anteraja.php` Line 86 Snippet `$server = 'http://103.252.101.131';`
Explanation	plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.

View raw JSON

{
    "slug": "anteraja",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "2.2",
    "hit_count": 1,
    "first_hit": {
        "file": "epeken-anteraja.php",
        "line": 86,
        "snippet": "$server = 'http://103.252.101.131';"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

Critical code_pattern Epeken All Kurir for Woocommerce Resolved · vendor_self_publishing_epeken_courier 1mo ago

Slug	epeken-all-kurir
Pattern	`hardcoded_ip_url`
Kind	`builtin`
Version	`2.0.6`
Hit count	4
First hit	File `epeken_courier.php` Line 18 Snippet `$server = 'http://174.138.21.166'; //default data server..`
Explanation	plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.

View raw JSON

{
    "slug": "epeken-all-kurir",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "2.0.6",
    "hit_count": 4,
    "first_hit": {
        "file": "epeken_courier.php",
        "line": 18,
        "snippet": "$server = 'http://174.138.21.166'; //default data server.."
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

Plugins authored (4)

Plugin	Version	Installs	Last updated	Status
Epeken All Kurir for Woocommerce ·`epeken-all-kurir`	2.1.1	400	7d ago	Active
Epeken for Anteraja ·`anteraja`	2.2	40	26d ago	Active
Epeken Delivery Date ·`epeken-delivery-date`	1.0	—	7y ago	Active
JExpress Integrated Shipping Plugin for WooCommerce ·`epeken-jexpress`	1.0.0	—	—	Closed

SVN commit access (3)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin	Primary author	Installs	Commits	First	Latest	Status
JExpress Integrated Shipping Plugin for WooCommerce	epeken	—	2	4y ago	4y ago	Closed
Epeken All Kurir for Woocommerce	epeken	400	1	7y ago	7d ago	Active
Epeken for Anteraja	epeken	40	1	5y ago	26d ago	Active