WP Beacon

Abyss.Cong

@safly · wordpress.org profile ↗
Member since
2016-02-04
Location
China
Employer
Beijing OranMe Technology Co., Ltd.
Job title
Founder
Authored
3
SVN commit access
1
Readme contributor
0
Combined install base
200 across 3 plugins

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern SaFly Curl Patch Resolved · tencent_doh_public_dns_explicit_curl_fix 1mo ago
Slugsafly-curl-patch
Patternhardcoded_ip_url
Kindbuiltin
Version1.0.0
Hit count1
First hit
File
SaFly-Curl-Patch.php
Line
70
Snippet
$ip = wp_remote_retrieve_body(wp_remote_get('http://119.29.29.29/d?dn=' . $domain));
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "safly-curl-patch",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "1.0.0",
    "hit_count": 1,
    "first_hit": {
        "file": "SaFly-Curl-Patch.php",
        "line": 70,
        "snippet": "$ip = wp_remote_retrieve_body(wp_remote_get('http://119.29.29.29/d?dn=' . $domain));"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

Plugins authored (3)

Plugin Version Installs Last updated Status
SaFly Curl Patch ·safly-curl-patch 1.0.0 200 8y ago Active
SaFly Cloud Protection ·safly-cloud-protection 3.1.0 8y ago Active
SaFly Article Lock ·safly-article-lock 1.0.0 7y ago Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
SaFly Curl Patch safly 200 4 8y ago 8y ago Active