WP Beacon
Critical code_pattern
Online Payment for Bank Mellat Resolved · vendor_self_publishing_iranian_bank_sms_gateway
1mo ago
| Slug | bank-mellat |
|---|---|
| Pattern | hardcoded_ip_url |
| Kind | builtin |
| Version | 2.0.2 |
| Hit count | 6 |
| First hit |
|
| Explanation | plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths. |
View raw JSON
{
"slug": "bank-mellat",
"pattern": "hardcoded_ip_url",
"kind": "builtin",
"version": "2.0.2",
"hit_count": 6,
"first_hit": {
"file": "includes/BankMellat/class-bank-mellat-sms.php",
"line": 40,
"snippet": "$result = wp_remote_get( 'http://185.4.28.180/class/sms/webservice/send_url.php?from=' . $sms_line_number . '&to=' . $admin_mobile . '&msg=' . urlencode( $sms_text ) . '&uname=' . $sms_user_name ."
},
"explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}