@Babak @James Bogouin
Hi,
Can you tell me where these folders are?
Are they related to the plugin?
The attacker is trying to install a malicious WordPress plugin called Auto Image Attributes Pro. They have opened the following files:
* /dev/urandom: This is a pseudorandom number generator device. The attacker may be using this to generate random numbers for their attack.
* /etc/dconf/profile/user: This file contains the user's dconf settings. The attacker may be trying to change these settings to gain more control over the system.
* /etc/dpkg/dpkg.cfg: This file contains dpkg configuration options. The attacker may be trying to change these options to make it easier for them to install the malicious plugin.
* /etc/dpkg/dpkg.cfg.d/pkg-config-hook-config: This file contains a hook that is executed when a package is installed or removed. The attacker may be trying to modify this hook to install the malicious plugin automatically.
* /etc/fonts/conf.avail: This directory contains font configuration files. The attacker may be trying to modify these files to inject malicious code into your system.
The attacker has also written the following file:
* /root/.cache/dconf/user: This file contains the user's dconf settings. The attacker may have written this file to store their malicious settings.
The attacker has executed the following shell commands:
* /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh engrampa /tmp/auto-image-attributes-pro_v4.3-nulled.zip: This command opens the file /tmp/auto-image-attributes-pro_v4.3-nulled.zip in the engrampa file manager. This is likely the malicious plugin that the attacker is trying to install.
* /usr/lib/p7zip/7z l -slt -bd -y -- /tmp/auto-image-attributes-pro_v4.3-nulled.zip: This command lists the contents of the file /tmp/auto-image-attributes-pro_v4.3-nulled.zip. This is likely the attacker checking to see if the malicious plugin is in the file.
* dbus-launch --autolaunch=a39eb3ed78b7401fb6809ed0c562a5b1 --binary-syntax --close-stderr: This command starts the dbus-launch service. This service is used to launch other programs. The attacker may be using this service to launch the malicious plugin automatically.
* dpkg --print-architecture: This command prints the system architecture. The attacker may be using this information to determine if their malicious plugin is compatible with the system.
* engrampa /tmp/auto-image-attributes-pro_v4.3-nulled.zip: This command opens the file /tmp/auto-image-attributes-pro_v4.3-nulled.zip in the engrampa file manager. This is likely the malicious plugin that the attacker is trying to install.
The attacker has also created the following process tree:
* 3204 - /usr/bin/exo-open exo-open /tmp/auto-image-attributes-pro_v4.3-nulled.zip: This process opens the file /tmp/auto-image-attributes-pro_v4.3-nulled.zip in the exo-open file manager. This is likely the malicious plugin that the attacker is trying to install.
* 3206 - /usr/bin/dbus-launch dbus-launch --autolaunch=a39eb3ed78b7401fb6809ed0c562a5b1 --binary-syntax --close-stderr: This process starts the dbus-launch service. This service is used to launch other programs. The attacker may be using this service to launch the malicious plugin automatically.
* 3208 - /usr/bin/exo-open n/a: This process is not responding. It may have been terminated by the attacker.
* 3209 - /usr/bin/engrampa engrampa /tmp/auto-image-attributes-pro_v4.3-nulled.zip: This process opens the file /tmp/auto-image-attributes-pro_v4.3-nulled.zip in the engrampa file manager. This is likely the malicious plugin that the attacker is trying to install.
* 3212 - /usr/bin/dbus-launch dbus-launch --autolaunch=a39eb3ed78b7401fb6809ed0c562a5b1 --binary-syntax --close-stderr: This process starts the dbus-launch