222.77.242.65 has no domain name.
222.77.242.65 is a Chinanet IP address.
inetnum: 222.76.0.0 - 222.79.255.255
netname: CHINANET-FJ
descr: CHINANET fujian province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
p0f3 thinks that "Windows 7 or 8" ran that IP address.
The attacker(s) invoked a URL ending in /wp-content/themes/twentytwelve/404.php
That's a fairly common place for people to hide web shells and other backdoors.
The attacker(s) set stereotypical WSO web shell HTTP parameters and values.
| Name | Value |
|---|---|
| a | FilesMAn |
| c | /var/www/html/wp-content/themes/twentytwelve/ |
| p1 | uploadFile |
| charset | Windows-1251 |
Windows-1251 is an 8-bit character encoding designed to do Cyrillic writing.
The file downloaded would have been named l.php.
The HTTP headers include a User Agent:
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131
that confirms the "Windows 7 or 8" judgement about the attacking computer. The preferred language of the computer's user was Chinese:
zh-CN,zh;q=0.9
That matches the attack coming from a China Telecom address, but that's a pretty weak link.
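The parameter pattern in the table above (a theme 404.php path, `a=FilesMAn`, `c=` an absolute directory, `p1=uploadFile`, `charset=Windows-1251`) is easy to match in request logs. The following is an added detection example, not code from the original post; the sample requests are constructed to mirror the one described, and the "three or more indicators" threshold is an assumption of this example.

```python
"""Score HTTP requests against the WSO web-shell parameter pattern seen above."""
from urllib.parse import parse_qs, urlparse
from typing import Dict, List, Tuple

# Constructed sample requests, not real captures: (method, url, body, headers).
# The first mirrors the request described in the post; the others are benign.
SAMPLE_REQUESTS: List[Tuple[str, str, str, Dict[str, str]]] = [
    ("POST", "/wp-content/themes/twentytwelve/404.php",
     "a=FilesMAn&c=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fthemes%2Ftwentytwelve%2F"
     "&p1=uploadFile&charset=Windows-1251",
     {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36",
      "Accept-Language": "zh-CN,zh;q=0.9"}),
    ("GET", "/wp-content/themes/twentytwelve/style.css?ver=1.0", "",
     {"User-Agent": "Mozilla/5.0", "Accept-Language": "en-US,en;q=0.9"}),
    ("POST", "/wp-login.php", "log=editor&pwd=hunter2",
     {"User-Agent": "Mozilla/5.0", "Accept-Language": "en-US,en;q=0.9"}),
]

SUSPECT_THRESHOLD = 3  # assumption: three or more indicators flags the request

def parse_request(method: str, url: str, body: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a request into its path and merged query/body parameters."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return parsed.path, params

def wso_indicators(path: str, params: Dict[str, List[str]]) -> List[str]:
    """Return the names of WSO-style indicators present in one request."""
    first = lambda k: params.get(k, [""])[0]  # first value of a parameter
    hits = []
    if path.endswith("/404.php") and "/wp-content/themes/" in path:
        hits.append("theme 404.php path")
    if first("a").lower() == "filesman":          # case varies, e.g. FilesMAn
        hits.append("a=FilesMan action")
    if first("p1").lower() == "uploadfile":
        hits.append("p1=uploadFile")
    if first("charset").lower() == "windows-1251":
        hits.append("charset=Windows-1251")
    if first("c").startswith("/"):                # c= is the shell's working dir
        hits.append("c= absolute directory")
    return hits

def classify(requests) -> List[Dict]:
    """Annotate each request with its indicators, score and client language."""
    results = []
    for method, url, body, headers in requests:
        path, params = parse_request(method, url, body)
        hits = wso_indicators(path, params)
        results.append({"path": path, "hits": hits, "score": len(hits),
                        "suspect": len(hits) >= SUSPECT_THRESHOLD,
                        "lang": headers.get("Accept-Language", "")})
    return results
```

Run `classify(SAMPLE_REQUESTS)` to see the first request flagged with all five indicators and the benign ones scoring zero; feeding it parsed web-server or WAF logs is the realistic use.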