Open bobbingwide opened 3 years ago
While analysing the daily trace summary file from my local machine (s.b/wordpress) I noted that some of the requests logged as being to the home URL were actually batch invocations run under oikwp.
Sample output for an oikwp batch command was:
/,,8.566959,7.4.0,1286,5022,809,29,1074,40,37,21,14,0.060049772262573,C:/apache/htdocs/wordpress/bwtrace3/bwtrace.cli,110,0,14994,,8.566388,2021-01-04T20:54:15+00:00,,GET
Sample output for a wp cli command was:
\d_drive\dos\wp-cli.phar plugin list,,4.589548,7.4.0,1286,5436,1224,29,1556,40,37,21,41,0.14247679710388,C:/apache/htdocs/wordpress/bwtrace3/bwtrace.cli,275,220,70765,127.0.0.1,4.588934,2021-01-04T20:47:19+00:00,,GET
oikwp batch commands can be detected by a null IP address.
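As an added example (not code from the issue author or from the trace plugin), the following Python classifier applies the check described above to trace summary records, so that home-URL hits produced by batch runs are not counted as web traffic. The field positions are assumptions inferred from the two records quoted in the issue, the `wp-cli.phar` match is taken from the quoted wp record, and the third sample record is constructed.

```python
import csv
import io
import ipaddress

# The two records quoted in the issue, plus one constructed web request
# (placeholder values, documentation IP range) for contrast.
SAMPLE = r"""/,,8.566959,7.4.0,1286,5022,809,29,1074,40,37,21,14,0.060049772262573,C:/apache/htdocs/wordpress/bwtrace3/bwtrace.cli,110,0,14994,,8.566388,2021-01-04T20:54:15+00:00,,GET
\d_drive\dos\wp-cli.phar plugin list,,4.589548,7.4.0,1286,5436,1224,29,1556,40,37,21,41,0.14247679710388,C:/apache/htdocs/wordpress/bwtrace3/bwtrace.cli,275,220,70765,127.0.0.1,4.588934,2021-01-04T20:47:19+00:00,,GET
/,,0.512345,7.4.0,1286,5100,900,29,1100,40,37,21,14,0.05,trace-file-placeholder,120,0,15000,192.0.2.10,0.511,2021-01-04T21:00:00+00:00,,GET
"""

FIELDS = 23     # field count observed in the quoted records
REQUEST = 0     # assumption: first field holds the request URI or command line
REMOTE_IP = 18  # assumption: IP field position, inferred from the quoted records


def classify(row):
    """Return 'oikwp-batch', 'wp-cli', 'web' or 'malformed' for one record."""
    if len(row) != FIELDS:
        return "malformed"
    ip = row[REMOTE_IP].strip()
    if ip == "":
        # Null IP address: the marker the issue gives for oikwp batch runs.
        return "oikwp-batch"
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    # wp-cli records carry an IP (127.0.0.1 in the quoted record), so they
    # are recognised by the command line in the request field instead.
    if "wp-cli.phar" in row[REQUEST]:
        return "wp-cli"
    return "web"


def classify_summary(text):
    """Classify every non-empty record; returns (request, kind) pairs."""
    reader = csv.reader(io.StringIO(text))
    return [(row[REQUEST], classify(row)) for row in reader if row]


def home_url_hits(text):
    """Split records logged against '/' into real web hits and batch runs."""
    kinds = [kind for request, kind in classify_summary(text) if request == "/"]
    return {"web": kinds.count("web"), "batch": kinds.count("oikwp-batch")}


if __name__ == "__main__":
    for request, kind in classify_summary(SAMPLE):
        print(f"{kind:12} {request}")
    print(home_url_hits(SAMPLE))
```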