After the infection, multiple IP’s try to access the wp-xmlrpc.php file. Suspicious activity captured by WebARX activity logsĪttackers are abusing a vulnerability within the plugin to log in to an existing account, uploading tmp.zip file to install fake Seo stats plugin which will then add a wp-xmlrpc.php backdoor to the root directory of the vulnerable website.
