The Apache access logs in the exhibit show a sequence of HTTP requests and responses indicative of a malicious upload via WordPress:
A POST to /wp-admin/admin-ajax.php with parameters that include uploading r57.php (a known PHP web shell). The uploaded file name appears as r57.php in: &name=%5B%5D=r57.php&FILES...
There are plugin installation and activation attempts, specifically for the file-manager plugin (plugin=file-manager&...), which is known to be vulnerable and exploited for file uploads.
GET requests to /wp-content/57.php and variations such as 57.php?28. This suggests that r57.php was successfully uploaded and is being accessed.
These logs reveal that:
D. The attacker used the WordPress file manager plugin to upload r57.php — confirmed by plugin activity and file uploads.
B. The attacker uploaded the WordPress file manager trojan — as evidenced by the direct access to /wp-content/57.php (r57 shell variant).
Other options are invalid or speculative:
A is correct in identifying r57 as a web shell, but the logs don't show privilege escalation.
C mentions brute force and SQL injection, which are not indicated here.
E assumes legitimate access — logs suggest exploitation, not standard login.
Reference: CyberOps Technologies (CBRFIR) 300-215 study guide, Chapter on “Analyzing HTTP and Apache Logs for Intrusion Behavior” and “Common CMS Exploits via Plugins and Upload”
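The three indicators described above (file-manager plugin activity, a POST to admin-ajax.php naming a .php file, then a successful GET of a PHP file directly under /wp-content/) can be correlated per client IP. The following is an added example, not part of the exhibit or the study guide; the log lines are constructed, and the function names and exact query-string layouts are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not the exhibit itself).
SAMPLE_LOG = '''\
198.51.100.9 - - [10/May/2024:09:58:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=file-manager HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:01:40 +0000] "POST /wp-admin/admin-ajax.php?name%5B%5D=r57.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:02:05 +0000] "GET /wp-content/57.php?28 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:10:05:00 +0000] "GET /wp-content/57.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(method, url, status):
    """Map one request to a stage of the pattern (plugin/upload/access), or None."""
    path, _, query = unquote(url).partition("?")  # decode %5B%5D etc. before matching
    if "plugin=file-manager" in query:
        return "plugin"
    if (method == "POST" and path == "/wp-admin/admin-ajax.php"
            and re.search(r"=[^&]*\.php(&|$)", query, re.I)):
        return "upload"  # a parameter value names a .php file
    if (method == "GET" and status == "200"
            and re.fullmatch(r"/wp-content/[^/]+\.php", path, re.I)):
        return "access"  # PHP file served from the top of wp-content
    return None

def find_upload_chains(log_text):
    """Return {client_ip: stages} for clients showing plugin -> upload -> access in order."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, _ts, method, url, status = m.groups()
        stage = classify(method, url, status)
        if stage:
            seen.setdefault(ip, []).append(stage)
    flagged = {}
    for ip, stages in seen.items():
        it = iter(stages)  # shared iterator makes this an ordered-subsequence check
        if all(s in it for s in ("plugin", "upload", "access")):
            flagged[ip] = stages
    return flagged

if __name__ == "__main__":
    for ip, stages in find_upload_chains(SAMPLE_LOG).items():
        print(ip, "->", " -> ".join(stages))
```

Only the client that completes all three stages in order is reported; the heartbeat POST and the 404 probe from other addresses are ignored.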