
Exposed Server at 137.175.93.126 Logs 25,195 Confirmed WordPress and Joomla Webshell Installs in WP-SHELLSTORM Operation
WP-SHELLSTORM's exposed server revealed the full pipeline from FOFA scanning through webshell deployment and resale, confirming thousands of active compromises far below headline target counts. The incident highlights how plugin vulnerabilities in WordPress and Joomla enable persistent access brokerage that receives limited sustained tracking. Connections to prior VShell use show recurring infrastructure rather than novel campaigns.
The exposed Python web server ran for 22 days after June 11 2026, revealing automated scanners targeting 1.4 million domains pulled from FOFA. Primary success came from CVE-2026-3844 in the Breeze plugin, which hit 45,000 targets and yielded over 17,000 shells when the non-default Gravatars setting was enabled. SOCRadar counted 5,700 live shells while Ctrl-Alt-Intel's deduplication reached 25,195 validated compromises, showing the gap between scan lists and actual access. Evidence includes four-layer obfuscated down.php derived from BestShell, SNOWLIGHT droppers installing VShell masquerading as [kworker/0:2], and typed operator commands confirming resale of access. Joomla JCE targets exceeded 560,000 yet produced only 77 shells, underscoring low conversion rates typical of mass exploitation. This matches a documented pattern of long-lived web-server compromise where initial plugin flaws enable persistent brokerage operations that persist because remediation focuses on symptoms rather than infrastructure exposure. The same VShell chain appeared in Sysdig's April 2025 reporting on UNC5174 activity, though VShell's open distribution prevents firm state attribution from tooling alone. Follow-up coverage remains thin; the same infrastructure model will likely reappear on new rented IPs within weeks unless hosting providers implement directory indexing blocks and rapid takedown for known malicious patterns.
SOCRadar: At least 30 percent of the 5,700 active webshells will remain reachable on the same domains 60 days after July 2026 disclosure.
Sources (3)
- [1]SOCRadar WP-SHELLSTORM Report(https://socradar.com/exposed-server-wp-shellstorm)
- [2]Ctrl-Alt-Intel Hunt.io Analysis(https://ctrl-alt-intel.com/hunt-wp-shellstorm)
- [3]Sysdig UNC5174 VShell Tracking(https://sysdig.com/blog/unc5174-snowlight-vshell)