| name | wp-attacker-profile |
| description | Build an attacker IP/identity profile from WordPress forensic data. Extracts IPs from session_tokens, honeypot logs, login monitor alerts. Cross-references with a configurable ISP map or runs whois automatically. Output suitable for police reports and ISP abuse complaints. Works on any WP install.
|
| metadata | {"type":"forensics","script":"scripts/forensics/wp-attacker-profile.py","requires":"paramiko"} |
WP-ATTACKER-PROFILE — Forensic IP Analysis
Usage
python scripts/forensics/wp-attacker-profile.py \
--config config/config.yaml \
--isp-map config/isp-map.yaml \
--json > attacker-profile.json
python scripts/forensics/wp-attacker-profile.py \
--config config/config.yaml --whois
python scripts/forensics/wp-attacker-profile.py \
--config config/config.yaml
ISP map setup
cp config/isp-map.example.yaml config/isp-map.yaml
What it extracts
- WP session_tokens — Login IPs stored per-user (bypasses VPN if attacker authenticated to WP Admin without one)
- Honeypot hits — IP + WebRTC fingerprint from
honeypot.php error_log
- Login monitor alerts — Admin logins logged by
login-monitor.php
- Suspicious admin accounts — Pattern-matched against common attacker usernames
How to use the output for abuse reports
- Take each IP from the profile
- Run
whois <IP> to find the ISP's abuse contact
- Email
abuse@<isp> with: incident date/time, IP, damage description
- Also report to national cybercrime agency (Action Fraud, IC3, etc.)
ISP contact tips
Most ISPs respond to abuse reports within 24-72 hours. Include:
- Your site URL
- The exact IP address
- Date and time (UTC) of the incident
- A description of what was done (malware upload, admin account creation, etc.)
- Evidence (attach the attacker profile JSON)