185.220.101.21 → 185.220.101.0/24 AS200052
Appears to be a "Feral Hosting" IP address, located in London, UK
Downloaded to my honey pot as a WordPress plugin installation. Downloaded a Zip file, so it probably would install on a real WordPress instance.
I could not find any obviously evil PHP code.
No extra files. Downloaded current File Manager, unzipped it, and matched file names with the honey pot download.
Couldn't find anything fishy by
find . -type f | xargs egrep -a 'eval|assert|base64_decode|preg|ereg'
No "eval" or "assert" used in code, only a legit use of base64_decode(). Granted, even simple obfuscation could overcome the regular expression based search.
Nothing but CSS files seemed to have extremely long lines of text.
However, a file manager, illegitimately installed, would have a lot of use to someone covertly taking over a WordPress installation. About half of WSO web shell functions are file management.
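As an added example, not part of the post or of the File Manager plugin itself: a Python script that automates the three checks the post describes, diffing the captured upload against the vendor release, grepping PHP files for the listed functions (preg_replace and create_function are added to the post's list as an assumption), and measuring line length. The plugin contents below are constructed stand-ins, not the real files.

```python
import io
import re
import zipfile

# The function names the post grepped for; a "(" must follow so "assert" in a comment is not a hit.
SUSPICIOUS = re.compile(rb"\b(eval|assert|base64_decode|preg_replace|create_function|ereg)\s*\(")
MAX_LINE = 1000  # minified CSS/JS legitimately exceed this, so only PHP files are measured

def files_in(zip_bytes):
    """Map every file path inside a plugin zip to its bytes (directory entries skipped)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: zf.read(i.filename) for i in zf.infolist() if not i.is_dir()}

def analyze(captured_zip, reference_zip):
    """Diff a captured upload against the vendor release, then scan its PHP files; returns extra/missing/modified paths and (path, reason) findings."""
    cap, ref = files_in(captured_zip), files_in(reference_zip)
    report = {
        "extra": sorted(set(cap) - set(ref)),        # files the real release does not ship
        "missing": sorted(set(ref) - set(cap)),
        "modified": sorted(p for p in cap.keys() & ref.keys() if cap[p] != ref[p]),
        "findings": [],
    }
    for path, data in cap.items():
        if not path.endswith(".php"):
            continue
        for m in SUSPICIOUS.finditer(data):
            report["findings"].append((path, m.group(1).decode()))
        longest = max((len(line) for line in data.splitlines()), default=0)
        if longest > MAX_LINE:  # a very long PHP line is a cheap obfuscation tell the grep misses
            report["findings"].append((path, f"line of {longest} bytes"))
    return report

def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()

# Constructed stand-ins, not the real plugin: the release has one legitimate base64_decode()
# call and a long minified CSS line; the captured upload adds a file the release lacks.
LEGIT = {
    "file-manager/file-manager.php": b"<?php\n$icon = base64_decode($encoded_icon);\n",
    "file-manager/css/style.css": b"body{" + b"a" * 3000 + b"}\n",
}
REFERENCE = make_zip(LEGIT)
CAPTURED = make_zip({**LEGIT, "file-manager/inc/cache.php":
                     b"<?php\n$p = \"" + b"A" * 1500 + b"\";\neval(base64_decode($p));\n"})
if __name__ == "__main__":
    print(analyze(CAPTURED, REFERENCE))
```

Run against the honeypot zip and a freshly downloaded release, the post's result would be empty extra/missing/modified lists and a single base64_decode finding to triage by hand.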