That is a never-ending game of whack-a-mole. There are infinite places to put command and control data.
replyThe attack has to find the control nodes. Domains and IP addresses can be turned off. With this approach, there's no way to stop the finding process even after the attack has been reverse-engineered, short of firewalling or shutting down crypto nodes.
replyWhat happens when Ethereum gets a takedown order?
More generally, what happens as the malware ecosystem integrates with the cryptocurrency ecosystem?
If your Wordpress server had no reason to talk to Ethereum endpoints, then it should have never have been allowed to do so in the first place.
replyShould something like a WordPress server not have a domain allowlist for outbound connections? Does WordPress need to connect to arbitrary domains?
reply> Does this mean firewalls now have to block all Ethereum endpoints?
replyOr, instead of attempting to enumerate the bad, if you run WordPress make sure it can't call out anywhere except a whitelist of hosts if some plugins have legitimate reasons to call out. Assuming the black-hat jiggery-pokery is server side of course.