Web Shells and RFIs Collection

      I wrote a little script to periodically look through my web logs for unique RFIs and Web Shells, and then collect them on one page where I can go look at them or download them to add to my Web Shell library. Many of these attacks are repeated multiple time, so I ignore the time fields in judging if an RFI/Web Shell is unique. I've coded it to weed out links to Web Shells that 404. I also use nofollow and a referrer hiding service so it does not look like I'm attacking anyone with the web shells (but the check for 404 sort of looks suspicious). This page will also let you link off to firebwall.com where you can use their PHP decoder to look at the obfuscated code. Enjoy my Web Shell zoo, it should update itself every hour or so. If you see your domain on the list of websites hosting Web Shells you are likely pwned and should clean up your server.
Filtered for more likely Webshell RFIs

Attacker	Whois IP	Request	View on PHP Decoder	Agent	Referer	Time
187.40.82.13	Whois	http://www.amerint.com.br/plugins/system/chupa.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	24/Dec/2012:19:47:31 -0800
187.40.81.59	Whois	http://www.goodigood.com/mcharge/php/class//ekta.txt?	View on PHP Decoder	-	-	20/Dec/2012:13:48:06 -0800
186.249.211.224	Whois	http://www.goodigood.com/mcharge/php/class//dek.txt?	View on PHP Decoder	-	-	20/Dec/2012:01:16:04 -0800
189.90.43.3	Whois	http://www.qualityom.com.br/plugins/system/ip.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	18/Dec/2012:12:17:48 -0800
187.58.105.54	Whois	http://c99.gen.tr/c99.txt?	View on PHP Decoder	Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1	-	17/Dec/2012:13:26:10 -0800
187.40.106.182	Whois	http://www.luvex.com.br/teste/riko.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	16/Dec/2012:20:34:42 -0800
200.98.143.17	Whois	http://www.goodigood.com/mainfiles/teste.txt?	View on PHP Decoder	-	-	14/Dec/2012:16:12:49 -0800
189.72.209.60	Whois	http://casamarvera10.cwahi.net/tester.txt??	View on PHP Decoder	Mozilla/3.0 (compatible; Indy Library)	-	13/Dec/2012:13:57:09 -0800
200.98.143.17	Whois	http://www.goodigood.com/mainfiles/inside.txt?	View on PHP Decoder	-	-	13/Dec/2012:04:38:05 -0800
81.177.22.64	Whois	http://adamhomes.co.uk/scripts/id1.txt?	View on PHP Decoder	Mozilla/5.0	-	13/Dec/2012:01:15:11 -0800
118.97.95.231	Whois	http://ijencrew.wapsite.me/bnc.ichat.txt??	View on PHP Decoder	Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0	-	11/Dec/2012:09:04:35 -0800
190.188.186.123	Whois	http://mobile.asnieres-sur-seine.fr/data/hjkjyuf43.txt?	View on PHP Decoder	Mozilla/3.0 (compatible; Indy Library)	-	09/Dec/2012:17:21:14 -0800
187.40.111.9	Whois	http://www.khonkaenrongyen.com/plugins/cmd2.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	06/Dec/2012:20:58:26 -0800
187.40.103.247	Whois	http://www.jcestetica.com.br/plugins/system/r57.txt??	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	06/Dec/2012:06:38:05 -0800
111.68.215.186	Whois	http://www.sungeundongsan.org/zb/id.txt?	View on PHP Decoder	libwww-perl/5.805	-	05/Dec/2012:21:35:42 -0800
200.98.129.248	Whois	http://www.ideocondo.com/php/new/flood/Scripts/g.txt?	View on PHP Decoder	Mozilla/3.0 (compatible; Indy Library)	-	03/Dec/2012:18:45:35 -0800
200.98.164.226	Whois	http://swiatodziezy.com/libraries/inside.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	02/Dec/2012:10:11:41 -0800
177.6.107.193	Whois	http://www.kini-kini.com/ancien_kini/optms.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	29/Nov/2012:03:43:41 -0800
5.39.9.95	Whois	http://www.dunkerquepromotion.org/images/temoignages/danger.txt??	View on PHP Decoder	Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1	-	27/Nov/2012:16:21:38 -0800
111.119.184.52	Whois	http://c99.gen.tr/c99.txt	View on PHP Decoder	Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0	-	26/Nov/2012:22:24:24 -0800
200.98.140.97	Whois	http://www.ntempreco.com/teste.txt??	View on PHP Decoder	Mozilla/3.0 (compatible; Indy Library)	-	26/Nov/2012:16:29:14 -0800
200.98.129.118	Whois	http://www.asiandogs.ru/dog/id1.txt??	View on PHP Decoder	Mozilla/5.0	-	24/Nov/2012:16:48:24 -0800
189.73.212.194	Whois	http://galaxiauniversal.com/css/optms.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	24/Nov/2012:03:09:29 -0800
187.40.94.178	Whois	http://www.jcestetica.com.br/plugins/system/r57.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	20/Nov/2012:12:21:40 -0800
176.254.215.142	Whois	http://www.drivehq.com/web/v3nd3tta/shells/c99.txt?	View on PHP Decoder	Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0	-	18/Nov/2012:15:45:22 -0800
177.25.109.82	Whois	http://egyptinsideout.com/plugins/system/nnframework/images/tester.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	17/Nov/2012:04:26:40 -0800
189.74.19.227	Whois	http://pc.eromil.com/goza.txt?	View on PHP Decoder	Mozilla/3.0 (compatible; Indy Library)	-	16/Nov/2012:15:47:09 -0800
200.98.171.238	Whois	http://acesso9583.hut4.ru/tester.txt?	View on PHP Decoder	-	-	14/Nov/2012:16:43:05 -0800
201.15.114.66	Whois	http://www.buy-nippon-motors.com/com/js/swfobject/optms.txt	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	14/Nov/2012:14:58:25 -0800
187.90.77.194	Whois	http://www.xambre.pr.gov.br/plugins/system/tester.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	14/Nov/2012:08:46:22 -0800
189.48.124.171	Whois	http://egyptinsideout.com/plugins/system//tooltips/images/tester.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	14/Nov/2012:06:18:24 -0800
189.1.174.192	Whois	http://www.wushu.org.ge/e107_images/david.txt	View on PHP Decoder	Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8pre) Gecko/20070928 Firefox/2.0.0.7 Navigator/9.0RC1	-	13/Nov/2012:17:23:57 -0800
201.24.16.247	Whois	http://produtosmaster.com/sonaberadinha.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	09/Nov/2012:04:25:14 -0800
189.73.213.247	Whois	http://produtosmaster.com/sonaberadinha.txt	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	08/Nov/2012:10:35:59 -0800
5.39.9.95	Whois	http://swjzaleze.ovh.org/swietlica_15/danger.txt??	View on PHP Decoder	Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1	-	04/Nov/2012:08:49:21 -0800
49.156.155.246	Whois	http://ead-aerospace.com/Intranet/Dossiers/Customers/2/c99.txt	View on PHP Decoder	Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4	-	01/Nov/2012:07:32:59 -0700
72.55.132.168	Whois	http://jamina.vacau.com/e107_admin/raw.txt??	View on PHP Decoder	Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511	-	26/Oct/2012:20:12:31 -0700
64.20.38.154	Whois	http://c99.gen.tr/r57.txt?&security/changemac	View on PHP Decoder	Snoopy v1.2.4	-	24/Oct/2012:11:12:35 -0700
64.20.38.154	Whois	http://c99.gen.tr/r57.txt?&security/windows-forensics-registry-and-file-system-spots	View on PHP Decoder	Snoopy v1.2.4	-	24/Oct/2012:11:09:59 -0700
64.20.38.154	Whois	http://c99.gen.tr/r57.txt?&security/networkprinterhacking	View on PHP Decoder	Snoopy v1.2.4	-	24/Oct/2012:10:35:49 -0700
177.0.49.124	Whois	http://www.jkchemicals.in/wp-content/themes/Chameleon/cache/shell.txt	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	20/Oct/2012:18:22:20 -0700
186.247.205.162	Whois	http://www.acfinance.com.br/tool.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	18/Oct/2012:09:45:34 -0700
200.98.164.62	Whois	http://c99.gen.tr/c99.txt??	View on PHP Decoder	Mozilla/3.0 (compatible; Indy Library)	-	17/Oct/2012:16:42:06 -0700
217.71.106.39	Whois	http://www.avidsen.com/2009/danger.txt????	View on PHP Decoder	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13	-	17/Oct/2012:05:41:12 -0700
63.143.40.27	Whois	http://www.nysnagard.no/mail.txt?	View on PHP Decoder	Mozilla/3.0 (compatible; Indy Library)	-	04/Oct/2012:08:25:27 -0700
187.40.106.157	Whois	http://www.akakaslogistics.com/manolo.txt?	View on PHP Decoder	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)	-	02/Oct/2012:22:20:27 -0700