Web Shells and RFIs Collection
Web Shells and RFIs Collection
I
wrote a little script to periodically look through my web logs for
unique RFIs and Web Shells, and then collect them on one page where I
can go look at them or download them to add to my Web Shell library.
Many of these attacks are repeated multiple time, so I ignore the time
fields in judging if an RFI/Web Shell is unique. I've coded it to weed
out links to Web Shells that 404. I also use nofollow and a referrer
hiding service so it does not look like I'm attacking anyone with the
web shells (but the check for 404 sort of looks suspicious). This page
will also let you link off to firebwall.com
where you can use their PHP decoder to look at the obfuscated code.
Enjoy my Web Shell zoo, it should update itself every hour or so. If you
see your domain on the list of websites hosting Web Shells you are
likely pwned and should clean up your server.| Attacker | Whois IP | Request | View on PHP Decoder | Agent | Referer | Time |
| 187.40.82.13 | Whois | http://www.amerint.com.br/plugins/system/chupa.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 24/Dec/2012:19:47:31 -0800 |
| 187.40.81.59 | Whois | http://www.goodigood.com/mcharge/php/class//ekta.txt? | View on PHP Decoder | - | - | 20/Dec/2012:13:48:06 -0800 |
| 186.249.211.224 | Whois | http://www.goodigood.com/mcharge/php/class//dek.txt? | View on PHP Decoder | - | - | 20/Dec/2012:01:16:04 -0800 |
| 189.90.43.3 | Whois | http://www.qualityom.com.br/plugins/system/ip.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 18/Dec/2012:12:17:48 -0800 |
| 187.58.105.54 | Whois | http://c99.gen.tr/c99.txt? | View on PHP Decoder | Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 | - | 17/Dec/2012:13:26:10 -0800 |
| 187.40.106.182 | Whois | http://www.luvex.com.br/teste/riko.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 16/Dec/2012:20:34:42 -0800 |
| 200.98.143.17 | Whois | http://www.goodigood.com/mainfiles/teste.txt? | View on PHP Decoder | - | - | 14/Dec/2012:16:12:49 -0800 |
| 189.72.209.60 | Whois | http://casamarvera10.cwahi.net/tester.txt?? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 13/Dec/2012:13:57:09 -0800 |
| 200.98.143.17 | Whois | http://www.goodigood.com/mainfiles/inside.txt? | View on PHP Decoder | - | - | 13/Dec/2012:04:38:05 -0800 |
| 81.177.22.64 | Whois | http://adamhomes.co.uk/scripts/id1.txt? | View on PHP Decoder | Mozilla/5.0 | - | 13/Dec/2012:01:15:11 -0800 |
| 118.97.95.231 | Whois | http://ijencrew.wapsite.me/bnc.ichat.txt?? | View on PHP Decoder | Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0 | - | 11/Dec/2012:09:04:35 -0800 |
| 190.188.186.123 | Whois | http://mobile.asnieres-sur-seine.fr/data/hjkjyuf43.txt? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 09/Dec/2012:17:21:14 -0800 |
| 187.40.111.9 | Whois | http://www.khonkaenrongyen.com/plugins/cmd2.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 06/Dec/2012:20:58:26 -0800 |
| 187.40.103.247 | Whois | http://www.jcestetica.com.br/plugins/system/r57.txt?? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 06/Dec/2012:06:38:05 -0800 |
| 111.68.215.186 | Whois | http://www.sungeundongsan.org/zb/id.txt? | View on PHP Decoder | libwww-perl/5.805 | - | 05/Dec/2012:21:35:42 -0800 |
| 200.98.129.248 | Whois | http://www.ideocondo.com/php/new/flood/Scripts/g.txt? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 03/Dec/2012:18:45:35 -0800 |
| 200.98.164.226 | Whois | http://swiatodziezy.com/libraries/inside.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 02/Dec/2012:10:11:41 -0800 |
| 177.6.107.193 | Whois | http://www.kini-kini.com/ancien_kini/optms.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 29/Nov/2012:03:43:41 -0800 |
| 5.39.9.95 | Whois | http://www.dunkerquepromotion.org/images/temoignages/danger.txt?? | View on PHP Decoder | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 | - | 27/Nov/2012:16:21:38 -0800 |
| 111.119.184.52 | Whois | http://c99.gen.tr/c99.txt | View on PHP Decoder | Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0 | - | 26/Nov/2012:22:24:24 -0800 |
| 200.98.140.97 | Whois | http://www.ntempreco.com/teste.txt?? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 26/Nov/2012:16:29:14 -0800 |
| 200.98.129.118 | Whois | http://www.asiandogs.ru/dog/id1.txt?? | View on PHP Decoder | Mozilla/5.0 | - | 24/Nov/2012:16:48:24 -0800 |
| 189.73.212.194 | Whois | http://galaxiauniversal.com/css/optms.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 24/Nov/2012:03:09:29 -0800 |
| 187.40.94.178 | Whois | http://www.jcestetica.com.br/plugins/system/r57.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 20/Nov/2012:12:21:40 -0800 |
| 176.254.215.142 | Whois | http://www.drivehq.com/web/v3nd3tta/shells/c99.txt? | View on PHP Decoder | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 | - | 18/Nov/2012:15:45:22 -0800 |
| 177.25.109.82 | Whois | http://egyptinsideout.com/plugins/system/nnframework/images/tester.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 17/Nov/2012:04:26:40 -0800 |
| 189.74.19.227 | Whois | http://pc.eromil.com/goza.txt? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 16/Nov/2012:15:47:09 -0800 |
| 200.98.171.238 | Whois | http://acesso9583.hut4.ru/tester.txt? | View on PHP Decoder | - | - | 14/Nov/2012:16:43:05 -0800 |
| 201.15.114.66 | Whois | http://www.buy-nippon-motors.com/com/js/swfobject/optms.txt | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 14/Nov/2012:14:58:25 -0800 |
| 187.90.77.194 | Whois | http://www.xambre.pr.gov.br/plugins/system/tester.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 14/Nov/2012:08:46:22 -0800 |
| 189.48.124.171 | Whois | http://egyptinsideout.com/plugins/system//tooltips/images/tester.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 14/Nov/2012:06:18:24 -0800 |
| 189.1.174.192 | Whois | http://www.wushu.org.ge/e107_images/david.txt | View on PHP Decoder | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8pre) Gecko/20070928 Firefox/2.0.0.7 Navigator/9.0RC1 | - | 13/Nov/2012:17:23:57 -0800 |
| 201.24.16.247 | Whois | http://produtosmaster.com/sonaberadinha.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 09/Nov/2012:04:25:14 -0800 |
| 189.73.213.247 | Whois | http://produtosmaster.com/sonaberadinha.txt | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 08/Nov/2012:10:35:59 -0800 |
| 5.39.9.95 | Whois | http://swjzaleze.ovh.org/swietlica_15/danger.txt?? | View on PHP Decoder | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 | - | 04/Nov/2012:08:49:21 -0800 |
| 49.156.155.246 | Whois | http://ead-aerospace.com/Intranet/Dossiers/Customers/2/c99.txt | View on PHP Decoder | Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4 | - | 01/Nov/2012:07:32:59 -0700 |
| 72.55.132.168 | Whois | http://jamina.vacau.com/e107_admin/raw.txt?? | View on PHP Decoder | Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 | - | 26/Oct/2012:20:12:31 -0700 |
| 64.20.38.154 | Whois | http://c99.gen.tr/r57.txt?&security/changemac | View on PHP Decoder | Snoopy v1.2.4 | - | 24/Oct/2012:11:12:35 -0700 |
| 64.20.38.154 | Whois | http://c99.gen.tr/r57.txt?&security/windows-forensics-registry-and-file-system-spots | View on PHP Decoder | Snoopy v1.2.4 | - | 24/Oct/2012:11:09:59 -0700 |
| 64.20.38.154 | Whois | http://c99.gen.tr/r57.txt?&security/networkprinterhacking | View on PHP Decoder | Snoopy v1.2.4 | - | 24/Oct/2012:10:35:49 -0700 |
| 177.0.49.124 | Whois | http://www.jkchemicals.in/wp-content/themes/Chameleon/cache/shell.txt | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 20/Oct/2012:18:22:20 -0700 |
| 186.247.205.162 | Whois | http://www.acfinance.com.br/tool.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 18/Oct/2012:09:45:34 -0700 |
| 200.98.164.62 | Whois | http://c99.gen.tr/c99.txt?? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 17/Oct/2012:16:42:06 -0700 |
| 217.71.106.39 | Whois | http://www.avidsen.com/2009/danger.txt???? | View on PHP Decoder | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 | - | 17/Oct/2012:05:41:12 -0700 |
| 63.143.40.27 | Whois | http://www.nysnagard.no/mail.txt? | View on PHP Decoder | Mozilla/3.0 (compatible; Indy Library) | - | 04/Oct/2012:08:25:27 -0700 |
| 187.40.106.157 | Whois | http://www.akakaslogistics.com/manolo.txt? | View on PHP Decoder | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 02/Oct/2012:22:20:27 -0700 |
Web Shells and RFIs Collection
![Web Shells and RFIs Collection]()
Reviewed by Kembolle Amilkar
on
segunda-feira, dezembro 31, 2012
Rating:
Nenhum comentário