Web Shells and RFIs Collection

I wrote a little script to periodically look through my web logs for unique RFIs and Web Shells, and then collect them on one page where I can go look at them or download them to add to my Web Shell library. Many of these attacks are repeated multiple times, so I ignore the time fields in judging if an RFI/Web Shell is unique. I've coded it to weed out links to Web Shells that 404. I also use nofollow and a referrer hiding service so it does not look like I'm attacking anyone with the web shells (but the check for 404 sort of looks suspicious). This page will also let you link off to defense.ballastsecurity.net where you can use their PHP decoder to look at the obfuscated code. Enjoy my Web Shell zoo, it should update itself every hour or so. If you see your domain on the list of websites hosting Web Shells you are likely pwned and should clean up your server.
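The log-sifting step described above, as an added Python example; it is not the script that generates this page. It assumes Apache/nginx "combined" log format, and the function names, the `is_live` hook and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<target>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
REMOTE_RE = re.compile(r'(?:https?|ftp)://', re.I)

def rfi_candidates(line):
    """Yield (ip, url, agent, referer, time) per query value that is a remote URL."""
    m = LOG_RE.match(line)
    if not m:
        return
    # parse_qsl percent-decodes, so encoded and plain inclusions compare equal.
    for _name, value in parse_qsl(urlsplit(m['target']).query):
        if REMOTE_RE.match(value):
            yield m['ip'], value, m['agent'], m['referer'], m['time']

def unique_rfis(lines):
    """Deduplicate on every field except time; keep the first-seen time."""
    seen = {}
    for line in lines:
        for ip, url, agent, referer, when in rfi_candidates(line):
            seen.setdefault((ip, url, agent, referer), when)
    return [key + (when,) for key, when in seen.items()]

def split_live(rows, is_live):
    """Partition rows with a caller-supplied liveness check (hypothetical hook)."""
    live, dead = [], []
    for row in rows:
        (live if is_live(row[1]) else dead).append(row)
    return live, dead

# Constructed sample log lines (documentation IPs, .test domains).
SAMPLE = [
    '203.0.113.7 - - [25/May/2016:05:28:26 -0700] "GET /index.php?page=http://shells.example.test/a.txt? HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.7 - - [25/May/2016:06:01:02 -0700] "GET /index.php?page=http://shells.example.test/a.txt? HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.9 - - [25/May/2016:07:00:00 -0700] "GET /view.php?f=http%3A%2F%2Fshells.example.test%2Fb.txt HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/May/2016:07:00:05 -0700] "GET /about.html?ref=newsletter HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for row in unique_rfis(SAMPLE):
        print(row)
```

The `is_live` argument stands in for the 404 check the paragraph mentions, so the "likely live" and "likely dead" lists can be produced without the example making any network requests itself.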

Source code that generates this page

Filtered For More Likely Live Webshell RFIs

| Attacker | Whois IP | Request (Truncated if over 60 chr for display, link should still work) | View on PHP Decoder | Agent | Referer | Time | Backup |
|---|---|---|---|---|---|---|---|
| 200.98.201.251 | Whois | http://advancedcorretora.com.br/corretora/testevull.txt? | View on PHP Decoder | - | - | 25/May/2016:05:28:26 -0700 | Archived Webshell |

Likely Dead Links

| Attacker | Whois IP | Request (Truncated if over 60 chr for display, link should still work) | View on PHP Decoder | Agent | Referer | Time | Backup |
|---|---|---|---|---|---|---|---|
| 186.227.186.70 | Whois | http://www.mrcerimonialeventos.com.br/plugins/system/RfiEmai | View on PHP Decoder | - | - | 24/May/2016:23:57:09 -0700 | Archived Webshell |

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast