Web Shells and RFIs Collection

I wrote a little script to periodically look through my web logs for unique RFIs and Web Shells, and then collect them on one page where I can go look at them or download them to add to my Web Shell library. Many of these attacks are repeated multiple times, so I ignore the time fields in judging whether an RFI/Web Shell is unique. I've coded it to weed out links to Web Shells that 404. I also use nofollow and a referrer hiding service so it does not look like I'm attacking anyone with the web shells (but the check for 404 sort of looks suspicious). This page will also let you link off to defense.ballastsecurity.net, where you can use their PHP decoder to look at the obfuscated code. Enjoy my Web Shell zoo; it should update itself every hour or so. If you see your domain on the list of websites hosting Web Shells, you are likely pwned and should clean up your server.

Source code that generates this page

Filtered For More Likely Live Webshell RFIs

Columns: Attacker | Whois IP | Request (truncated if over 60 characters for display; the link should still work) | View on PHP Decoder | Agent | Referer | Time | Backup

Likely Dead Links

Columns: Attacker | Whois IP | Request (truncated if over 60 characters for display; the link should still work) | View on PHP Decoder | Agent | Referer | Time | Backup


Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast