Re: Warning - t00ls.org hidden callback in shells

[Seanybob <seanybob () gmail com>]

Just an update to the previous post on this topic. The attacker has
been moving around his datafile containing the list of urls with shell
scripts installed.

His old one:
http://xmors.byethost7.com/mynameisahmed..html
has been shutdown.

Did some investigating, and found some other places this guy has
hidden his data he collected.

This link is one he used before the first one I posted. It was working
until a few days ago, when it looks like he shut it down. You may be
able to find a cache somewhere.
http://xmors.byethost7.com/mynameisahmed.a7a.html

Here's his new live one. As you can see, the list is... quite long.
http://97.79.238.155/~data/mero..html

Obviously I can't tell you what to do with this info. I share this
with the hopes that some kind soul(s) will take the time to notify the
affected websites, or alternatively go through and delete the shell
scripts. I've deleted a lot of them myself, but quite simply don't
have the time to sit there and delete thousands of these shells one by
one. (I considered writing a script, but lost interest rather fast).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/