Full Disclosure mailing list archives
Re: Warning - t00ls.org hidden callback in shells
From: Seanybob <seanybob () gmail com>
Date: Tue, 26 Apr 2011 11:01:52 -0700
Just an update to the previous post on this topic. The attacker has been moving around his datafile containing the list of urls with shell scripts installed. His old one: http://xmors.byethost7.com/mynameisahmed..html has been shutdown. Did some investigating, and found some other places this guy has hidden his data he collected. This link is one he used before the first one I posted. It was working until a few days ago, when it looks like he shut it down. You may be able to find a cache somewhere. http://xmors.byethost7.com/mynameisahmed.a7a.html Here's his new live one. As you can see, the list is... quite long. http://97.79.238.155/~data/mero..html Obviously I can't tell you what to do with this info. I share this with the hopes that some kind soul(s) will take the time to notify the affected websites, or alternatively go through and delete the shell scripts. I've deleted a lot of them myself, but quite simply don't have the time to sit there and delete thousands of these shells one by one. (I considered writing a script, but lost interest rather fast). _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Warning - t00ls.org hidden callback in shells Seanybob (Apr 06)
- Re: Warning - t00ls.org hidden callback in shells Seanybob (Apr 26)