# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://github.com/emposha/PHP-Shell-Detector

/120667kk.php
/1405674947.1405674947
/1n73ction.php
/420532shell.php
/629788tryag.php
/951078bij.php
/fatalisticz.php
/o0o.php
/azrail.php
/accept_language.php
/ahlisyurga_shell.php
/ajan.asp
/ajax_command_shell.php
/akatsuki.php
/al-marhum.php
/albanianshell.php
/andr3a.php
/antichat_shell.php
/antisecshell.php
/arab_black_hat.pl
/asmodeus.pl
/aspx-shell.aspx
/aspydrv.vb
/ayyildiz_tim.php
/b374k.php
/b64shell.php
/backdoor.php
/backdoorconnect.pl
/batavi4.php
/blindshell.c
/blood3rpriv8.php
/bogel_shell.php
/brute_force_tool.php
/buckethead.php
/c100.php
/c2007.php
/c99.php
/casus15.php
/cbot.php
/cfexec.cfm
/cgi-python.py
/cgi-shell.pl
/cgitelnet.pl
/cih.php
/clearshell.php
/cmd.asp
/cmd.aspx
/cmd.jsp
/cmd.php
/cmd.pl
/cmos_clr.php
/cocacola_shell.php
/coderz.php
/configspy.php
/connectback2.pl
/constance.php
/cpanel.php
/cristercorp_infocollector.php
/crystal.php
/cshell.php
/ctt_shell.php
/cybershell.php
/cyberspy5.asp
/darkshell.php
/dc3shell.php
/devil.php
/devilz0de.php
/devilzshell.php
/diveshell.php
/dtool.php
/dxshell.php
/efso2.asp
/egyspider.php
/ekin0x.php
/elmaliseker.asp
/elmaliseker.vbs
/empixcrew.pl
/empo.php
/entrika.php
/erne.php
/explore.asp
/extplorer.php
/fatalshell.php
/fenix.php
/filesman.php
/foreverpp.php
/fuckphpshell.php
/fx0.php
/g00nshell.php
/gammashell.pl
/gaulircbot.php
/getlinks.php
/gfs.php
/gnyshell.php
/gohack_powerserver.php
/goon.php
/gscshell.php
/h4ntu.php
/hacker.php
/hackerps.php
/harauku.php
/hiddenshell.php
/hostdevil.php
/hostdevil.pl
/hshell.php
/htaccess_shell.htaccess
/i47.php
/imhapftp.php
/includeshell.php
/indexer.asp
/indishell.php
/insomnia.aspx
/ipays777.php
/irc_bot.pl
/ironshell.php
/isko.php
/itsecteam_shell.php
/jackal.php
/javashell.py
/joomla_spam.php
/jspreverse.jsp
/jspwebshell.java
/kadotshell.php
/kaushell.php
/king511.pl
/klasvayv.asp
/kral.php
/lamashell.php
/lizozim.php
/loadshell.php
/locusshell.php
/lolipop.php
/lostdc.php
/lurm.cgi
/m1n1shell.php
/madspot.php
/mahkeme.php
/metasploit.php
/mildnet.php
/mm.php
/mohajer22.pl
/moroccan_spam.php
/mrtiger.php
/mulcishell.php
/myshell.php
/mysql.php
/mysql_adminer.php
/n3fa5t1ca.php
/nccshell.php
/networkfilemanager.php
/nexpl0rer.php
/nixshell.php
/nogrodpbot.php
/noname.php
/nshell.php
/nstview.php
/ntdaddy.asp
/obet.php
/onboomshell.php
/orbshell.php
/pas.php
/pbot.php
/perlbot.pl
/perlwebshell.pl
/phantasma.php
/php_mailer.php
/phpbackdoor.php
/phpemailer.php
/phpfilemanager.php
/phpmyadmin_exploit.php
/phpshell.php
/phpspy.php
/phvayv.php
/phytonshell.py
/postman.php
/powerdreamshell.asp
/priv8_scr.pl
/pwnshell.jsp
/pzadv.php
/qreyfurt.aspx
/r3laps3.php
/r57.php
/rader.asp
/remoteshell.php
/remoteview.php
/removexplorer.vb
/reverse_shell.php
/rhtool.asp
/rootshell.php
/s72shell.php
/safemode.php
/savefile.php
/scanner_jatimcrew.pl
/sec4ever.php
/sempak.php
/server_config.php
/shell_commander.php
/shell_exploit.php
/shell_uploader.php
/shellarchive.php
/shellatildi.php
/shellbot.pl
/simattacker.php
/simple_shell.php
/simshell.php
/sincap.php
/smartshell.asp
/smtpd.py
/snipershell.php
/spam.php
/spam_trustapp.php
/spyshell.php
/sroshell.php
/stakershell.php
/stressbypass.php
/stunshell.php
/symlink.php
/tbdsecurity.php
/tdshell.php
/teamps.php
/teamsql.php
/telnet.pl
/telnetd.pl
/troyan.php
/tryag.php
/udpflooder.php
/unitxshell.pl
/us3rspl.pl
/v0ld3m0r.php
/v0ld3m0rt.php
/variables.asp
/w3dshell.php
/wacking.php
/webadmin.php
/webmysql.php
/webroot.php
/webshell.php
/winx.php
/wordpress_exploit.php
/worse.php
/wso.php
/xinfo.php
/zaco.php
/zehir4.asp
/zehir4.php

# Reference: https://github.com/ismailtasdelen/shell-backdoor-list/tree/master/shell/asp

/aspcmd.asp
/kacak.asp
/newaspcmd.asp
/pouya.asp

# Reference: https://twitter.com/killamjr/status/1191923979549921280

/cxxz.php

# Reference: https://twitter.com/ANeilan/status/1232283590114840576
# Reference: https://pastebin.com/8LL4Hg9e
# Reference: https://pastebin.com/trRiwBKQ

/sh.php

# Reference: https://twitter.com/malwrhunterteam/status/1241318536280227844
# Reference: https://www.virustotal.com/gui/file/92b967726cfbdb5f2714025951403c51eadb8951fc13f868f9be4098884ee70b/behavior/C2AE

/shellcode.php
/shellcode.txt
/shellcode11.txt
/shellcode22.txt

# Reference: https://securelist.com/energetic-bear-crouching-yeti/85345/

/code29.php
/proxy87.php

# Reference: https://paste.ee/r/v9aRR/0

/shell.php

# Reference: https://twitter.com/jstrosch/status/1255898007377231873

/cxz.php

# Reference: https://twitter.com/Marco_Ramilli/status/1315327238255116288

/shell202007281.php

# Reference: https://twitter.com/ecarlesi/status/1344217410052579328

/ARS.shell.php
/C99.shell.php
/R57.shell.php
/WSO2.shell.php

# Misc.

rst.void.ru
r57.gen.tr
r57.biz
xshellz.com
c99shellphp.com
r57c99.com
c99php.com
localroot.net
shells.altervista.org
podathon.org/shell/

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/

/webshell/shell.php

# Reference: https://twitter.com/jstrosch/status/1338891751285788672

/aboz.php
/ass.php

# Reference: https://twitter.com/jstrosch/status/1359745151263010816

/cnx.php
/assets/plugins/bootstrap/js/by.txt

# Reference: https://www.virustotal.com/gui/file/acaf8bc99d2af3aa01f9a37a0662e98b05d182787a00978243628c24938fb2ec/detection

/BkLd6Pa7.php

# Reference: https://www.virustotal.com/gui/file/6dfa980937f5776358b5485e8a4e92d333779020974312851826420d2feffa45/detection

/HkPwijGf.php

# Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

/errorEE.aspx
/errorEEE.aspx
/errorEW.aspx
/errorFF.aspx
/aspnet_www.aspx
/aspnet_client.aspx
/xx.aspx
/shell.aspx
/aspnet_iisstart.aspx

# Reference: https://www.praetorian.com/blog/reproducing-proxylogon-exploit/

/ysfwduaohcma.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072a

/zXkZu6bn.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072c

/F48zhi6U.aspx
/Fc1b3WDP.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072d

/2XJHwN19.aspx
/UwSPMsFi.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072e

/E3MsTjP8.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072f

/supp0rt.aspx
/uHSPTWMG.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072g

/0q1iS7mn.aspx
/8aUco9ZK.aspx
/McYhCzdb.aspx
/ogu7zFil.aspx

# Reference: https://twitter.com/Bank_Security/status/1371712892907753473
# Reference: https://pastebin.com/aBxJEt2W

/Webshell.aspx

# Reference: https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855-scan-analysis-3/

/aspnet_client/0q1iS7mn.aspx
/aspnet_client/0QWYSEXe.aspx
/aspnet_client/1d.aspx
/aspnet_client/2XJHwN19.aspx
/aspnet_client/7KmCS.aspx
/aspnet_client/8aUco9ZK.aspx
/aspnet_client/8lw7tahf9i1pjnro.aspx
/aspnet_client/aa.aspx
/aspnet_client/a.aspx
/aspnet_client/ahihi.aspx
/aspnet_client/aspnet.aspx
/aspnet_client/aspnet_client.aspx
/aspnet_client/aspnet_iisstart.aspx
/aspnet_client/aspnet_iistart.aspx
/aspnet_client/aspnet_pages.aspx
/aspnet_client/aspnettest.aspx
/aspnet_client/aspnet_www.aspx
/aspnet_client/aspx_client.aspx
/aspnet_client/authhead.aspx
/aspnet_client/bob.aspx
/aspnet_client/cafZCu.aspx
/aspnet_client/checkerror635284.aspx
/aspnet_client/client.aspx
/aspnet_client/config.aspx
/aspnet_client/configs.aspx
/aspnet_client/current/one1.aspx
/aspnet_client/default1.aspx
/aspnet_client/default.aspx
/aspnet_client/Default.aspx
/aspnet_client/discover.aspx
/aspnet_client/Discover.aspx
/aspnet_client/document.aspx
/aspnet_client/E3MsTjP8.aspx
/aspnet_client/eror.aspx
/aspnet_client/error404.aspx
/aspnet_client/error.aspx
/aspnet_client/errorcheck.aspx
/aspnet_client/erroree.aspx
/aspnet_client/errorEE.aspx
/aspnet_client/erroreee.aspx
/aspnet_client/errorEEE.aspx
/aspnet_client/errorew.aspx
/aspnet_client/errorEW.aspx
/aspnet_client/errorff.aspx
/aspnet_client/errorFF.aspx
/aspnet_client/error_page.aspx
/aspnet_client/errorpage.aspx
/aspnet_client/errorpages.aspx
/aspnet_client/est11.aspx
/aspnet_client/F48zhi6U.aspx
/aspnet_client/fatal-erro.aspx
/aspnet_client/Fc1b3WDP.aspx
/aspnet_client/healthcheck.aspx
/aspnet_client/help..aspx
/aspnet_client/help.aspx
/aspnet_client/httpproxy.aspx
/aspnet_client/HttpProxy.aspx
/aspnet_client/iispage.aspx
/aspnet_client/iisstart.aspx
/aspnet_client/load.aspx
/aspnet_client/log3.aspx
/aspnet_client/logaaa.aspx
/aspnet_client/log.aspx
/aspnet_client/logg.aspx
/aspnet_client/login.aspx
/aspnet_client/logout.aspx
/aspnet_client/Logout.aspx
/aspnet_client/MAlREnavuY.aspx
/aspnet_client/McYhCzdb.aspx
/aspnet_client/Metabase.aspx
/aspnet_client/multiup.aspx
/aspnet_client/MultiUp.aspx
/aspnet_client/obq.aspx
/aspnet_client/ogu7zFil.aspx
/aspnet_client/one1.aspx
/aspnet_client/one.aspx
/aspnet_client/online.aspx
/aspnet_client/Online.aspx
/aspnet_client/outlooken.aspx
/aspnet_client/OutlookEN.aspx
/aspnet_client/outlookfront.aspx
/aspnet_client/outlookjp.aspx
/aspnet_client/OutlookJP.aspx
/aspnet_client/outlookru.aspx
/aspnet_client/OutlookRU.aspx
/aspnet_client/outlookzh.aspx
/aspnet_client/qfmrucnzl.aspx
/aspnet_client/rabiitch.aspx
/aspnet_client/redirsuiteserverproxy.aspx
/aspnet_client/RedirSuiteServerProxy.aspx
/aspnet_client/s.aspx
/aspnet_client/server.aspx
/aspnet_client/Server.aspx
/aspnet_client/Service.aspx
/aspnet_client/session.aspx
/aspnet_client/shel2.aspx
/aspnet_client/shel90.aspx
/aspnet_client/shel.aspx
/aspnet_client/shell.aspx
/aspnet_client/shellex.aspx
/aspnet_client/show.aspx
/aspnet_client/signon.aspx
/aspnet_client/soHKY.aspx
/aspnet_client/sol.aspx
/aspnet_client/supp0rt.aspx
/aspnet_client/support.aspx
/aspnet_client/system.aspx
/aspnet_client/system_web/1A2ZeQOu.aspx
/aspnet_client/system_web/2TFGNswO.aspx
/aspnet_client/system_web/3NHhPxJ5.aspx
/aspnet_client/system_web/3ue5myCq.aspx
/aspnet_client/system_web/4_0_30319/self.aspx
/aspnet_client/system_web/9VkFwtxt.aspx
/aspnet_client/system_web/cMvBgHLZ.aspx
/aspnet_client/system_web/Cs64LbPk.aspx
/aspnet_client/system_web/E12B65rm.aspx
/aspnet_client/system_web/error.aspx
/aspnet_client/system_web/GnCwADKH.aspx
/aspnet_client/system_web/ioWYM7C4.aspx
/aspnet_client/system_web/log.aspx
/aspnet_client/system_web/logfe.aspx
/aspnet_client/system_web/logon.aspx
/aspnet_client/system_web/logx2.aspx
/aspnet_client/system_web/ogzsis0L.aspx
/aspnet_client/system_web/QBFjM1SC.aspx
/aspnet_client/system_web/sJ0f8qHt.aspx
/aspnet_client/system_web/sol.aspx
/aspnet_client/system_web/test.aspx
/aspnet_client/system_web/vY4qLEpG.aspx
/aspnet_client/system_web/WFk2or3Y.aspx
/aspnet_client/t.aspx
/aspnet_client/temp.aspx
/aspnet_client/test007.aspx
/aspnet_client/uHSPTWMG.aspx
/aspnet_client/upnews.aspx
/aspnet_client/UwSPMsFi.aspx
/aspnet_client/uyqITYBPew.aspx
/aspnet_client/voqbETdoni.aspx
/aspnet_client/web.aspx
/aspnet_client/web.config.aspx
/aspnet_client/WlUtyY.aspx
/aspnet_client/xclkmcfldfi948398430fdjkfdkj.aspx
/aspnet_client/xx.aspx
/aspnet_client/y3iGH.aspx
/aspnet_client/zEeomtdYcX.aspx
/aspnet_client/zXkZu6bn.aspx
/owa/auth/061a06908b.aspx
/owa/auth/15.0.1347/themes/resources/exchange_create_css.aspx
/owa/auth/15.0.1497/themes/resources/error.aspx
/owa/auth/15.0.847/themes/resources/hmask.aspx
/owa/auth/15.1.1913/themes/resources/bg_gradient_login.aspx
/owa/auth/15.1.1913/themes/resources/View_Photos.aspx
/owa/auth/15.1.2044/themes/resources/office365_ph.aspx
/owa/auth/15.1.225/scripts/premium/errorPE.aspx
/owa/auth/1d61acae91.aspx
/owa/auth/27fib.aspx
/owa/auth/6GIXZG.aspx
/owa/auth/8lw7tahf9i1pjnro.aspx
/owa/auth/8Lw7tAhF9i1pJnRo.aspx
/owa/auth/aaa.aspx
/owa/auth/aa.aspx
/owa/auth/a.aspx
/owa/auth/ahihi.aspx
/owa/auth/asas.aspx
/owa/auth/aspnet.aspx
/owa/auth/aspnet_client.aspx
/owa/auth/aspnet_iisstart.aspx
/owa/auth/aspnet_pages.aspx
/owa/auth/aspnettest.aspx
/owa/auth/aspnet_www.aspx
/owa/auth/aspx_client.aspx
/owa/auth/atlthunk.aspx
/owa/auth/authhead.aspx
/owa/auth/b.aspx
/owa/auth/bob.aspx
/owa/auth/checkerror635284.aspx
/owa/auth/CommonError.aspx
/owa/auth/Current/AMNBJLXqoHTV.aspx
/owa/auth/Current/app222.aspx
/owa/auth/Current/Exchanges.aspx
/owa/auth/Current/layout.aspx
/owa/auth/current/one1.aspx
/owa/auth/Current/scripts/premium/fexppw.aspx
/owa/auth/Current/themes/config1.aspx
/owa/auth/Current/themes/errorFS.aspx
/owa/auth/Current/themes/resources/daxlz.aspx
/owa/auth/current/themes/resources/error.aspx
/owa/auth/Current/themes/resources/errorFE.aspx
/owa/auth/Current/themes/resources/Ignrop.aspx
/owa/auth/Current/themes/resources/lgnleft.aspx
/owa/auth/Current/themes/resources/logon.aspx
/owa/auth/Current/themes/resources/OutlookQN.aspx
/owa/auth/Current/themes/resources/owafont_vn.aspx
/owa/auth/Current/themes/resources/owafont_vo.aspx
/owa/auth/Current/themes/resources/system_io.aspx
/owa/auth/Current/themes/resources/View_tools.aspx
/owa/auth/Current/zJBxcBoI.aspx
/owa/auth/dbuj9.aspx
/owa/auth/default1.aspx
/owa/auth/default.aspx
/owa/auth/DesktopShellExt.aspx
/owa/auth/discover.aspx
/owa/auth/Discover.aspx
/owa/auth/document.aspx
/owa/auth/Err0r.aspx
/owa/auth/error404.aspx
/owa/auth/ErrorAA.aspx
/owa/auth/error.aspx
/owa/auth/errorcheck.aspx
/owa/auth/ErrorDef.aspx
/owa/auth/erroree.aspx
/owa/auth/errorEE.aspx
/owa/auth/erroreee.aspx
/owa/auth/errorEEE.aspx
/owa/auth/errorew.aspx
/owa/auth/errorEW.aspx
/owa/auth/erroreww.aspx
/owa/auth/errorFE.aspx
/owa/auth/errorff.aspx
/owa/auth/errorFF.aspx
/owa/auth/errorfff.aspx
/owa/auth/error_page.aspx
/owa/auth/errorpage.aspx
/owa/auth/errorPage.aspx
/owa/auth/errorpages.aspx
/owa/auth/errorPages.aspx
/owa/auth/evilcorp.aspx
/owa/auth/expiredpassword.aspx
/owa/auth/fatal-erro.aspx
/owa/auth/fhsvc.aspx
/owa/auth/FR5Ha0D1dwfsqIUMhLCQ.aspx
/owa/auth/frow.aspx
/owa/auth/getpp.aspx
/owa/auth/HcDKNzBoha.aspx
/owa/auth/healthcheck.aspx
/owa/auth/help.aspx
/owa/auth/hmknq.aspx
/owa/auth/httpproxy.aspx
/owa/auth/HttpProxy.aspx
/owa/auth/hUjwpeROcY7Fo4g8ETH3.aspx
/owa/auth/HUUPItrNpXvI.aspx
/owa/auth/iasads.aspx
/owa/auth/iispage.aspx
/owa/auth/jhJ2zT9ouOfP6VnBcHg3.aspx
/owa/auth/jOBJIfr92ERLmg1HcnF3.aspx
/owa/auth/KBDBENE.aspx
/owa/auth/KrhHyDPwb70ct362JmLn.aspx
/owa/auth/L2oXwTljs3GnMyHQV0KR.aspx
/owa/auth/letmeinplzs.aspx
/owa/auth/load.aspx
/owa/auth/lo.aspx
/owa/auth/log.aspx
/owa/auth/logerr.aspx
/owa/auth/logg.aspx
/owa/auth/login.aspx
/owa/auth/logoff.aspx
/owa/auth/logout.aspx
/owa/auth/Logout.aspx
/owa/auth/m0xbqRg1ranzvGD3jiXT.aspx
/owa/auth/multiup.aspx
/owa/auth/MultiUp.aspx
/owa/auth/ntprint.aspx
/owa/auth/one1.aspx
/owa/auth/one.aspx
/owa/auth/online.aspx
/owa/auth/Online.aspx
/owa/auth/OutlookAR.aspx
/owa/auth/OutlookAS.aspx
/owa/auth/OutlookCN.aspx
/owa/auth/OutlookDA.aspx
/owa/auth/OutlookDE.aspx
/owa/auth/OutlookDN.aspx
/owa/auth/outlooken.aspx
/owa/auth/OutlookEN.aspx
/owa/auth/OutlookEN.US.aspx
/owa/auth/OutlookES.aspx
/owa/auth/OutlookFR.aspx
/owa/auth/outlookfront.aspx
/owa/auth/OutlookIO.aspx
/owa/auth/OutlookIT.aspx
/owa/auth/outlookjp.aspx
/owa/auth/OutlookJP.aspx
/owa/auth/OutlookPL.aspx
/owa/auth/outlookru.aspx
/owa/auth/OutlookRU.aspx
/owa/auth/OutlookSE.aspx
/owa/auth/OutlookUN.aspx
/owa/auth/OutlookUS.aspx
/owa/auth/outlookzh.aspx
/owa/auth/OutlookZH.aspx
/owa/auth/ovfwHWjwWm.aspx
/owa/auth/owaauth.aspx
/owa/auth/plorion.aspx
/owa/auth/ProximityService.aspx
/owa/auth/proxylogon.aspx
/owa/auth/pzbwl.aspx
/owa/auth/qnx.aspx
/owa/auth/redirsuiteserverproxy.aspx
/owa/auth/RedirSuiteServerProxy.aspx
/owa/auth/rlvgk.aspx
/owa/auth/rwinsta.aspx
/owa/auth/s.aspx
/owa/auth/secauth1.aspx
/owa/auth/secauth.aspx
/owa/auth/seclogon.aspx
/owa/auth/server.aspx
/owa/auth/session.aspx
/owa/auth/shel2.aspx
/owa/auth/shel90.aspx
/owa/auth/shel.aspx
/owa/auth/shell.aspx
/owa/auth/shellex.aspx
/owa/auth/shelltest.aspx
/owa/auth/signon.aspx
/owa/auth/signout.aspx
/owa/auth/sol.aspx
/owa/auth/supp0rt.aspx
/owa/auth/system_web/log.aspx
/owa/auth/t.aspx
/owa/auth/test13037.aspx
/owa/auth/test1337.aspx
/owa/auth/test.aspx
/owa/auth/theme-gsx8ujzpicf0.aspx
/owa/auth/theme-vten8snn874b.aspx
/owa/auth/TimeoutLogout.aspx
/owa/auth/tNLPge.aspx
/owa/auth/tpmvscmgrsvr.aspx
/owa/auth/tst1.aspx
/owa/auth/VqEUaLjKpcWoNC7yPMlz.aspx
/owa/auth/wanlin.aspx
/owa/auth/web.aspx
/owa/auth/web.config.aspx
/owa/auth/WMSPDMOD.aspx
/owa/auth/XblGameSave.aspx
/owa/auth/XboxNetApiSvc.aspx
/owa/auth/xclkmcfldfi948398430fdjkfdkj.aspx
/owa/auth/xx.aspx
/owa/auth/ZI3uMczmPa5bwTYVpKsE.aspx
/owa/auth/zntwv.aspx

# Reference: https://twitter.com/xuy1202/status/1374694429911523333

/c99.txt

# Reference: https://krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/
# Reference: https://otx.alienvault.com/pulse/6061ebaf97943b790e97e899
# Reference: https://www.virustotal.com/gui/file/5f7d898ade3162bfb0c8d3006c42e934ff81fab3b4ad3b51c13441fd63e438cb/detection

/owa/auth/babydraco.aspx

# Reference: https://twitter.com/sans_isc/status/1467835679187083267

/AK-74.php
/Ayyildiz_Tim.php
/CasuS-1.5.php
/Dive_Shell.php
/JspWebshell_1.2.php
/Loaderz_WEB_Shell.php
/SnIpEr_SA%20Shell.php
/c99_PSych0.php
/dC3_Security.php
/jspshell.jsp
/mma.php
/punk-nopass.php
/safe0ver.php
/spyshell.php

# Reference: https://www.mandiant.com/resources/fin13-cybercriminal-mexico

/shell/exec?cmd=
/shell2/exec?cmd=
/shell/cmd.jsp
/shell2/cmd.jsp

# Reference: https://twitter.com/bad_packets/status/1471375127824588802

/revshell.asp
/revshell.aspx
/revshell.jsp
/revshell.php
/revshell.py
/revshell.pyc

# Reference: https://twitter.com/bad_packets/status/1470914982405545986

/ReverseShell/
/Basic/ReverseShell/

# Reference: https://twitter.com/s1ckb017/status/1488467066583760896
# Reference: https://www.virustotal.com/gui/file/6421f9ad22df037dbf080bb77214ee09bdd59d1a901c7522f4971b9c5c3fa06c/detection

/adssp/adsf/index.jsp
/webapps/adssp/adsf/index.jsp

# Reference: https://decoded.avast.io/janneduchal/analysis-of-attack-against-national-games-of-china-systems/

/runscript.lua
/remote/miss.php
/remote/miss1.php

# Reference: https://twitter.com/r3dbU7z/status/1493675446210281479

/shell.jsp

# Reference: https://twitter.com/unmaskparasites/status/1499593717845348354
# Reference: https://www.virustotal.com/gui/file/b70e6b9745f425902f337d424a8a18f4f050085e12cf282d5089699f6c67b11d/detection

/_@files/php/FoxWSO-full.txt
/files/olux-shell.txt
/files/xleet-shell.txt
/php/FoxEx-shell.txt
/FoxEx-shell.txt
/FoxWSO-full.txt
/olux-shell.txt
/xleet-shell.txt
/akhmhcij/

# Reference: https://twitter.com/1ZRR4H/status/1510311007113158668
# Reference: https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/

/member3war.jsp
/myshell.jsp
/tomcatspring.jsp
/tomcatwar.jsp
/wpz.jsp

# Reference: https://twitter.com/bad_packets/status/1511796663140052994

/1877team.jsp

# Reference: https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/

/07935fdf05b66.jsp
/0xd0m7.jsp
/UJaez.jsp
/Y4kws.jsp
/aniwvzgvwqnwtehgsfsgbslwoiqkjk.jsp
/cbsewlaeqsdsqktavziakyzsuwfciu.jsp
/checkexploit.jsp
/curiositysec.jsp
/czbwzitpzjzkcvkrirybzihsibmuej.jsp
/czpdnhpraxgzrtatiuigsalfedwwit.jsp
/dnuurzjtlbjrnuukwdmaltqrqqlaig.jsp
/duvdqpoyrcapqbfcetgwsqxfkslubw.jsp
/gdGCT.jsp
/ggoibjvztvlpelaghjzeweqmopjosz.jsp
/goocmasqxwfufyxrgyachwidxdotkh.jsp
/hackerone0x.jsp
/hlbpgpqsyracfnvkgrgvlhcptpmdfn.jsp
/hmmyitbecwhmrdicykmfvqlcsknbff.jsp
/hnmqeuzumlokxuhqyekeetrgougeof.jsp
/ilvckpgzbrcdljyqdfhqendqcwhgxp.jsp
/inject.jsp
/izodfyvqujwztweclykgozahdlqvqp.jsp
/jarom_h1.jsp
/javatestfila.jsp
/jquery123123123cssbackup7331.jsp
/jynrrkjghebemkrhvfzllrepzosinb.jsp
/kqbnngrfnsxlreajyknuimoamysvwt.jsp
/lalalalal.jsp
/lelel.jsp
/ltcovlwqkckjpuzbqzbjdpkgkakvno.jsp
/mhoqqvpuxdqtuqzmwdrvdeayqvlygb.jsp
/mynameis0bsecure.jsp
/osanxuadyvjaiorcjfqnckfpewunnt.jsp
/poc4bugb.jsp
/ptipfhjosfvrfwndwqccapozcbasge.jsp
/pxwcqxzrstepmbwufjxuaydkwgmvds.jsp
/qnzfvqpeiljtoyvrywrkuvkrmuewzn.jsp
/rQFlA.jsp
/rakesh.jsp
/rmdwahilztwhhqnmcbodkgtbnmrhjx.jsp
/shei1.jsp
/shell13.jsp
/testqqsg.jsp
/tomcat74935.jsp
/tomcatlogin.jsp
/tomcatspring.jsp
/tomcatwa.jsp
/tomcatwar.jsp
/tomjj.jsp
/ubekdurthzexowlohzgienbwvexynd.jsp
/ufoubgkazumxhqvwlnyfejnmyqofcm.jsp
/ujpmauuhltvsokjracgwkbflkhhnwo.jsp
/vkmckfvljtpbyowxwhgbjsvyktfdiq.jsp
/xcoihpiouaamtnbqqvcvffyxyrokvn.jsp
/yjjhhdlxepozhirznemjabnsciycvv.jsp
/yutugdqbrossntwaujgxwgrpgczkbd.jsp
/zawpiupzzsjexllfbicrgvlcuxzqyb.jsp
/zqgwtzyrexctiyvsawmwttncwzoyyd.jsp
/zuvuegtemzfsyqjfykowggxpqkuqdp.jsp

# Reference: https://twitter.com/andrew_kutuzov/status/1506556755794350081

/07m6.php
/0pyi65ryuof
/delxxx.php
/ibsduhxmyh.php
/ibsduhxmyh(token).php
/ufiumnnpua.php
/ySLKRsrWcbV.php
/z6MadcuV3UL.php

# Reference: https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/

/shell.py

# Reference: https://twitter.com/1ZRR4H/status/1532802996362526720

/confluence/testAnt.jsp

# Reference: https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf

/dc9b66ce0.php
/tunnel123.php

# Reference: https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/

/wc2_deploy

# Reference: https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/

/aspnet_netclient/4_0_30319/devilzShell.aspx
/aspnet_netclient/4_0_30319/POWERshell.aspx
/devilzShell.aspx

# Reference: https://www.virustotal.com/gui/file/5d30ce01a19623aaaae84bf3a4cc3ec16811c98f2b6c3a70fcad6e473b0386e6/detection

/v3n0mbig.php

# Reference: https://twitter.com/r3dbU7z/status/1645318062806126593

/ani_shell.txt
/cyb3r-sh3ll.txt
/fx29_shell.txt
/phpjackal1.3.txt

# Reference: https://twitter.com/sicehice/status/1640160970994753537

/cmdsql.aspx
/Def0ult.aspx
/uploadcmd.aspx

# Reference: https://twitter.com/Yeti_Sec/status/1681294210492669953

/sharpjsshell.js

# Reference: https://twitter.com/r3dbU7z/status/1691158370231947266

/cihshell.php
/marijuana.php

# Reference: https://twitter.com/sicehice/status/1694546485864435835

/rootshell

# Reference: https://twitter.com/James_inthe_box/status/1711383373246251399

/xt/mmd/shell/

# Reference: https://twitter.com/r3dbU7z/status/1715570648737615991

/eightsix.shell
/eightsix.shell_enc

# Reference: https://twitter.com/Gi7w0rm/status/1716901758348521850

/b374kpriv.php
/Nginx1337.php
/b374kpriv.php.txt
/Nginx1337.php.txt

# Reference: https://twitter.com/sicehice/status/1747030318924677353

/FxCodeShell.jsp

# Reference: https://twitter.com/1ZRR4H/status/1751656174515098023
# Reference: https://twitter.com/r3dbU7z/status/1753692024216113625

/php-reverse-shell.php