Just an update to the previous post on this topic. The attacker has been moving around his datafile containing the list of urls with shell scripts installed.
His old one: http://xmors.byethost7.com/mynameisahmed..html has been shutdown. Did some investigating, and found some other places this guy has hidden his data he collected. This link is one he used before the first one I posted. It was working until a few days ago, when it looks like he shut it down. You may be able to find a cache somewhere. http://xmors.byethost7.com/mynameisahmed.a7a.html Here's his new live one. As you can see, the list is... quite long. http://97.79.238.155/~data/mero..html Obviously I can't tell you what to do with this info. I share this with the hopes that some kind soul(s) will take the time to notify the affected websites, or alternatively go through and delete the shell scripts. I've deleted a lot of them myself, but quite simply don't have the time to sit there and delete thousands of these shells one by one. (I considered writing a script, but lost interest rather fast). _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
