# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://github.com/emposha/PHP-Shell-Detector

/120667kk.php
/1405674947.1405674947
/1n73ction.php
/420532shell.php
/629788tryag.php
/951078bij.php
/fatalisticz.php
/o0o.php
/azrail.php
/accept_language.php
/ahlisyurga_shell.php
/ajan.asp
/ajax_command_shell.php
/akatsuki.php
/al-marhum.php
/albanianshell.php
/andr3a.php
/antichat_shell.php
/antisecshell.php
/arab_black_hat.pl
/asmodeus.pl
/aspx-shell.aspx
/aspydrv.vb
/ayyildiz_tim.php
/b374k.php
/b64shell.php
/backdoor.php
/backdoorconnect.pl
/batavi4.php
/blindshell.c
/blood3rpriv8.php
/bogel_shell.php
/brute_force_tool.php
/buckethead.php
/c100.php
/c2007.php
/c99.php
/casus15.php
/cbot.php
/cfexec.cfm
/cgi-python.py
/cgi-shell.pl
/cgitelnet.pl
/cih.php
/clearshell.php
/cmd.asp
/cmd.aspx
/cmd.jsp
/cmd.php
/cmd.pl
/cmos_clr.php
/cocacola_shell.php
/coderz.php
/configspy.php
/connectback2.pl
/constance.php
/cpanel.php
/cristercorp_infocollector.php
/crystal.php
/cshell.php
/ctt_shell.php
/cybershell.php
/cyberspy5.asp
/darkshell.php
/dc3shell.php
/devil.php
/devilz0de.php
/devilzshell.php
/diveshell.php
/dtool.php
/dxshell.php
/efso2.asp
/egyspider.php
/ekin0x.php
/elmaliseker.asp
/elmaliseker.vbs
/empixcrew.pl
/empo.php
/entrika.php
/erne.php
/explore.asp
/extplorer.php
/fatalshell.php
/fenix.php
/filesman.php
/foreverpp.php
/fuckphpshell.php
/fx0.php
/g00nshell.php
/gammashell.pl
/gaulircbot.php
/getlinks.php
/gfs.php
/gnyshell.php
/gohack_powerserver.php
/goon.php
/gscshell.php
/h4ntu.php
/hacker.php
/hackerps.php
/harauku.php
/hiddenshell.php
/hostdevil.php
/hostdevil.pl
/hshell.php
/htaccess_shell.htaccess
/i47.php
/imhapftp.php
/includeshell.php
/indexer.asp
/indishell.php
/insomnia.aspx
/ipays777.php
/irc_bot.pl
/ironshell.php
/isko.php
/itsecteam_shell.php
/jackal.php
/javashell.py
/joomla_spam.php
/jspreverse.jsp
/jspwebshell.java
/kadotshell.php
/kaushell.php
/king511.pl
/klasvayv.asp
/kral.php
/lamashell.php
/lizozim.php
/loadshell.php
/locusshell.php
/lolipop.php
/lostdc.php
/lurm.cgi
/m1n1shell.php
/madspot.php
/mahkeme.php
/metasploit.php
/mildnet.php
/mm.php
/mohajer22.pl
/moroccan_spam.php
/mrtiger.php
/mulcishell.php
/myshell.php
/mysql.php
/mysql_adminer.php
/n3fa5t1ca.php
/nccshell.php
/networkfilemanager.php
/nexpl0rer.php
/nixshell.php
/nogrodpbot.php
/noname.php
/nshell.php
/nstview.php
/ntdaddy.asp
/obet.php
/onboomshell.php
/orbshell.php
/pas.php
/pbot.php
/perlbot.pl
/perlwebshell.pl
/phantasma.php
/php_mailer.php
/phpbackdoor.php
/phpemailer.php
/phpfilemanager.php
/phpmyadmin_exploit.php
/phpshell.php
/phpspy.php
/phvayv.php
/phytonshell.py
/postman.php
/powerdreamshell.asp
/priv8_scr.pl
/pwnshell.jsp
/pzadv.php
/qreyfurt.aspx
/r3laps3.php
/r57.php
/rader.asp
/remoteshell.php
/remoteview.php
/removexplorer.vb
/reverse_shell.php
/rhtool.asp
/rootshell.php
/s72shell.php
/safemode.php
/savefile.php
/scanner_jatimcrew.pl
/sec4ever.php
/sempak.php
/server_config.php
/shell_commander.php
/shell_exploit.php
/shell_uploader.php
/shellarchive.php
/shellatildi.php
/shellbot.pl
/simattacker.php
/simple_shell.php
/simshell.php
/sincap.php
/smartshell.asp
/smtpd.py
/snipershell.php
/spam.php
/spam_trustapp.php
/spyshell.php
/sroshell.php
/stakershell.php
/stressbypass.php
/stunshell.php
/symlink.php
/tbdsecurity.php
/tdshell.php
/teamps.php
/teamsql.php
/telnet.pl
/telnetd.pl
/troyan.php
/tryag.php
/udpflooder.php
/unitxshell.pl
/us3rspl.pl
/v0ld3m0r.php
/v0ld3m0rt.php
/variables.asp
/w3dshell.php
/wacking.php
/webadmin.php
/webmysql.php
/webroot.php
/webshell.php
/winx.php
/wordpress_exploit.php
/worse.php
/wso.php
/xinfo.php
/zaco.php
/zehir4.asp
/zehir4.php

# Reference: https://github.com/ismailtasdelen/shell-backdoor-list/tree/master/shell/asp

/aspcmd.asp
/kacak.asp
/newaspcmd.asp
/pouya.asp

# Reference: https://twitter.com/killamjr/status/1191923979549921280

/cxxz.php

# Reference: https://twitter.com/ANeilan/status/1232283590114840576
# Reference: https://pastebin.com/8LL4Hg9e
# Reference: https://pastebin.com/trRiwBKQ

/sh.php

# Reference: https://twitter.com/malwrhunterteam/status/1241318536280227844

/shellcode.php
/shellcode.txt

# Reference: https://securelist.com/energetic-bear-crouching-yeti/85345/

/code29.php
/proxy87.php

# Reference: https://paste.ee/r/v9aRR/0

/shell.php

# Reference: https://twitter.com/jstrosch/status/1255898007377231873

/cxz.php

# Reference: https://twitter.com/Marco_Ramilli/status/1315327238255116288

/shell202007281.php

# Reference: https://twitter.com/ecarlesi/status/1344217410052579328

/ARS.shell.php
/C99.shell.php
/R57.shell.php
/WSO2.shell.php

# Misc.

rst.void.ru
r57.gen.tr
r57.biz
xshellz.com
c99shellphp.com
r57c99.com
c99php.com
localroot.net
shells.altervista.org
podathon.org/shell/

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/

/webshell/shell.php

# Reference: https://twitter.com/jstrosch/status/1338891751285788672

/aboz.php
/ass.php

# Reference: https://twitter.com/jstrosch/status/1359745151263010816

/cnx.php
/assets/plugins/bootstrap/js/by.txt

# Reference: https://www.virustotal.com/gui/file/acaf8bc99d2af3aa01f9a37a0662e98b05d182787a00978243628c24938fb2ec/detection

/BkLd6Pa7.php

# Reference: https://www.virustotal.com/gui/file/6dfa980937f5776358b5485e8a4e92d333779020974312851826420d2feffa45/detection

/HkPwijGf.php

# Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

/errorEE.aspx
/errorEEE.aspx
/errorEW.aspx
/errorFF.aspx
/aspnet_www.aspx
/aspnet_client.aspx
/xx.aspx
/shell.aspx
/aspnet_iisstart.aspx

# Reference: https://www.praetorian.com/blog/reproducing-proxylogon-exploit/

/ysfwduaohcma.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072a

/zXkZu6bn.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072c

/F48zhi6U.aspx
/Fc1b3WDP.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072d

/2XJHwN19.aspx
/UwSPMsFi.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072e

/E3MsTjP8.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072f

/supp0rt.aspx
/uHSPTWMG.aspx

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072g

/0q1iS7mn.aspx
/8aUco9ZK.aspx
/McYhCzdb.aspx
/ogu7zFil.aspx

# Reference: https://twitter.com/Bank_Security/status/1371712892907753473
# Reference: https://pastebin.com/aBxJEt2W

/Webshell.aspx

# Reference: https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855-scan-analysis-3/

/aspnet_client/0QWYSEXe.aspx
/aspnet_client/0q1iS7mn.aspx
/aspnet_client/1d.aspx
/aspnet_client/2XJHwN19.aspx
/aspnet_client/7KmCS.aspx
/aspnet_client/8aUco9ZK.aspx
/aspnet_client/8lw7tahf9i1pjnro.aspx
/aspnet_client/Default.aspx
/aspnet_client/Discover.aspx
/aspnet_client/E3MsTjP8.aspx
/aspnet_client/F48zhi6U.aspx
/aspnet_client/Fc1b3WDP.aspx
/aspnet_client/HttpProxy.aspx
/aspnet_client/Logout.aspx
/aspnet_client/MAlREnavuY.aspx
/aspnet_client/McYhCzdb.aspx
/aspnet_client/Metabase.aspx
/aspnet_client/MultiUp.aspx
/aspnet_client/Online.aspx
/aspnet_client/OutlookEN.aspx
/aspnet_client/OutlookJP.aspx
/aspnet_client/OutlookRU.aspx
/aspnet_client/RedirSuiteServerProxy.aspx
/aspnet_client/Server.aspx
/aspnet_client/Service.aspx
/aspnet_client/UwSPMsFi.aspx
/aspnet_client/WlUtyY.aspx
/aspnet_client/a.aspx
/aspnet_client/aa.aspx
/aspnet_client/ahihi.aspx
/aspnet_client/aspnet.aspx
/aspnet_client/aspnet_client.aspx
/aspnet_client/aspnet_iisstart.aspx
/aspnet_client/aspnet_iistart.aspx
/aspnet_client/aspnet_pages.aspx
/aspnet_client/aspnet_www.aspx
/aspnet_client/aspnettest.aspx
/aspnet_client/aspx_client.aspx
/aspnet_client/authhead.aspx
/aspnet_client/bob.aspx
/aspnet_client/cafZCu.aspx
/aspnet_client/checkerror635284.aspx
/aspnet_client/client.aspx
/aspnet_client/config.aspx
/aspnet_client/configs.aspx
/aspnet_client/current/one1.aspx
/aspnet_client/default.aspx
/aspnet_client/default1.aspx
/aspnet_client/discover.aspx
/aspnet_client/document.aspx
/aspnet_client/eror.aspx
/aspnet_client/error.aspx
/aspnet_client/error404.aspx
/aspnet_client/errorEE.aspx
/aspnet_client/errorEEE.aspx
/aspnet_client/errorEW.aspx
/aspnet_client/errorFF.aspx
/aspnet_client/error_page.aspx
/aspnet_client/errorcheck.aspx
/aspnet_client/erroree.aspx
/aspnet_client/erroreee.aspx
/aspnet_client/errorew.aspx
/aspnet_client/errorff.aspx
/aspnet_client/errorpage.aspx
/aspnet_client/errorpages.aspx
/aspnet_client/est11.aspx
/aspnet_client/fatal-erro.aspx
/aspnet_client/healthcheck.aspx
/aspnet_client/help..aspx
/aspnet_client/help.aspx
/aspnet_client/httpproxy.aspx
/aspnet_client/iispage.aspx
/aspnet_client/iisstart.aspx
/aspnet_client/load.aspx
/aspnet_client/log.aspx
/aspnet_client/log3.aspx
/aspnet_client/logaaa.aspx
/aspnet_client/logg.aspx
/aspnet_client/login.aspx
/aspnet_client/logout.aspx
/aspnet_client/multiup.aspx
/aspnet_client/obq.aspx
/aspnet_client/ogu7zFil.aspx
/aspnet_client/one.aspx
/aspnet_client/one1.aspx
/aspnet_client/online.aspx
/aspnet_client/outlooken.aspx
/aspnet_client/outlookfront.aspx
/aspnet_client/outlookjp.aspx
/aspnet_client/outlookru.aspx
/aspnet_client/outlookzh.aspx
/aspnet_client/qfmrucnzl.aspx
/aspnet_client/rabiitch.aspx
/aspnet_client/redirsuiteserverproxy.aspx
/aspnet_client/s.aspx
/aspnet_client/server.aspx
/aspnet_client/session.aspx
/aspnet_client/shel.aspx
/aspnet_client/shel2.aspx
/aspnet_client/shel90.aspx
/aspnet_client/shell.aspx
/aspnet_client/shellex.aspx
/aspnet_client/show.aspx
/aspnet_client/signon.aspx
/aspnet_client/soHKY.aspx
/aspnet_client/sol.aspx
/aspnet_client/supp0rt.aspx
/aspnet_client/support.aspx
/aspnet_client/system.aspx
/aspnet_client/system_web/1A2ZeQOu.aspx
/aspnet_client/system_web/2TFGNswO.aspx
/aspnet_client/system_web/3NHhPxJ5.aspx
/aspnet_client/system_web/3ue5myCq.aspx
/aspnet_client/system_web/4_0_30319/self.aspx
/aspnet_client/system_web/9VkFwtxt.aspx
/aspnet_client/system_web/Cs64LbPk.aspx
/aspnet_client/system_web/E12B65rm.aspx
/aspnet_client/system_web/GnCwADKH.aspx
/aspnet_client/system_web/QBFjM1SC.aspx
/aspnet_client/system_web/WFk2or3Y.aspx
/aspnet_client/system_web/cMvBgHLZ.aspx
/aspnet_client/system_web/error.aspx
/aspnet_client/system_web/ioWYM7C4.aspx
/aspnet_client/system_web/log.aspx
/aspnet_client/system_web/logfe.aspx
/aspnet_client/system_web/logon.aspx
/aspnet_client/system_web/logx2.aspx
/aspnet_client/system_web/ogzsis0L.aspx
/aspnet_client/system_web/sJ0f8qHt.aspx
/aspnet_client/system_web/sol.aspx
/aspnet_client/system_web/test.aspx
/aspnet_client/system_web/vY4qLEpG.aspx
/aspnet_client/t.aspx
/aspnet_client/temp.aspx
/aspnet_client/test007.aspx
/aspnet_client/uHSPTWMG.aspx
/aspnet_client/upnews.aspx
/aspnet_client/uyqITYBPew.aspx
/aspnet_client/voqbETdoni.aspx
/aspnet_client/web.aspx
/aspnet_client/web.config.aspx
/aspnet_client/xclkmcfldfi948398430fdjkfdkj.aspx
/aspnet_client/xx.aspx
/aspnet_client/y3iGH.aspx
/aspnet_client/zEeomtdYcX.aspx
/aspnet_client/zXkZu6bn.aspx
/owa/auth/061a06908b.aspx
/owa/auth/15.0.1347/themes/resources/exchange_create_css.aspx
/owa/auth/15.0.1497/themes/resources/error.aspx
/owa/auth/15.0.847/themes/resources/hmask.aspx
/owa/auth/15.1.1913/themes/resources/View_Photos.aspx
/owa/auth/15.1.1913/themes/resources/bg_gradient_login.aspx
/owa/auth/15.1.2044/themes/resources/office365_ph.aspx
/owa/auth/15.1.225/scripts/premium/errorPE.aspx
/owa/auth/1d61acae91.aspx
/owa/auth/27fib.aspx
/owa/auth/6GIXZG.aspx
/owa/auth/8Lw7tAhF9i1pJnRo.aspx
/owa/auth/8lw7tahf9i1pjnro.aspx
/owa/auth/CommonError.aspx
/owa/auth/Current/AMNBJLXqoHTV.aspx
/owa/auth/Current/Exchanges.aspx
/owa/auth/Current/app222.aspx
/owa/auth/Current/layout.aspx
/owa/auth/Current/scripts/premium/fexppw.aspx
/owa/auth/Current/themes/config1.aspx
/owa/auth/Current/themes/errorFS.aspx
/owa/auth/Current/themes/resources/Ignrop.aspx
/owa/auth/Current/themes/resources/OutlookQN.aspx
/owa/auth/Current/themes/resources/View_tools.aspx
/owa/auth/Current/themes/resources/daxlz.aspx
/owa/auth/Current/themes/resources/errorFE.aspx
/owa/auth/Current/themes/resources/lgnleft.aspx
/owa/auth/Current/themes/resources/logon.aspx
/owa/auth/Current/themes/resources/owafont_vn.aspx
/owa/auth/Current/themes/resources/owafont_vo.aspx
/owa/auth/Current/themes/resources/system_io.aspx
/owa/auth/Current/zJBxcBoI.aspx
/owa/auth/DesktopShellExt.aspx
/owa/auth/Discover.aspx
/owa/auth/Err0r.aspx
/owa/auth/ErrorAA.aspx
/owa/auth/ErrorDef.aspx
/owa/auth/FR5Ha0D1dwfsqIUMhLCQ.aspx
/owa/auth/HUUPItrNpXvI.aspx
/owa/auth/HcDKNzBoha.aspx
/owa/auth/HttpProxy.aspx
/owa/auth/KBDBENE.aspx
/owa/auth/KrhHyDPwb70ct362JmLn.aspx
/owa/auth/L2oXwTljs3GnMyHQV0KR.aspx
/owa/auth/Logout.aspx
/owa/auth/MultiUp.aspx
/owa/auth/Online.aspx
/owa/auth/OutlookAR.aspx
/owa/auth/OutlookAS.aspx
/owa/auth/OutlookCN.aspx
/owa/auth/OutlookDA.aspx
/owa/auth/OutlookDE.aspx
/owa/auth/OutlookDN.aspx
/owa/auth/OutlookEN.US.aspx
/owa/auth/OutlookEN.aspx
/owa/auth/OutlookES.aspx
/owa/auth/OutlookFR.aspx
/owa/auth/OutlookIO.aspx
/owa/auth/OutlookIT.aspx
/owa/auth/OutlookJP.aspx
/owa/auth/OutlookPL.aspx
/owa/auth/OutlookRU.aspx
/owa/auth/OutlookSE.aspx
/owa/auth/OutlookUN.aspx
/owa/auth/OutlookUS.aspx
/owa/auth/OutlookZH.aspx
/owa/auth/ProximityService.aspx
/owa/auth/RedirSuiteServerProxy.aspx
/owa/auth/TimeoutLogout.aspx
/owa/auth/VqEUaLjKpcWoNC7yPMlz.aspx
/owa/auth/WMSPDMOD.aspx
/owa/auth/XblGameSave.aspx
/owa/auth/XboxNetApiSvc.aspx
/owa/auth/ZI3uMczmPa5bwTYVpKsE.aspx
/owa/auth/a.aspx
/owa/auth/aa.aspx
/owa/auth/aaa.aspx
/owa/auth/ahihi.aspx
/owa/auth/asas.aspx
/owa/auth/aspnet.aspx
/owa/auth/aspnet_client.aspx
/owa/auth/aspnet_iisstart.aspx
/owa/auth/aspnet_pages.aspx
/owa/auth/aspnet_www.aspx
/owa/auth/aspnettest.aspx
/owa/auth/aspx_client.aspx
/owa/auth/atlthunk.aspx
/owa/auth/authhead.aspx
/owa/auth/b.aspx
/owa/auth/bob.aspx
/owa/auth/checkerror635284.aspx
/owa/auth/current/one1.aspx
/owa/auth/current/themes/resources/error.aspx
/owa/auth/dbuj9.aspx
/owa/auth/default.aspx
/owa/auth/default1.aspx
/owa/auth/discover.aspx
/owa/auth/document.aspx
/owa/auth/error.aspx
/owa/auth/error404.aspx
/owa/auth/errorEE.aspx
/owa/auth/errorEEE.aspx
/owa/auth/errorEW.aspx
/owa/auth/errorFE.aspx
/owa/auth/errorFF.aspx
/owa/auth/errorPage.aspx
/owa/auth/errorPages.aspx
/owa/auth/error_page.aspx
/owa/auth/errorcheck.aspx
/owa/auth/erroree.aspx
/owa/auth/erroreee.aspx
/owa/auth/errorew.aspx
/owa/auth/erroreww.aspx
/owa/auth/errorff.aspx
/owa/auth/errorfff.aspx
/owa/auth/errorpage.aspx
/owa/auth/errorpages.aspx
/owa/auth/evilcorp.aspx
/owa/auth/expiredpassword.aspx
/owa/auth/fatal-erro.aspx
/owa/auth/fhsvc.aspx
/owa/auth/frow.aspx
/owa/auth/getpp.aspx
/owa/auth/hUjwpeROcY7Fo4g8ETH3.aspx
/owa/auth/healthcheck.aspx
/owa/auth/help.aspx
/owa/auth/hmknq.aspx
/owa/auth/httpproxy.aspx
/owa/auth/iasads.aspx
/owa/auth/iispage.aspx
/owa/auth/jOBJIfr92ERLmg1HcnF3.aspx
/owa/auth/jhJ2zT9ouOfP6VnBcHg3.aspx
/owa/auth/letmeinplzs.aspx
/owa/auth/lo.aspx
/owa/auth/load.aspx
/owa/auth/log.aspx
/owa/auth/logerr.aspx
/owa/auth/logg.aspx
/owa/auth/login.aspx
/owa/auth/logoff.aspx
/owa/auth/logout.aspx
/owa/auth/m0xbqRg1ranzvGD3jiXT.aspx
/owa/auth/multiup.aspx
/owa/auth/ntprint.aspx
/owa/auth/one.aspx
/owa/auth/one1.aspx
/owa/auth/online.aspx
/owa/auth/outlooken.aspx
/owa/auth/outlookfront.aspx
/owa/auth/outlookjp.aspx
/owa/auth/outlookru.aspx
/owa/auth/outlookzh.aspx
/owa/auth/ovfwHWjwWm.aspx
/owa/auth/owaauth.aspx
/owa/auth/plorion.aspx
/owa/auth/proxylogon.aspx
/owa/auth/pzbwl.aspx
/owa/auth/qnx.aspx
/owa/auth/redirsuiteserverproxy.aspx
/owa/auth/rlvgk.aspx
/owa/auth/rwinsta.aspx
/owa/auth/s.aspx
/owa/auth/secauth.aspx
/owa/auth/secauth1.aspx
/owa/auth/seclogon.aspx
/owa/auth/server.aspx
/owa/auth/session.aspx
/owa/auth/shel.aspx
/owa/auth/shel2.aspx
/owa/auth/shel90.aspx
/owa/auth/shell.aspx
/owa/auth/shellex.aspx
/owa/auth/shelltest.aspx
/owa/auth/signon.aspx
/owa/auth/signout.aspx
/owa/auth/sol.aspx
/owa/auth/supp0rt.aspx
/owa/auth/system_web/log.aspx
/owa/auth/t.aspx
/owa/auth/tNLPge.aspx
/owa/auth/test.aspx
/owa/auth/test13037.aspx
/owa/auth/test1337.aspx
/owa/auth/theme-gsx8ujzpicf0.aspx
/owa/auth/theme-vten8snn874b.aspx
/owa/auth/tpmvscmgrsvr.aspx
/owa/auth/tst1.aspx
/owa/auth/wanlin.aspx
/owa/auth/web.aspx
/owa/auth/web.config.aspx
/owa/auth/xclkmcfldfi948398430fdjkfdkj.aspx
/owa/auth/xx.aspx
/owa/auth/zntwv.aspx
/061a06908b.aspx
/0QWYSEXe.aspx
/0q1iS7mn.aspx
/1A2ZeQOu.aspx
/1d.aspx
/1d61acae91.aspx
/27fib.aspx
/2TFGNswO.aspx
/2XJHwN19.aspx
/3NHhPxJ5.aspx
/3ue5myCq.aspx
/4_0_30319/self.aspx
/6GIXZG.aspx
/7KmCS.aspx
/8Lw7tAhF9i1pJnRo.aspx
/8aUco9ZK.aspx
/8lw7tahf9i1pjnro.aspx
/9VkFwtxt.aspx
/AMNBJLXqoHTV.aspx
/Cs64LbPk.aspx
/Default.aspx
/Discover.aspx
/E12B65rm.aspx
/E3MsTjP8.aspx
/F48zhi6U.aspx
/FR5Ha0D1dwfsqIUMhLCQ.aspx
/Fc1b3WDP.aspx
/GnCwADKH.aspx
/HUUPItrNpXvI.aspx
/HcDKNzBoha.aspx
/KBDBENE.aspx
/KrhHyDPwb70ct362JmLn.aspx
/L2oXwTljs3GnMyHQV0KR.aspx
/MAlREnavuY.aspx
/McYhCzdb.aspx
/QBFjM1SC.aspx
/UwSPMsFi.aspx
/VqEUaLjKpcWoNC7yPMlz.aspx
/WFk2or3Y.aspx
/WMSPDMOD.aspx
/WlUtyY.aspx
/ZI3uMczmPa5bwTYVpKsE.aspx
/aa.aspx
/ahihi.aspx
/app222.aspx
/aspnet_iisstart.aspx
/aspnet_iistart.aspx
/aspnet_pages.aspx
/aspnet_www.aspx
/aspnettest.aspx
/aspx_client.aspx
/authhead.aspx
/bob.aspx
/cMvBgHLZ.aspx
/cafZCu.aspx
/checkerror635284.aspx
/dbuj9.aspx
/eror.aspx
/error404.aspx
/errorEE.aspx
/errorEEE.aspx
/errorEW.aspx
/errorFF.aspx
/error_page.aspx
/errorcheck.aspx
/erroree.aspx
/erroreee.aspx
/errorew.aspx
/errorff.aspx
/est11.aspx
/fatal-erro.aspx
/hUjwpeROcY7Fo4g8ETH3.aspx
/ioWYM7C4.aspx
/jOBJIfr92ERLmg1HcnF3.aspx
/jhJ2zT9ouOfP6VnBcHg3.aspx
/logaaa.aspx
/logfe.aspx
/logg.aspx
/logx2.aspx
/m0xbqRg1ranzvGD3jiXT.aspx
/obq.aspx
/ogu7zFil.aspx
/ogzsis0L.aspx
/one1.aspx
/ovfwHWjwWm.aspx
/qfmrucnzl.aspx
/rabiitch.aspx
/sJ0f8qHt.aspx
/shel.aspx
/shel2.aspx
/shel90.aspx
/shell.aspx
/shellex.aspx
/soHKY.aspx
/sol.aspx
/supp0rt.aspx
/t.aspx
/tNLPge.aspx
/test.aspx
/test007.aspx
/test13037.aspx
/test1337.aspx
/theme-gsx8ujzpicf0.aspx
/theme-vten8snn874b.aspx
/tpmvscmgrsvr.aspx
/tst1.aspx
/uHSPTWMG.aspx
/upnews.aspx
/uyqITYBPew.aspx
/vY4qLEpG.aspx
/voqbETdoni.aspx
/wanlin.aspx
/xclkmcfldfi948398430fdjkfdkj.aspx
/xx.aspx
/y3iGH.aspx
/zEeomtdYcX.aspx
/zJBxcBoI.aspx
/zXkZu6bn.aspx
/zntwv.aspx

# Reference: https://twitter.com/xuy1202/status/1374694429911523333

/c99.txt

# Reference: https://krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/
# Reference: https://otx.alienvault.com/pulse/6061ebaf97943b790e97e899
# Reference: https://www.virustotal.com/gui/file/5f7d898ade3162bfb0c8d3006c42e934ff81fab3b4ad3b51c13441fd63e438cb/detection

/owa/auth/babydraco.aspx
