
List of php script files requested by MSFT IP

don't put these files on your website


SumGuy

2:40 pm on Dec 2, 2022 (gmt 0)

5+ Year Member Top Contributors Of The Month



For what it's worth, and I rarely see activity like this, a Micro$oft IP hit my server yesterday, asking for this laundry list of script files:

/shell.php
/shell4.php
/ups.php
/ru.php
/if.php
/vuln.php
/fw.php
/skipper.php
/skippershell.php
/tttt.php
/tshop.php
/alfa.php
/inje3ctor.php
/saudi.php
/wso.php
/alfashell.php
/my_alfa.php
/uploader.php
/up.php
/hacked.php
/c99.php
/priv8.php
/Navir.php
/cmd13.php
/inc20k1.php
/1index.php
/404.php
/swm.php
/wp.php
/doc.php
/shx.php
/ws.php
/m.php
/edit-form.php
/LEAF.php
/leafmailer.php
/mailer.php
/leafmailer2.8.php
/Leaf.php
/leaf.php
/x.php
/srx.php
/1337.php
/xx.php
/XxX.php
/lf.php
/alex.php
/new.php
/marijuana.php
/gaza.php
/wp-admin.php
/3index.php
/wikindex.php
/wso1.php
/bb.php
/Lux.php
/haxor.php

The IP in question was 172.173.182.230. User Agent was

Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

Referrer for all requests was [google.com....] All requests were http (port 80).

Because M$, Goog and Amazon are unnecessarily mis-allocated millions of IPs that are used for garbage like this, I've been adding their /16 CIDRs to my router's block-and-don't-log list over time as they make their filthy existence known to my web server. This was the first time for this /16, and I see it's part of a /11 which is a new range to my blocking list.
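A detection pass over web server logs for this kind of probe list, added here as an example and not code from the post or any of the posters: it parses combined-format access log lines (the sample lines are constructed, reusing the IP, user agent and referrer quoted above plus one ordinary visitor), flags client IPs that ask for several of the listed webshell file names in a row, and computes the /16 and /11 containing such an IP for a router blocklist entry. The probe-name set is a subset of the list above; the log format, the threshold of three distinct names, and the sample lines are assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Subset of the file names from the probe list quoted above, lower-cased for matching.
WEBSHELL_PROBE_NAMES = {
    "shell.php", "shell4.php", "wso.php", "wso1.php", "c99.php", "alfa.php",
    "alfashell.php", "my_alfa.php", "priv8.php", "leafmailer.php", "mailer.php",
    "1337.php", "haxor.php", "uploader.php", "up.php", "hacked.php", "vuln.php",
    "cmd13.php", "navir.php", "wp-admin.php",
}

# Apache/nginx "combined" LogFormat (assumed; adjust the pattern to your own format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: the scanner from the post, then a normal visitor.
UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
SAMPLE_LOG = "\n".join([
    f'172.173.182.230 - - [01/Dec/2022:14:02:11 +0000] "GET /shell.php HTTP/1.1" 404 196 "http://google.com/" "{UA}"',
    f'172.173.182.230 - - [01/Dec/2022:14:02:11 +0000] "GET /wso.php HTTP/1.1" 404 196 "http://google.com/" "{UA}"',
    f'172.173.182.230 - - [01/Dec/2022:14:02:12 +0000] "GET /c99.php HTTP/1.1" 404 196 "http://google.com/" "{UA}"',
    '203.0.113.7 - - [01/Dec/2022:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/107.0"',
    '203.0.113.7 - - [01/Dec/2022:14:05:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/107.0"',
])


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def probe_hits(text):
    """Map client IP -> list of requested paths whose file name is a known probe name."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        # Strip any query string, then take the last path component.
        name = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name in WEBSHELL_PROBE_NAMES:
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


def scanners(text, threshold=3):
    """IPs that requested at least `threshold` distinct probe names.

    A single stray 404 is not a scan; a run of shell names from one IP is.
    """
    return {ip: paths for ip, paths in probe_hits(text).items()
            if len(set(paths)) >= threshold}


def covering_networks(ip, prefixes=(16, 11)):
    """The /16 and /11 that contain `ip`, as strings, for a router blocklist entry."""
    addr = ipaddress.ip_address(ip)
    return [str(ipaddress.ip_network(f"{addr}/{p}", strict=False)) for p in prefixes]


def in_blocklist(ip, blocklist):
    """True if `ip` falls inside any CIDR in `blocklist`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in blocklist)


if __name__ == "__main__":
    for ip, paths in scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} shell names: {paths}")
        print(f"  covering networks: {covering_networks(ip)}")
```

The threshold matters: a single request for one of these names is often just a stray bot, while three or more distinct names from one source within the same log window is the signature of a list-driven scan like the one quoted above. The /11 computed for the quoted IP is the same range later posts in this thread mention blocking.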

Martin Potter

8:25 pm on Dec 11, 2022 (gmt 0)

5+ Year Member Top Contributors Of The Month



Actually there is a 1337.php file on my site, but only because I noticed that someone once requested it and I was curious who might ask for such a file. My 1337.php file records the requester's IP and other parameters and sends that data to a separate, little error file, so I don't have to search the server logs for it.

There have been very few requests for 1337.php. I suppose that the name derives from the hacker's "leet" expression.

not2easy

8:31 pm on Dec 11, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Microsoft Azure Cloud Hosting isn't welcome. I block 172.160.0.0/11 - but that antique FF version should also be blocked.

Sgt_Kickaxe

4:56 am on Dec 12, 2022 (gmt 0)



Looks like someone searching for a laundry list of vulnerabilities. Smells like a service trying to keep you safe by selling the data they gathered from your site to others, a sales pitch for their protective services. No identifying data, of course.

Regardless of what it was, the most concerning entry on the list is "/wp-admin.php", IMO. WordPress sites not properly configured will show they aren't by how that request is handled.

Ideally only one IP can access that file, and the login page, yours. All other IPs should get the same response as other non-existing URLs do, in my opinion. Blocking IPs from knocking on the door a second time is one defence. What happens when they knock the first time is another.
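A request policy that implements the two ideas in this thread, added here as an example and not code from either poster: Martin Potter's decoy 1337.php that records the requester's IP and parameters to a separate file instead of the main server log, and the point above that /wp-admin.php should be reachable from one IP only, answer every other IP exactly as a nonexistent URL is answered, and that a first knock can put the source on a no-second-knock list. The owner IP, decoy log file name, page set and the in-memory ban list are assumptions; a real deployment would put this logic in the web server or a front-end filter rather than in application code.

```python
import json
import time
from urllib.parse import parse_qs

# Paths only the site owner's IP may reach (assumed set).
ADMIN_PATHS = {"/wp-admin.php", "/wp-login.php", "/wp-admin/"}
# Decoy files that are never served; every request for them is recorded.
DECOY_PATHS = {"/1337.php"}
DECOY_LOG = "decoy-hits.log"  # assumed file name, separate from the access log

# One shared response object: status, content type and body are identical for a
# forbidden admin path, a decoy and a genuinely missing URL, so the reply leaks nothing.
GENERIC_404 = (404, "text/plain", "Not Found\n")


class ProbePolicy:
    """Owner-only admin paths, decoy logging, and a one-strike ban list."""

    def __init__(self, owner_ip, log_path=DECOY_LOG, real_pages=None):
        self.owner_ip = owner_ip            # the single IP allowed at ADMIN_PATHS
        self.log_path = log_path            # None keeps hits in memory only
        self.real_pages = real_pages or {"/": "home", "/about.html": "about"}
        self.banned = set()                 # IPs that already knocked once
        self.decoy_hits = []                # in-memory copy of what was logged

    def record_decoy_hit(self, client_ip, path, query, headers):
        """Write one JSON line per decoy request: who asked, for what, with which parameters."""
        entry = {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "ip": client_ip,
            "path": path,
            "params": parse_qs(query),
            "ua": headers.get("user-agent", ""),
            "referer": headers.get("referer", ""),
        }
        self.decoy_hits.append(entry)
        if self.log_path:
            with open(self.log_path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(entry) + "\n")
        return entry

    def handle(self, client_ip, path, query="", headers=None):
        """Return (status, content_type, body) for one request."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if client_ip in self.banned:
            return GENERIC_404                      # second knock: nothing at all
        if path in DECOY_PATHS:
            self.record_decoy_hit(client_ip, path, query, headers)
            if client_ip != self.owner_ip:
                self.banned.add(client_ip)
            return GENERIC_404
        if path in ADMIN_PATHS:
            if client_ip == self.owner_ip:
                return (200, "text/html", "<admin panel>")
            self.banned.add(client_ip)              # first knock on the admin door
            return GENERIC_404                      # same answer as any missing URL
        if path in self.real_pages:
            return (200, "text/html", self.real_pages[path])
        return GENERIC_404


if __name__ == "__main__":
    policy = ProbePolicy(owner_ip="198.51.100.10")  # constructed placeholder
    print(policy.handle("198.51.100.10", "/wp-admin.php"))
    print(policy.handle("192.0.2.5", "/wp-admin.php"))
    print(policy.handle("192.0.2.5", "/"))          # banned after the first knock
    print(policy.handle("192.0.2.7", "/1337.php", "a=1", {"User-Agent": "curl/8.0"}))
```

Returning the same object for all three not-found cases is the point: a probing client should not be able to tell a protected admin path from an absent file by status code, body length, headers or timing, so the policy deliberately does no extra work (no redirect, no login form, no custom error page) on those branches.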

tangor

6:37 am on Dec 13, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you do not use .php for anything, denying that will solve a lot of requests, first, second, or otherwise!

blend27

11:13 am on Jan 8, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

but that antique FF version should also be blocked.


It is not blocked on this Forum or Thread... for some reason...

;)