BEK 2 Payloads – Old

BEK2 used to use a 64-char hex field in its payloads. Not seen lately.

HTTP Request Method = GET
HTTP URI = *.php?*

Regex for URI = "\/[a-z0-9-_]+?\.php\?[a-z]+?=[0-9a-f]{64}&[a-z]+?=[0-9a-f]+?&"

Examples:

hxxp://epistlepu.info/links/busy-tasks-lacking.php?sbzpklj=050b040b0633090a04040904093508350b34060b0306030b070436360b383606&xvlubip=0a0005000300040a0b&fcqqb=03000900020009&xvljbpt=03030006000602040004080
hxxp://hiofuries.info/links/busy-tasks-lacking.php?kycis=0909073437030237070609050735020208063437330605073708023836380235&ujmnbn=0b000500020002&taltiudw=02000200020002&suo=030300060006020400040807
hxxp://wacookery.info/links/busy-tasks-lacking.php?fsbsreh=363402043406330b0835063807033506070b3636053603070a34043404050b38&tzhnrg=3d&ngo=333605330b3407083405&krvaiarm=0a0005000200040a02
hxxp://yaocookery.info/links/came_broadcasting_taking-various.php?gjbrvk=3736070804350b0b05063707330b04343609383436353508330705020b090802&wplctb=363c&mwesp=zjzqro&ncegre=vlefxsgu
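
The three conditions above (GET, *.php?*, URI regex) applied to proxy-log style records, as an added Python example that is not part of the original post. The function names, the (method, url) record layout and the example.test URLs are assumptions made for illustration; the regex and one sample URL are taken from this page.

```python
import re
from urllib.parse import urlsplit

# URI regex exactly as given on the page (lower-case only, unanchored).
BEK2_OLD_URI = re.compile(
    r"\/[a-z0-9-_]+?\.php\?[a-z]+?=[0-9a-f]{64}&[a-z]+?=[0-9a-f]+?&"
)

def request_target(url):
    """Return 'path?query' from a full URL; accepts defanged hxxp:// too."""
    if url.startswith("hxxp"):
        url = "http" + url[4:]
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def matches_bek2_old(method, url):
    """Apply the page's three conditions: GET, *.php?*, and the URI regex."""
    if method.upper() != "GET":
        return False
    target = request_target(url)
    if ".php?" not in target:
        return False
    return BEK2_OLD_URI.search(target) is not None

def scan(records):
    """records: iterable of (method, url). Returns the URLs that match."""
    return [url for method, url in records if matches_bek2_old(method, url)]

# One URL from the page's examples, plus constructed records (example.test).
PAGE_URL = ("hxxp://yaocookery.info/links/came_broadcasting_taking-various.php"
            "?gjbrvk=3736070804350b0b05063707330b04343609383436353508330705020b090802"
            "&wplctb=363c&mwesp=zjzqro&ncegre=vlefxsgu")
HEX64 = "0a" * 32  # constructed 64-char lower-case hex value
BASE = "http://example.test/x/a-b.php?k="  # constructed host and path
SAMPLE = [
    ("GET", PAGE_URL),
    ("GET", BASE + HEX64 + "&m=0b&n=1"),           # constructed, should match
    ("POST", BASE + HEX64 + "&m=0b&n=1"),          # wrong method
    ("GET", BASE + HEX64[:62] + "&m=0b&n=1"),      # first field only 62 chars
    ("GET", BASE + HEX64.upper() + "&m=0b&n=1"),   # upper-case hex
    ("GET", BASE + HEX64 + "&m=0b"),               # no '&' after second field
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("match:", hit)
```

The last three constructed records show where the signature does not fire: the regex is case-sensitive, needs exactly 64 hex characters in the first field, and requires a trailing "&" after the second field, so a request with only two parameters is not matched.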
