Below is a list of the most frequently attacked PHP URLs. The list is calculated from 400 days worth of server access logs.
There area a couple of things worth noting: A lot of rouge servers attack the same set of URLs. Therefore, I that the same malware is running on many different servers. I block computers that do this type of thing once it is detected. Therefore, the numbers are biased towards the number of infected computers rather than the total number of attacks made by all infected computers.
50) /thinkphp/html/public/index.php 49) /sane.php 48) /TP/index.php 47) /b.php 46) /Appf2302434.php 45) /cmx.php 44) /index.php 43) /TP/public/index.php?s=captcha 42) /TP/public/index.php?s=index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 41) /t6nv.php 40) /phpMyAdmin/scripts/setup.php 39) /phpmyadmin/scripts/setup.php 38) /wpc.php 37) /help.php 36) /java.php 35) /_query.php 34) /db_cts.php 33) /db_pma.php 32) /logon.php 31) /log.php 30) /x.php 29) /license.php 28) /hell.php 27) /z.php 26) /pmd_online.php 25) /help-e.php 24) /desktop.ini.php 23) /htdocs.php 22) /lala.php 21) /lala-dpr.php 20) /wpo.php 19) /text.php 18) /muhstiks.php 17) /muhstik2.php 16) /muhstik-dpr.php 15) /cmdd.php 14) /appserv.php 13) /wp-config.php 12) /uploader.php 11) /cmv.php 10) /lol.php 9) /knal.php 8) /test.php 7) /TP/public/index.php 6) /xmlrpc.php 5) /scripts/setup.php 4) /muhstik.php 3) /cmd.php 2) /shell.php 1) /wp-login.php