A Little Bit Pivoting: What Web Shells are Attackers Looking for?, (Tue, Apr 7th)

This SANS-style note documents scanning activity for webshells (notably /turkshell.php) from four IPs apparently assigned to Microsoft, lists the top probed URLs and a long catalog of 287 filename indicators commonly used as webshells or for fingerprinting (many WordPress-related), and recommends mitigations such as removing RCE/file upload vulnerabilities, restricting document-root write permissions, and monitoring filesystem changes.