17,400 sites affected by Fx29 – RFI pt2

For my next installment on RFI attacks, we will look at the extremely popular FX29 shell.

To find out whether you or someone else has been compromised with this shell, search for the following:

intitle:"FaTaLisTiCz_Fx"

At the time of writing, the above search query returns 17,400 matches, which certainly indicates the prevalence of this shell.

Here is what the shell looks like while running on my own server.

[Image: fx29 shell]

By default, the file names used for fx29 are:

fx29bot.txt
fx29id1.txt
fx29id2.txt
fx29Sh.txt
Fx29Spreadz.txt

The shell is full-featured and lets the user navigate the file system, execute commands, find writable directories, download backdoors, show logged-in users, brute force FTP accounts, upload files, interact with MySQL databases and much, much more. For investigative purposes, the script contains a variable for an email address of the attacker:

##[ ADVANCED ]##
$log_email     = "attacker@some.com";
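
A defender-side check built from the indicators above (the default file names, the FaTaLisTiCz_Fx title string and the $log_email variable), added here as an example that is not part of the original post: it walks a web root and reports matching files, including renamed copies. The function names, the read cap and the sample tree are assumptions made for this example.

```python
import os
import re
import tempfile

# Default file names and page-title marker, as listed in the post.
DEFAULT_NAMES = {"fx29bot.txt", "fx29id1.txt", "fx29id2.txt",
                 "fx29sh.txt", "fx29spreadz.txt"}
TITLE_MARKER = b"FaTaLisTiCz_Fx"
LOG_EMAIL_RE = re.compile(rb"\$log_email\s*=\s*[\"']([^\"']+)[\"']")
MAX_READ = 2 * 1024 * 1024  # assumption: cap on bytes read per file

def scan_webroot(root):
    """Return findings (path, reasons, log_email) for files that look like fx29."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in DEFAULT_NAMES:   # names compared case-insensitively
                reasons.append("default-filename")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                data = b""                      # unreadable: name match only
            if TITLE_MARKER in data:            # catches renamed copies
                reasons.append("title-marker")
            if reasons:
                m = LOG_EMAIL_RE.search(data)
                email = m.group(1).decode("utf-8", "replace") if m else None
                findings.append({"path": path, "reasons": reasons, "log_email": email})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():  # constructed sample web root, not real data
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "uploads/notes.txt": b'<title>FaTaLisTiCz_Fx</title>\n$log_email = "attacker@some.com";\n',
        "tmp/Fx29Sh.txt": b"",
        "index.html": b"<title>Home</title>\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(scan_webroot(build_sample_tree()))
```

A file flagged only by name deserves a manual look; one flagged by the title marker should be preserved for investigation together with any extracted $log_email value.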
