ForTransRis hosting malware and attacking our honeypots

ForTransRIS Project is a Coordination Action funded by the European Commission under the OMC-NET (Open Method of Coordination-NET) strategy of the Sixth Framework Programme for Research and Technological Development, managed by the DG Research..

Since last week we are seeing many RFI attacks against our honeypots using as the repository for the tests. These are some of the entries:

203.251.a.b – – [04/Apr/2010:11:13:11 -0700] “GET //_acp/templates/?SYSURL[root]= HTTP/1.1″ 404 213 “-” “Mozilla/5.0”
222.236.a.b – – [04/Apr/2010:12:23:52 -0700] “GET /?page=tools&mt;=xxx&dt;=yyy//index.php?get= HTTP/1.1″ 200 4395 “-” “Mozilla/5.0”

Looking at the specified files:

$ lynx –source –dump
< ? php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>
$ lynx –source –dump
< ?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

As you can see, the very common file used by the FeeLCoMz RFI Scanner Bot. What worries me is that it is coming from their “intranet” domain, which generally contains sensitive information.

We tried to notify them about this issue, but their abuse address didn’t work… If you have any contacts there, let them know about it. If you want US to monitor your sites for you, visit

  1. Hi guys,

    Confirm you, our honey net has also see this RFI attack.

    RFI IP :
    RFI FQDN :
    RFI Country : – Spain
    RFI City : N/A

    RFI ID : 4463
    RFI Domain :
    RFI Domain IP :
    RFI URL :

    RFI number of events : 15
    RFI total SRC IP : 2
    RFI first seen : 2010-04-04 20:20:23
    RFI last seen : 2010-04-05 13:31:29
    RFI livetime : 1 day('s)

    We have sent yesterday an alert to ForTransRIS Project.


Comments are closed.

You May Also Like