• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Brazilian Protests Leading to Mass Defacements

June 17, 2013Estevao Avillez

FacebookTwitterSubscribe

Lately, Brazil is going through a series of political protests against the current administration and the large amount of over expenses related to the 2014 Soccer/FIFA World cup. When the police started to close down the protesters in the streets, they went online. We won’t go into much more politics, but those online protests recently switched from Twitter/Facebook discussions into a mass defacement of multiple high profiles sites (and Twitter accounts).

It includes the Twitter of the Veja Magazine (with over 2.5m followers – one of the biggest in Brazil):

Revista Veja compromised

And the site for Brazilian’s richest man, Eike Batista:

Screen Shot 2013-06-17 at 5.09.36 PM

Government sites affected too

And that’s not all, many government sites are getting hacked and defaced as part of the protest. All of them begging for the population to join them in the streets and in front of the soccer stadiums to show their dissatisfaction with what is happening. This is a small list of the ones defaced early today:

http://samu192.com.br/
http://www.juazeirinho.pb.gov.br/
http://www.camaradocabo.pe.gov.br/
http://www.macaeprev.rj.gov.br/
http://www.ciscel.mg.gov.br/
http://copa2014.gov.br/
http://www.saofelixdoaraguaia.mt.gov.br/
http://copaemcuiaba.com.br/
http://www.frentedetrabalho.sp.gov.br

We are also seeing some sites suffering from DDOS (denial of service) attacks. We don’t know exactly how those sites are getting hacked, but we will keep monitoring the situation and providing updates as they come. Note that none of the compromised sites were injected to host malware.

FacebookTwitterSubscribe

Categories: UncategorizedTags: Hacked Websites

About Estevao Avillez

Estevao Avillez is Sucuri’s Senior Director of Security Research, who joined the company in 2013. Estevao’s main responsibilities include leading the Research Group, which includes the Malware, Vulnerability and WAF/Sucuri Infrastructure. His professional experience covers 15 years with planning, project and operations management. Estevao has also worked in various areas such as logistics and supply chain, media and communication, telecommunications, and trading relationships with customers. He’s worked as a consultant in financial, strategic and operational management. When Estevao isn’t keeping our customers safe, you might find him taking care of his kids and running. Connect with him on Twitter.

Reader Interactions

Comments

  1. Steve

    June 20, 2013

    Daniel, it looks like our site has been hacked using this method. Can you offer any recommendations as to what to do? Our hosting provider hasn’t been especially willing to offer any assistance. Thanks in advance for any suggestions you can offer!

  2. Bit51

    June 20, 2013

    I’ve had more than one person report this but as of right now SiteCheck doesn’t seem to be picking it up on the affected sites. Will you guys be updating that soon?

  3. John Reedaw

    June 21, 2013

    It would be nice if you could submit a sample of “MD5 (mod_suphp5.so) = 0a64f8d809d0a73d1b0b4139126e8f94” to VT. According to them, file is not found in their database.

  4. Misael Castillo

    June 23, 2013

    Hi, Im from mexico and I get my site ataccked after I publish an Adwords campaing, since then all my sites have been hacked, thankyou for the information, I will be attending for new coments or solutions.

    Kind Regards

    • Roa

      July 7, 2013

      Do you need a sysadmin 🙂

  5. George

    June 24, 2013

    # grep -r AWAVAUATUS1 /usr/bin
    Binary file /usr/bin/X matches
    Binary file /usr/bin/pic matches
    Binary file /usr/bin/Xorg matches
    Binary file /usr/bin/unrar matches
    Binary file /usr/bin/cd-info matches
    Binary file /usr/bin/gdb matches
    Binary file /usr/bin/vimdiff matches
    Binary file /usr/bin/vim matches
    Binary file /usr/bin/rvim matches
    Binary file /usr/bin/fastboot matches
    Binary file /usr/bin/git-upload-pack matches
    Binary file /usr/bin/gpic matches
    Binary file /usr/bin/gmake matches
    Binary file /usr/bin/crash matches
    Binary file /usr/bin/ex matches
    Binary file /usr/bin/gdbtui matches
    Binary file /usr/bin/oldfind matches
    Binary file /usr/bin/gvfs-ls matches
    Binary file /usr/bin/make matches
    Binary file /usr/bin/geeqie matches
    Does that mean that my system was infected?

  6. Minecraft Games

    July 1, 2013

    Thanks for giving me the useful information. I think I need it. Thank you

  7. Kamikaze

    July 5, 2013

    I’d like to point out that it looks like the standard libphp5.so Apache2 module as provided by latest RHEL6 updates seems to include the AWAVAUATUS1 signature. I almost had a heart attack when I saw a match for that file on one of our servers. I then installed fresh PHP5 module on a different server, and the signature also matched. Unless RHELs repo is infected (now that would be interesting!) then it looks like it’s normal JUST FOR THAT FILE at least.

    Additional info:
    [user@somewhere ~]# ls -ltra /etc/httpd/modules/libphp5.so
    -rwxr-xr-x. 1 root root 3692496 Jun 25 2012 /etc/httpd/modules/libphp5.so
    [user@somewhere ~]# rpm -qa | grep php
    php-5.3.3-14.el6_3.x86_64
    php-common-5.3.3-14.el6_3.x86_64
    php-cli-5.3.3-14.el6_3.x86_64

    • littleguy

      July 16, 2013

      Also had a “hnng-” moment when I noticed this. But it seems to check out. 🙂

  8. Kizi 10

    July 5, 2013

    How good this article is! I like it. I will share with my friends. I hope that many people also have hobby the same as me.

  9. GalaxiaAndroid

    August 10, 2013

    My site has been hacked with a worm very similar to this, but your detection system has not been able to find it.

    #0f2490#
    echo ” You are blocked by day limit”;
    #/0f2490#

    — and in some php files ————

    #0f2490#
    echo ” script type=”text/javascript” language=”javascript” > try{if(window.document)–document.getElementById(’12’)}catch(qq){if(qq!=null)ss=eval(“St”+”ring”);}a=”74837c7182777d7c
    ————–(I can not put the full code because it overrides my antivirus) ———
    #/0f2490#

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.