Ecuador Government Web Site Attack

Jorge Mieres posted this blog on the ESET Latin America web site at http://blogs.eset-la.com/laboratorio/2010/06/08/sitio-gobierno-ecuatoriano-comprometido-ataque/ today. Errors in interpretation and translation are, as usual, mine. Over to Jorge....

Criminal activity that exploits web sites is commonplace these days; nevertheless, when the affected Web site belongs to a governmental organization, the event takes on more relevance and impact, and reinforces the need to maintain strong and positive controls in order to keep data safe.

A while ago we posted an alert pertaining to a phishing attack that deposited fraudulent files on a site relating to a governmental organization in Colombia. Of course we advised the people in charge of the site of the need to take action against the threat.

In this instance, a similar situation has arisen in a governmental site in Ecuador. Taking advantage of a vulnerability on the server where the Web site is hosted, the attackers succeeded in accessing the system remotely. Here is a screenshot with the files uploaded by the attacker:

The attackers belong to a group called the Hacker-Newbie Crew that dedicates itself to gaining unauthorized access by exploiting vulnerabilities in the server, and specialize in web defacement.

These malicious files are uploaded through a backdoor usually written in PHP, which gives them the means to obtain total control of the Web site and in this way they can upload any kind of file to the server. This screenshot shows “a.php”:

ESET NOD32 detects this malware as PHP/IRCBot.NAA, PHP/IRCBot.NAD and Perl/Shellbot.B. Nevertheless, it is important to emphasize the importance of protecting file servers, whether they're based on Windows platforms or GNU/Linux, using proactive security solutions of security like ESET Gateway Security.

In addition, it's important to keep monitoring servers and networks so as to detect this  type of activity as early as possible, since, as in many similar and high-profile cases, the compromised Web site can be used as a staging post from which to mount other other attacks on other sites.

Jorge Mieres
Security Analyst
ESET Latin America

David Harley CITP FBCS CISSP
ESET Research Fellow