Ukrainian Government Website Hacked, Subdirectory Redirects to Bogus Pharma - UPDATE
Another day, another website compromise.
Although this is a bit more interesting, as it belongs to a Ukrainian Government agency (zito.mvs.gov.ua).
A friend and colleague at Trend Micro alerted me to this late this afternoon.
The image below shows the main page, which looks like it always does:
Having said that, however, a particular subdirectory (which I won't reveal here) redirects to a bogus pharma site (www.myphentermine.net):
Oops.
At the moment of this posting, it is still hacked.
On the bright side, it is located in The Ukraine:
www.myphentermine.net --> 62.149.17.20
% Information related to '62.149.17.0 - 62.149.17.255'
inetnum: 62.149.17.0 - 62.149.17.255
netname: COLO-CC5
descr: Colocall Ltd.
country: UA
admin-c: COLO3-RIPE
tech-c: COLO2-RIPE
status: ASSIGNED PA
mnt-by: AS15497-MNT
mnt-lower: AS15497-MNT
mnt-routes: AS15497-MNT
source: RIPE # Filtered
role: Colocall NOC
address: Turgenevskaya, 52-58
address: Kiev
address: Ukraine
For what it's worth, I have sent an e-mail to the technical contact of this domain to notify them of the issue -- but somehow I don't think they'll receive it:
----- The following address(es) had permanent fatal errors -----
originally to rfc822;semch@centrmia.gov.ua (unrecoverable error)
The user to whom this message was addressed has exceeded the allowed mailbox quota.
Please resend the message at a later time.
Bummer.
- ferg
UPDATE: 22:53 PST, 14 November 2007: I have received word from colleagues that this website belongs to the Office of the Ministry of Internal Affairs in the Zhitomir Region of Ukraine. And yes, it is still hacked. -ferg