Apr 08 2008

Chinese .gov sites pwn3d

Published by at 11:41 pm under Chinese Malware,Hacking for money

So not only is the PRC the largest victim of spyware, they seem to have a significant problem securing their .gov web servers too.

Turkish hacker pwnz .gov.cn

Some interesting Google searches you may want to try:

site:gov.cn intitle:”hacked by”

site:gov.cn “iframe src” width..0

So the first search yields 818 results.  That search represents PRC .gov pages that were defaced.  Many of these are probably on the same hacked server.  Most of the sites seem to be regional government servers. There are a lot of political messages from Iranian and Turkish hacker groups.

To put this into some perspective here are the results from other countries that seem to use the .gov domain naming convention like .gov.cn:

.gov (USA): 04

.gov.uk:  22

.gov.au:  01

.gov.ir:  04

.gov.sa:  543

.gov.tw:  01

Saudi Arabia comes in 2nd with 543 results mostly from the same server and mostly dealing with pharma spam.   Taiwan has probably the best single defacement result:

De Oppresso Liber?

It makes me wonder about the motivation of this “PLA” hacker.  Was this a serious political statement by a patriotic hacker or was it someone trying to be funny by attributing this defacement to the PLA?

So how about iframes?  An inline frame or iframe is an html tag that is usually used to create a section of a site containing content from third party sites like an advertisement.  There are many legitimate reasons for iframes but they are frequently used to link to malicious javascript and their appearance on a website is a good indication that it was pwn3d.  

So searching for site:gov.cn will limit the search results to the government of the PRC.  Adding “iframe src” will limit the results to pages with iframe tags in them and the width..0 limits the search to those with invisible iframes only (the dots let us include width=0 or width=”0″ cases).  So the result seems to be a lot of pharma spam injected into forums and bulletin boards.


 If you add .exe you can get a lot of malware.  I used this to pull down some malware that I analyzed last night.  It turned out to be a well known keylogger that was picked up by 30/32 on virus total.  Yawn.  More to follow…

4 responses so far

4 Responses to “Chinese .gov sites pwn3d”

  1. Heikeon 08 Apr 2008 at 11:57 pm

    Just wondering how many of these .gov.cn sites were hacked by Chinese youth? Hmmm….

  2. jumperon 09 Apr 2008 at 12:22 am

    None as far as I can tell.

  3. [...] from jumper: Please see this article about googling defaced Chinese .gov [...]

  4. [...] most loyal TDV readers may remember a post from a while back showing some Google searches that turned up more than one hundred Chinese .gov [...]