Just Hacked

Because of my own carelessness in not checking the extension of files uploaded to the Desktop Project, someone managed to upload a PHP file.

I actually did check uploaded files with the getimagesize function. It turned out the attacker bypassed it by putting PNG header bytes at the top of the file, embedding a PHP script underneath, and naming it shell.png.php. To getimagesize, shell.png.php is a valid image file. To Apache, however, shell.png.php is a PHP script that can be executed at any time.

Fortunately, the Desktop Project has a reporting tool that e-mails me every time a file is uploaded. As soon as I found out, I renamed the script right away and then patched the upload script. Out of curiosity I downloaded the Apache access log. Below is a snippet of it:

ferdhie@homebox:~/Desktop/data/misc$ grep shell accesslog_ferdianto.com_4_15_2007 | awk '{ print $1, $6, $7, $8 }'
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php HTTP/1.1"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=sql&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2Fuploaded%2F 

Hmm, got the IP. Let me look for what else he did, and where he came from.

ferdhie@homebox:~/Desktop/data/misc$ grep 202.92.206.229 accesslog_ferdianto.com_4_15_2007 | awk '{ print $1, $6, $7, $8, $9, $10, $11 }'
202.92.206.229 "GET /demo/desktop/upload.php HTTP/1.1" 200 3938 "http://www.google.co.id/search?hl=id&q=inurl%3Aupload.php+site%3Acom&btnG=Telusuri&meta=cr%3DcountryID"

Turns out he came from good old Google. Continuing the search: after uploading, what did he do next? Meanwhile, I was estimating how much damage had been done.

202.92.206.229 "POST /demo/desktop/upload.php HTTP/1.1" 200 3072 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php HTTP/1.1" 200 8152 /demo/desktop/uploaded/shell.jpg.php?act=sql&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2Fuploaded%2F HTTP/1.1" 200 15736 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php? HTTP/1.1" 200 8152 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=sql&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2Fuploaded%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop&sort=0a HTTP/1.1" 200 7658 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo&sort=0a HTTP/1.1" 200 7441 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2F&sort=0a HTTP/1.1" 200 12625 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php? HTTP/1.1" 200 8152 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2F&sort=0a HTTP/1.1" 200 7658 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2F&sort=0a HTTP/1.1" 200 7441 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 7263 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a HTTP/1.1" 200 12965 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a HTTP/1.1" 200 12965 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=eval&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 13243 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=tools&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 14479 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=tools&d=%2Fhome%2Fferdiant%2F&bind%5Bport%5D=31373&bind%5Bpass%5D=c99&bind%5Bsrc%5D=c99sh_bindport.pl&bindsubmit=Bind HTTP/1.1" 200 14549 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=tools&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=encoder&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 14882 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=tools&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=encoder&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 14882 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=encoder&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=search&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 13879 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=encoder&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php? HTTP/1.1" 200 8152 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=search&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=phpinfo HTTP/1.1" 200 49753 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?"

Looks like he was trying out his shell's tools. Let's keep going…

202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php HTTP/1.1" 404 2455 "http://ferdianto.com/demo/desktop/index.php?id=18"

Oops, 404. That must be because I had already moved the file.
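The manual grep/awk walk-through above (find the uploaded script, pivot on the IP, check the referer, watch the `act=` parameter) can be turned into a repeatable check. The following is an added example, not part of the original post: it parses Apache combined-format lines with a regex, tags each request that executes a script from the upload directory, uses one of the `act` values seen in the post, or arrives from a Google `inurl:` search, and correlates a POST to the upload form with a later script fetch from the same IP. The sample log lines, the IP addresses and the `SHELL_ACTIONS` set are constructed for this example; the paths are the ones shown in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

UPLOAD_DIR = "/demo/desktop/uploaded/"     # directory the app stores uploads in
UPLOAD_FORM = "/demo/desktop/upload.php"   # the upload form seen in the post's log
# "act" values observed in the post's log; eval/sql/tools are the dangerous ones.
SHELL_ACTIONS = {"eval", "sql", "tools", "phpinfo", "encoder", "ls", "search"}

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])          # split "/path?query" into its pieces
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)     # {"act": ["eval"], "d": ["/home/..."]}
    return entry


def classify(entry):
    """Tags for a single request, independent of any other request."""
    tags = []
    path = entry["path"].lower()
    # A .php anywhere in the filename under the upload dir (shell.jpg.php, x.php.jpg)
    # means the web server treated an upload as a script.
    if path.startswith(UPLOAD_DIR) and ".php" in path:
        tags.append("script-in-upload-dir")
    acts = entry["query"].get("act", [])
    if any(a in SHELL_ACTIONS for a in acts):
        tags.append("webshell-action:" + ",".join(acts))
    referer = unquote(entry["referer"]).lower()
    if "google." in referer and "inurl:" in referer:
        tags.append("search-dork-referer")
    return tags


def analyze(lines):
    """Return {ip: set(tags)}. Adds 'upload-then-execute' when an IP POSTs to the
    upload form and afterwards fetches a .php file from the upload directory."""
    findings = defaultdict(set)
    has_uploaded = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        for tag in tags:
            findings[entry["ip"]].add(tag)
        if entry["method"] == "POST" and entry["path"] == UPLOAD_FORM:
            has_uploaded.add(entry["ip"])
        if entry["ip"] in has_uploaded and "script-in-upload-dir" in tags:
            findings[entry["ip"]].add("upload-then-execute")
    return dict(findings)


# Constructed sample lines in the post's log format (documentation-range IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Apr/2007:21:10:01 +0700] "GET /demo/desktop/upload.php HTTP/1.1" 200 3938 '
    '"http://www.google.co.id/search?hl=id&q=inurl%3Aupload.php+site%3Acom" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2007:21:11:30 +0700] "POST /demo/desktop/upload.php HTTP/1.1" 200 3072 '
    '"http://ferdianto.com/demo/desktop/upload.php" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2007:21:12:02 +0700] "GET /demo/desktop/uploaded/shell.jpg.php?act=eval&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 13243 '
    '"http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Apr/2007:21:13:00 +0700] "GET /demo/desktop/uploaded/holiday.jpg HTTP/1.1" 200 48211 '
    '"http://ferdianto.com/demo/desktop/index.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, sorted(tags))
```

Run it against a real file with `analyze(open(path).readlines())`; the `upload-then-execute` tag is the one worth alerting on, since an image gallery should never serve a request that both came in through the upload form and ends in a script execution from the upload directory.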

202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/ HTTP/1.1" 403 594 "-"

Why 403? It worked earlier, so why is it asking for a password now? I had briefly blocked it with httpd auth. (*panic*). Since I felt safe now, I tried to check where he came from. Ping first…

ferdhie@homebox:~/Desktop/data/misc$ ping 202.92.206.229
PING 202.92.206.229 (202.92.206.229) 56(84) bytes of data.
64 bytes from 202.92.206.229: icmp_seq=1 ttl=50 time=89.5 ms
64 bytes from 202.92.206.229: icmp_seq=2 ttl=50 time=78.2 ms
64 bytes from 202.92.206.229: icmp_seq=3 ttl=50 time=68.0 ms
64 bytes from 202.92.206.229: icmp_seq=4 ttl=50 time=88.8 ms
64 bytes from 202.92.206.229: icmp_seq=5 ttl=50 time=88.6 ms

It responds. Now, let's try tracing it with NMAP. From the httpd log, I know he was using Firefox on Windows XP. The full user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3

ferdhie@homebox:~/Desktop/data/misc$ nmap -sS -P0 -A -v 202.92.206.229
TCP/IP fingerprint:
SInfo(V=4.10%P=i686-pc-linux-gnu%D=4/16%Tm=4623A40D%O=-1%C=-1)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Hmm, Linux? This must be a router, since earlier he was accessing from Windows, and there are no open ports. What else could I do... oh right, just whois it.

ferdhie@homebox:~/Desktop/data/misc$ whois 202.92.206.229
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      202.92.192.0 - 202.92.207.255
netname:      GSMART-ID
descr:        PT. Bukit Mahligai Sentosa
descr:        GSMART.NET - Internet Service Provider
country:      ID
admin-c:      DT116-AP
tech-c:       DT116-AP
mnt-by:       MNT-APJII-ID
mnt-lower:    MAINT-ID-GSMARTNET
changed:      hostmaster@apjii.or.id 20020408
changed:      hostmaster@apjii.or.id 20021231
status:       ALLOCATED PORTABLE
remarks:      spam and abuse report : abuse@apjii.or.id
source:       APNIC

person:       Dirgantara R T
address:      Electrindo Building
address:      6th Floor Kuningan
address:      Jakarta Selatan
country:      ID
phone:        +62-21-5209060
fax-no:       +62-21-5209075
e-mail:       yd1eee@gsmart.net.id
nic-hdl:      DT116-AP
mnt-by:       MAINT-ID-GSMARTNET
changed:      yd1eee@gsmart.net.id 20020408
source:       APNIC

Ah, probably just the ISP. Let's try googling, who knows what turns up. And while googling, I found a neat URL; here is the cached result:
cached result.

For the Desktop Project patch, I added the validation below:

// Normalise both values first: MIME types and extensions are case-insensitive.
// Note that if $mime comes from $_FILES[...]['type'] it is supplied by the client,
// so the extension check is the one that actually stops shell.png.php.
$mime = strtolower($mime);
// Take the extension after the LAST dot: for "shell.png.php" this is ".php",
// which is what Apache acts on. strrchr() returns false when there is no dot.
$ext = strtolower((string) strrchr($dest, '.'));

// Only these MIME types and extensions are accepted.
$validmime = array('image/jpg', 'image/jpeg', 'image/gif', 'image/png');
$validext = array('.jpg', '.gif', '.png');

// Both checks must pass; the third argument makes in_array() compare strictly.
if (!(in_array($mime, $validmime, true) && in_array($ext, $validext, true))) {
  seterrmsg("File uploaded is not an image");
  return 0;
}
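To show why the original getimagesize check was not enough and what the patch above adds, here is an added example (not the Desktop Project's own code, and written in Python rather than the project's PHP). `header_only_check` mimics a check that looks only at the leading bytes, which is why an image header followed by script text passes it; `validate_upload` checks the extension after the last dot against an allow-list, verifies the file's magic bytes for that extension instead of trusting a client-supplied MIME type, and stores the file under a server-generated name so the client's filename never reaches the filesystem. The `ALLOWED` table and the in-memory sample file are constructed for this example.

```python
import os
import secrets

# Final extension -> magic-byte prefixes the content must start with.
# Constructed allow-list for this example.
ALLOWED = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}


def header_only_check(data):
    """Mimics a getimagesize()-style decision: only the leading bytes are
    inspected, so an image header followed by script text still passes."""
    return any(data.startswith(sig) for sigs in ALLOWED.values() for sig in sigs)


def validate_upload(original_name, data):
    """Return (accepted, reason, stored_name).

    The stored name is generated server-side (random token + the one validated
    extension), so neither a trailing '.php' nor an extra '.php.' segment from
    the client's filename can end up on disk."""
    # 1. Apache acts on the trailing extension, so that is the one we check.
    ext = os.path.splitext(original_name.strip())[1].lower()
    if ext not in ALLOWED:
        return False, "extension %r is not an allowed image type" % ext, None
    # 2. The content must start with the magic bytes for that extension.
    #    This replaces trusting a client-supplied Content-Type value.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match a %s image" % ext, None
    # 3. Never reuse the client's filename.
    stored_name = secrets.token_hex(8) + ext
    return True, "ok", stored_name


# Constructed sample: a PNG signature followed by a harmless marker comment,
# standing in for the "image header on top, script underneath" file in the post.
PNG_SIGNATURE = ALLOWED[".png"][0]
SAMPLE_POLYGLOT = PNG_SIGNATURE + b"\x00" * 16 + b"<?php /* constructed marker */ ?>"


def demo():
    """Compare the two checks on the sample file uploaded as shell.png.php."""
    return {
        "header_only": header_only_check(SAMPLE_POLYGLOT),
        "validated": validate_upload("shell.png.php", SAMPLE_POLYGLOT)[0],
    }


if __name__ == "__main__":
    print(demo())   # the header-only check accepts it, validate_upload rejects it
```

Even with this validator, a file that passes can still carry PHP text after a genuine image header, which is why the upload directory itself should also be configured not to execute scripts, as the `SetHandler default-handler` tip in the comments suggests.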

Hopefully that is strong enough to hold off hackers who keep getting smarter. Thanks to the hacker who visited Ferdianto.com.

11 comments

  1. Steven Haryanto says:

    an old-school tip: configure the upload directory so it cannot execute any scripts at all, for example with an .htaccess like this:

    sethandler default-handler

    hth

    April 17th, 2007 at 04:49
  2. Steven Haryanto says:

    hmm, the HTML got stripped…

    [files *]
    sethandler default-handler
    [/files]

    (be careful if you allow dot-files, but just adjust the [files] or [filesmatch] directive accordingly)

    April 17th, 2007 at 04:52
  3. Jauhari says:

    That's what you call a lesson, boss :D

    April 17th, 2007 at 08:05
  4. ferdhie says:

    Thank you, thanks for the suggestions.

    April 17th, 2007 at 09:01
  5. Aryo Sanjaya says:

    Where's the counterattack, Fer?

    Need any ammunition?

    April 17th, 2007 at 09:41
  6. ferdhie says:

    @aryo - Where's the counterattack, Fer?
    What for, it would just be a waste of time

    April 17th, 2007 at 10:04
  7. GuM says:

    o_O;
    sophisticated, wow….

    April 17th, 2007 at 16:49
  8. yudhis says:

    Time to treat us to a meal!!!

    May 15th, 2007 at 10:31
  9. ferdhie says:

    What does a meal have to do with anything?

    May 17th, 2007 at 11:15
  10. Visitor299 says:

    I could not find this site in the Search Engines index

    October 24th, 2007 at 08:00
  11. cosmo says:

    I don't get it..
    Just started learning networking…
    What does that mean?

    *grinning sheepishly*

    February 16th, 2008 at 15:50
