2013/06/23 - KPUD Kuningan Account Hacked & Spreading Spam in the Name of Onno W. Purbo

From OnnoWiki

Revision as of 06:51, 25 June 2013

Source: http://blog.idwebhost.com/redaksi/hack-account-hosting-kp-kuning-go-id/

Following information from the telematika@yahoogroups.com mailing list about spam e-mail originating from one of the hosting accounts on our server, we have now deactivated the hosting account www.kpud-kuningankab.go.id.

We, the management of IDwebhost, also apologize to Mr. Onno W Purbo, who has been the victim of defamation by the hacker who attacked one of our hosting accounts and sent mail in his name.

According to our logs, the account uses the Joomla CMS and was hacked around 31 March 2012. The spam e-mail sending, as reported on the mailing list, began on 23 June 2013 at around 19:17 WIB. The hacker impersonated Mr. Onno W Purbo's e-mail address onno@indo.net.id using the hosting account that had been hacked earlier.

The mailing lists spammed by the hacker were:

  1. asosiasi-warnet@yahoogroups.com
  2. orari-news@yahoogroups.com
  3. indowli@yahoogroups.com
  4. telematika@yahoogroups.com
  5. mastel-anggota@yahoogroups.com

The access log for the hacked file shows it was run, probably through a proxy IP in China, as seen in the following log entries:

221.7.11.23 - - [23/Jun/2013:19:17:09 +0700] "GET http://kp**-kuning*****.go.id/includes/joomla.php HTTP/1.1" 200 3513 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
221.7.11.23 - - [23/Jun/2013:19:19:00 +0700] "POST http://kp**-kuning*****.go.id/includes/joomla.php HTTP/1.1" 200 3431 "http://kp**-kuning*****.go.id/includes/joomla.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
221.7.11.23 - - [23/Jun/2013:19:19:13 +0700] "POST http://kp**-kuning*****.go.id/includes/joomla.php HTTP/1.1" 200 5242 "http://kp**-kuning*****.go.id/includes/joomla.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
221.7.11.23 - - [23/Jun/2013:19:19:18 +0700] "POST http://kp**-kuning*****.go.id/includes/joomla.php HTTP/1.1" 200 3492 "http://kp**-kuning*****.go.id/includes/joomla.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

whois 221.7.11.23

[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-6]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 221.7.11.0 - 221.7.11.31
netname: Gegraphical-co
country: cn
descr: Geographical Engineering Co.
descr: Urumqi
admin-c: WF116-AP
tech-c: WF116-AP
status: ASSIGNED NON-PORTABLE
changed: wangfj@xjcnc.net 20040814
mnt-by: MAINT-CNCGROUP-XJ
source: APNIC

route: 221.7.0.0/19
descr: CNC Group CHINA169 Xinjiang Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060118
source: APNIC

person: wang fujiang
nic-hdl: WF116-AP
e-mail: apnic@xjcnc.net
address: No.168 Huang He Road
address: Urumqi 830000,China
phone: +86 991 6119981
fax-no: +86 991 6119946
country: cn
changed: apnic@xjcnc.net 20090108
mnt-by: MAINT-CNCGROUP-XJ
source: APNIC 

How the Spam Was Sent

It appears to have been executed from a PHP script; the account may have been taken over by someone else, or it may have been kpudkun1 itself.

2013-06-23 19:13:26 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:13:26 1UqjAc-004Jdw-Os <= onno@indo.net.id U=kpudkun1 P=local S=2324 id=20130623191326.7531.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for asosiasi-warnet@yahoogroups.com

2013-06-23 19:14:47 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:14:47 1UqjBv-004K6R-1T <= onno@indo.net.id U=kpudkun1 P=local S=2309 id=20130623191447.0279.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for orari-news@yahoogroups.com

2013-06-23 19:15:11 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:15:11 1UqjCJ-004K9s-M7 <= onno@indo.net.id U=kpudkun1 P=local S=2300 id=20130623191511.6626.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for indowli@yahoogroups.com

2013-06-23 19:15:50 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:15:51 1UqjCw-004KY9-Sw <= onno@indo.net.id U=kpudkun1 P=local S=2309 id=20130623191550.8739.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for telematika@yahoogroups.com

2013-06-23 19:16:25 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:16:26 1UqjDV-004KeA-Vl <= onno@indo.net.id U=kpudkun1 P=local S=2309 id=20130623191625.9609.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for telematika@yahoogroups.com

2013-06-23 19:16:39 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:16:40 1UqjDj-004Khb-Vv <= onno@indo.net.id U=kpudkun1 P=local S=2321 id=20130623191639.9656.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for mastel-anggota@yahoogroups.com
