2013/06/23 - KPUD Kuningan account hacked and used to send spam in the name of Onno W. Purbo
Source: http://blog.idwebhost.com/redaksi/hack-account-hosting-kp-kuning-go-id/
Following information from the telematika@yahoogroups.com mailing list about spam e-mail originating from one of the hosting accounts on our server, we have now deactivated the hosting account www.kpud-kuningankab.go.id.
We, the management of IDwebhost, also apologise to Mr. Onno W. Purbo, whose name was defamed when the hacker who attacked one of our hosting accounts sent e-mail in his name.
According to our logs, the account runs the Joomla CMS and was compromised around 31 March 2012. The spam e-mail, as reported on the mailing list, started being sent on 23 June 2013 at around 19:17 WIB. The hacker used the previously compromised hosting account to send mail in the name of Mr. Onno W. Purbo's address, onno@indo.net.id.
The following mailing lists were spammed by the hacker:
- asosiasi-warnet@yahoogroups.com
- orari-news@yahoogroups.com
- indowli@yahoogroups.com
- telematika@yahoogroups.com
- mastel-anggota@yahoogroups.com
The access log for the hacked file shows it was probably operated through a proxy IP in China, as seen in the following entries:
221.7.11.23 - - [23/Jun/2013:19:17:09 +0700] "GET http://kp**-kuning*****.go.id/includes/joomla.php HTTP/1.1" 200 3513 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
221.7.11.23 - - [23/Jun/2013:19:19:00 +0700] "POST http://kp**-kuning*****.go.id/includes/joomla.php HTTP/1.1" 200 3431 "http://kp**-kuning*****.go.id/includes/joomla.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
221.7.11.23 - - [23/Jun/2013:19:19:13 +0700] "POST http://kp**-kuning*****.go.id/includes/joomla.php HTTP/1.1" 200 5242 "http://kp**-kuning*****.go.id/includes/joomla.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
221.7.11.23 - - [23/Jun/2013:19:19:18 +0700] "POST http://kp**-kuning*****.go.id/includes/joomla.php HTTP/1.1" 200 3492 "http://kp**-kuning*****.go.id/includes/joomla.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
whois 221.7.11.23
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-6]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 221.7.11.0 - 221.7.11.31
netname: Gegraphical-co
country: cn
descr: Geographical Engineering Co.
descr: Urumqi
admin-c: WF116-AP
tech-c: WF116-AP
status: ASSIGNED NON-PORTABLE
changed: wangfj@xjcnc.net 20040814
mnt-by: MAINT-CNCGROUP-XJ
source: APNIC
route: 221.7.0.0/19
descr: CNC Group CHINA169 Xinjiang Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060118
source: APNIC
person: wang fujiang
nic-hdl: WF116-AP
e-mail: apnic@xjcnc.net
address: No.168 Huang He Road
address: Urumqi 830000,China
phone: +86 991 6119981
fax-no: +86 991 6119946
country: cn
changed: apnic@xjcnc.net 20090108
mnt-by: MAINT-CNCGROUP-XJ
source: APNIC
How the spam was sent
It appears to have been executed from a PHP script; the account may have been taken over by someone else, or used by kpudkun1 itself:
2013-06-23 19:13:26 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:13:26 1UqjAc-004Jdw-Os <= onno@indo.net.id U=kpudkun1 P=local S=2324 id=20130623191326.7531.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for asosiasi-warnet@yahoogroups.com
2013-06-23 19:14:47 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:14:47 1UqjBv-004K6R-1T <= onno@indo.net.id U=kpudkun1 P=local S=2309 id=20130623191447.0279.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for orari-news@yahoogroups.com
2013-06-23 19:15:11 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:15:11 1UqjCJ-004K9s-M7 <= onno@indo.net.id U=kpudkun1 P=local S=2300 id=20130623191511.6626.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for indowli@yahoogroups.com
2013-06-23 19:15:50 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:15:51 1UqjCw-004KY9-Sw <= onno@indo.net.id U=kpudkun1 P=local S=2309 id=20130623191550.8739.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for telematika@yahoogroups.com
2013-06-23 19:16:25 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:16:26 1UqjDV-004KeA-Vl <= onno@indo.net.id U=kpudkun1 P=local S=2309 id=20130623191625.9609.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for telematika@yahoogroups.com
2013-06-23 19:16:39 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:16:40 1UqjDj-004Khb-Vv <= onno@indo.net.id U=kpudkun1 P=local S=2321 id=20130623191639.9656.onno@indo.net.id T="TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!" for mastel-anggota@yahoogroups.com
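Detection logic for the pattern in the Exim log above, as an added example that is not part of the original post: it pairs each "cwd=... args:" record with the following "<=" acceptance record and flags local submissions made from a web-served directory with an envelope sender domain the account does not own. The allowed-domain mapping, the web directory name and the third (legitimate) sample record are assumptions for the example.

```python
import re

# Exim mainlog records as quoted in the report: a "cwd=... args:" line per local
# sendmail invocation, then the "<=" acceptance line for the same message.
ARGS_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$")
RECV_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) U=(\S+) P=local .*? for (\S+)$")

# Domains each account may use as envelope sender, and the web-served path
# component: both are assumptions for this example, not IDwebhost configuration.
ALLOWED_SENDER_DOMAINS = {"kpudkun1": {"kpud-kuningankab.go.id"}}
WEB_DIRS = ("public_html",)

# Constructed sample: two records modelled on the report plus one legitimate one.
SAMPLE_LOG = """\
2013-06-23 19:13:26 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:13:26 1UqjAc-004Jdw-Os <= onno@indo.net.id U=kpudkun1 P=local S=2324 id=20130623191326.7531.onno@indo.net.id T="(subject omitted)" for asosiasi-warnet@yahoogroups.com
2013-06-23 19:14:47 cwd=/home/kpudkun1/public_html/includes 4 args: /usr/sbin/sendmail -t -i -fonno@indo.net.id
2013-06-23 19:14:47 1UqjBv-004K6R-1T <= onno@indo.net.id U=kpudkun1 P=local S=2309 id=20130623191447.0279.onno@indo.net.id T="(subject omitted)" for orari-news@yahoogroups.com
2013-06-23 20:05:10 cwd=/home/kpudkun1 3 args: /usr/sbin/sendmail -t -i
2013-06-23 20:05:10 1UqkAA-000000-AA <= webmaster@kpud-kuningankab.go.id U=kpudkun1 P=local S=900 id=constructed@example.invalid T="(constructed)" for staff@example.invalid
"""

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def analyze_exim_log(log_text, allowed=ALLOWED_SENDER_DOMAINS, web_dirs=WEB_DIRS):
    """One finding per accepted local message; 'reasons' is empty when it looks normal.
    'sendmail_from_webroot': sendmail was run from a web-served directory (a PHP
    script, as in the report); 'forged_envelope_sender': the -f sender's domain is
    not one the submitting account owns."""
    findings, pending = [], None  # pending: last invocation not yet matched to "<="
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            pending = {"cwd": m.group(2), "args": m.group(3)}
            continue
        m = RECV_RE.match(line)
        if not m:
            continue
        ts, msg_id, sender, user, rcpt = m.groups()
        cwd = pending["cwd"] if pending else ""
        reasons = []
        if any(part in web_dirs for part in cwd.split("/")):
            reasons.append("sendmail_from_webroot")
        if sender_domain(sender) not in allowed.get(user, set()):
            reasons.append("forged_envelope_sender")
        findings.append({"time": ts, "id": msg_id, "user": user, "sender": sender,
                         "recipient": rcpt, "cwd": cwd, "reasons": reasons})
        pending = None
    return findings
```

Run over a full mainlog, a burst of findings with both reasons for one account is the signal that a web script on that account is injecting mail with a forged sender.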
Information from the e-mail headers
The e-mail headers show the message came from kpudkun1 on the bantulan.idwebhost.com host:
Received: from [98.137.0.80] by ng15.bullet.mail.gq1.yahoo.com with NNFMP; 23 Jun 2013 12:13:30 -0000
Received: from [10.193.39.27] by tg1.bullet.mail.gq1.yahoo.com with NNFMP; 23 Jun 2013 12:13:29 -0000
X-Yahoo-Newman-Id: 516887-m122712
X-Sender: onno@indo.net.id
X-Apparently-To: asosiasi-warnet@yahoogroups.com
X-Received: (qmail 79079 invoked by uid 102); 23 Jun 2013 12:13:28 -0000
X-Received: from unknown (HELO mtaq3.grp.bf1.yahoo.com) (10.193.84.142) by m10.grp.bf1.yahoo.com with SMTP; 23 Jun 2013 12:13:28 -0000
X-Received: (qmail 26718 invoked from network); 23 Jun 2013 12:13:28 -0000
X-Received: from unknown (HELO bantulan.idwebhost.com) (202.52.146.40) by mtaq3.grp.bf1.yahoo.com with SMTP; 23 Jun 2013 12:13:28 -0000
X-Received: from kpudkun1 by bantulan.idwebhost.com with local (Exim 4.80.1) (envelope-from <onno@indo.net.id>) id 1UqjAc-004Jdw-Os for asosiasi-warnet@yahoogroups.com; Sun, 23 Jun 2013 19:13:26 +0700
To: =?ISO-8859-1?q?asosiasi-warnet=40yahoogroups.com?= <asosiasi-warnet@yahoogroups.com>
Errors-To: Onno W. Purbo <onno@indo.net.id>
Message-ID: <20130623191326.7531.onno@indo.net.id>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - bantulan.idwebhost.com
X-AntiAbuse: Original Domain - yahoogroups.com
X-AntiAbuse: Originator/Caller UID/GID - [1120 1113] / [47 12]
X-AntiAbuse: Sender Address Domain - indo.net.id
X-Get-Message-Sender-Via: bantulan.idwebhost.com: authenticated_id: kpudkun1/only user confirmed/virtual account not confirmed
X-Originating-IP: 10.193.84.142
X-eGroups-Msg-Info: 1:12:0:0:0
From: Onno W. Purbo <onno@indo.net.id>
X-Yahoo-Profile: onnowpurbo
Sender: asosiasi-warnet@yahoogroups.com
MIME-Version: 1.0
Mailing-List: list asosiasi-warnet@yahoogroups.com; contact asosiasi-warnet-owner@yahoogroups.com
Delivered-To: mailing list asosiasi-warnet@yahoogroups.com
List-Id: <asosiasi-warnet.yahoogroups.com>
Precedence: bulk
List-Unsubscribe: <mailto:asosiasi-warnet-unsubscribe@yahoogroups.com>
Date: Sun, 23 Jun 2013 19:13:26 +0700
Subject: [asosiasi-warnet] TERKUTUKLAH SUSILO BAMBANG YUDHOYONO! PRESIDEN INDONESIA JANCOK!
Reply-To: asosiasi-warnet@yahoogroups.com
X-Yahoo-Newman-Property: groups-email-tradt-m
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Tests: multi.surbl.org:OK
Status: RO
X-Status: A
X-Keywords: