Please analyse the following .htaccess file

Discussion in 'Masalah Teknik dan Keamanan' started by xphones, 11 May 2012.

  1. xphones (Expert 1.0)

    A few days ago I noticed that the front end of one of my clients' sites contained an iframe and injected JavaScript that looked like it had been inserted by an outsider.

    I found strange lines of code like the following.

    Code:
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} (GET) [NC]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)https(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)https%3a(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)http(%3A|:)(/|%2F){2}(.*)$ [NC]
    RewriteRule (.*) /huwad/blocker/blocker1.php   [L]
    
    RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
    RewriteCond %{QUERY_STRING} ^(.*)(%20SELECT%20|%20INSERT%20|CHAR\(|%20UPDATE%20|%20REPLACE%20)(.*)$ [NC]
    RewriteRule (.*) /huwad/blocker/blocker1.php   [L]
    
    RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
    RewriteCond %{QUERY_STRING} ^(.*)(%3C|<)/?script(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)?javascript(%3A|:)(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)document\.location\.href(.*)$ [OR]
    
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)http%3a(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)ftp(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)ht%20tp(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)htt%20p(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)http%20(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)h%20ttp(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    
    RewriteCond %{QUERY_STRING} ^(.*)base64_encode(.*)$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)GLOBALS(=|[|%[0-9A-Z]{0,2})(.*)$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)_REQUEST(=|[|%[0-9A-Z]{0,2})(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)_vti(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)MSOffice(.*)$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)/etc/passwd(.*)$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)//(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)ShellAdresi.TXT(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)\[evil_root\]?(.*)$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)\.\./\.\./\.\./(.*)$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)/proc/self/environ(.*)$
    RewriteRule (.*) /huwad/blocker/blocker1.php   [L]
    
    RewriteCond %{HTTP_USER_AGENT} @nonymouse|ADSARobot|amzn_assoc|Anarchie|ASPSeek|Atomz|^[^?]*addresses\.com|Advanced\ Email\ Extractor|ah-ha|aktuelles|almaden|Art-Online|AspiWeb|ASSORT|ATHENS|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|big.brother|BlackWidow|bmclient|Boston\ Project|Bot\ mailto:(INISAYASMARKAN)@yahoo.com|BravoBrian\ SpiderEngine\ MarcoPolo|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Crescent\ Internet\ ToolPack|cURL|Custo|cyberalert|Deweb|diagem|Digger|Digimarc|DIIbot|DirectUpdate|DISCo|Download\ Accelerator|Download\ Demon|Download\ Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|echo\ extense|ecollector|efp@gmx\.net|EirGrabber|EmailCollector|Email\ Extractor|EmailSiphon|EmailWolf|Express\ WebPictures|ExtractorPro|EyeNetIE|fastlwspider|FavOrg|Favorites\ Sweeper|Fetch\ API\ Request|FEZhead|FileHound|FlashGet|FlickBot|fluffy|frontpage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go!Zilla|Go-Ahead-Got-It|GornKer|Grabber|GrabNet|Grafula|Green\ Research|Harvest|hhjhj@yahoo|hloader|HMView|HomePageSearch|HTTP\ agent|HTTPConnect|httpdown|http\ generic|HTTrack|^[^?]*iaea\.org|IBM_Planetwide|^[^?]*\.ideography\.co\.uk|Image\ Stripper|Image\ Sucker|imagefetch|IncyWincy|Indy\ Library|informant|Ingelin|InterGET|Internet\ Ninja|InternetLinkAgent|InternetSeer\.com|Iria|Irvine|iOpus|IPiumBot\ laurion(dot)com|Jakarta|JBH*Agent|JetCar|JustView|Kapere|KWebGet|Lachesis|larbin|LeechFTP|LexiBot|lftp|libwww|likse|Link*Sleuth|LINKS\ ARoMATIZED|LinkWalker|LWP|lwp-trivial|Magnet|Mac\ Finder|Mag-Net|Mass\ Downloader|MemoWeb|MCspider|Microsoft\ URL\ Control|MIDown\ tool|minibot\(NaverRobot\)|Mirror|Missigua\ Locator|Mister\ PiX|MMMtoCrawl\/UrlDispatcherLLL|MSProxy|multithreaddb|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|netfactual|netcraft|NetMechanic|netprospector|NetResearchServer|NetSpider|Net\ Vampire|NetZIP|NEWT|nicerspro|NPBot|Octopus|Offline\ Explorer|Offline\ Navigator|OpaL|Openfind|OpenTextSiteCrawler|OutWit|PackRat|PageGrabber|Papa\ Foto|pavuk|pcBrowser|PersonaPilot|PingALink|Pockey|Program\ Shareware|psbot|PSurf|puf|Pump|PushSite|QRVA|QuepasaCreep|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|SearchExpress|searchhippo|searchterms\.it|Second\ Street\ Research|Shai|sitecheck|SiteMapper|SiteSnagger|SlySearch|SmartDownload|snagger|SpaceBison|Spegla|SpiderBot|SqWorm|Star\ Downloader|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport\ Pro|Telesoft|Templeton|traffixer|TrueRobot|TuringOS|TurnitinBot|TV33_Mercator|UIowaCrawler|URL_Spider_Pro|UtilMind|Vacuum|vagabondo|vayala|visibilitygap|vobsub|VoidEYE|vspider|w3mir|web\.by\.mail|Web\ Data\ Extractor|Web\ Downloader|Web\ Image\ Collector|Web\ Sucker|WebAuto|webbandit|Webclipping|webcollector|webcollage|WebCopier|webcraft@bea|WebDAV|webdevil|webdownloader|Webdup|WebEmailExtractor|WebFetch|WebGo\ IS|WebHook|Webinator|WebLeacher|WebMiner|WebMirror|webmole|WebReaper|WebSauger|WEBsaver|Website\ eXtractor|Website\ Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|Wget|whizbang|WhosTalking|Widow|WISEbot|WUMPUS|Wweb|WWWOFFLE|Wysigot|Xaldon\ WebSpider|XGET|x-Tractor|Zeus.* [OR]
    RewriteCond %{HTTP_REFERER} ^XXX
    RewriteRule  (.*)  /huwad/blocker/blocker2.php  [L]
    
    RewriteEngine On
    RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
    RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
    RewriteCond %{QUERY_STRING} ^(.*)=/home(.+)?/(.*)/(.*)$ [OR]
    RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR]
    RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR]
    RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR]
    RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR]
    RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR]
    RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR]
    RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|mkdir|rmdir|pwd|clear|whoami|uname|tar|zip|unzip|tar|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$
    RewriteRule  (.*)  /huwad/blocker/blocker3.php  [L]
    What is certain is that these lines are nothing like the default .htaccess of the script that site runs on.
    So what could be behind this .htaccess file?
     
  2. jaapns (Hosting Guru, Web Hosting)

    Looks like the site is being used as an Amazon-style autoblog, pulling in products.
     
  3. vkios01 (Expert 1.0)

    Everything points to these files, right? /huwad/blocker/blocker1 through 3.php
    What is in those files? It looks like when a particular action occurs, the log is sent to that file.
    For example, there is one for the request method...
     
  4. lutfiutama (Apprentice 1.0)

  5. xphones (Expert 1.0)

    Whoa... I looked further into the target folder and files from the .htaccess above, and it turns out they contain lots of logs of SQL injectors and so on... What is going on here? Was the client compromised, or did they deliberately install these strange scripts themselves...
     
  6. lutfiutama (Apprentice 1.0)

    Compromised :D

    Just tell them to reinstall WordPress; when it is like that, it is hard to fix no matter what you do.
    The attacker has already seen the hole.
     
  7. JOGLOMedia (Poster 1.0)

    Tell the client right away to remove that code and reinstall WordPress :)
     
  8. bantuemak (Banned!)

    As far as I know that is a security .htaccess, not a compromise :D

    For example this section:

    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)https(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)https%3a(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)http(%3A|:)(/|%2F){2}(.*)$ [NC]

    The function of the lines above is to lock the website down so it does not get SQL injected; if someone accesses it that way, they are thrown to RewriteRule (.*) /huwad/blocker/blocker1.php [L], i.e. to the file blocker1.php.
     
  9. BolaNaga (Apprentice 1.0)

    There is certainly nothing wrong with that .htaccess code; it is there to protect their site :D
    If anyone tries to inject the database, or tries to access important files on the hosting, they all get kicked to the file in the /huwad/blocker/ subdirectory :D
    If you want to know more clearly what the .htaccess code above is for, drop by here:
    http://www.askapache.com/htaccess/htaccess.html
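To make concrete what the query-string rules quoted in posts 1, 8 and 9 actually do, here is an added Python example that is not from the thread and not part of the site's .htaccess. It replays the three query-string condition groups that send requests to blocker1.php against constructed sample requests, so a defender can see which requests are thrown to the blocker and which pass through untouched. The patterns are copied verbatim from the posted file; the rule-set labels, the sample requests and the evaluate/report helpers are my own assumptions, and the user-agent and REQUEST_URI conditions are not modelled.

```python
import re

# Added example: simulator for the query-string RewriteCond groups in the posted
# .htaccess. Patterns are copied from the file; labels are my own.

IGNORECASE = re.IGNORECASE   # Apache's [NC] flag
CASE_SENSITIVE = 0           # a condition written without [NC]

# (label, methods the group applies to, [(pattern, flags), ...])
# Within a group the conditions are chained with [OR], as in the file, and the
# REQUEST_METHOD condition is ANDed in front of them.
RULESETS = [
    ("blocker1: remote URL in query string", {"GET"}, [
        (r"^(.*)(%3D|=|%3A|%09)https(%3A|:)(/|%2F){2}(.*)$", IGNORECASE),
        (r"^(.*)(%3D|=|%3A|%09)https%3a(%3A|:)(/|%2F){2}(.*)$", IGNORECASE),
        (r"^(.*)(%3D|=|%3A|%09)http(%3A|:)(/|%2F){2}(.*)$", IGNORECASE),
    ]),
    ("blocker1: SQL keyword", {"GET", "POST"}, [
        (r"^(.*)(%20SELECT%20|%20INSERT%20|CHAR\(|%20UPDATE%20|%20REPLACE%20)(.*)$",
         IGNORECASE),
    ]),
    ("blocker1: script tag", {"GET", "POST"}, [
        (r"^(.*)(%3C|<)/?script(.*)$", IGNORECASE),
        (r"^(.*)(%3D|=)?javascript(%3A|:)(.*)$", IGNORECASE),
        (r"^(.*)document\.location\.href(.*)$", CASE_SENSITIVE),
    ]),
]


def evaluate(method, raw_query_string):
    """Return the label of the first rule group that would fire, or None.

    mod_rewrite tests %{QUERY_STRING} exactly as it arrived on the wire, without
    URL-decoding it. That is why the file spells out "%3D|=" and similar pairs:
    every encoding of the same character has to be listed by hand, and any
    spelling the author did not anticipate is simply not matched.
    """
    for label, methods, conditions in RULESETS:
        if method.upper() not in methods:
            continue
        if any(re.search(pattern, raw_query_string, flags)
               for pattern, flags in conditions):
            return label
    return None


# Constructed sample requests (not taken from the thread's logs).
SAMPLES = [
    ("GET",  "page=1"),
    ("GET",  "return_to=https://example.com/"),    # legitimate value, but blocked
    ("POST", "return_to=https://example.com/"),    # same value; POST is not checked
    ("POST", "id=1%20UNION%20SELECT%201"),
    ("GET",  "id=1+UNION+SELECT+1"),               # spaces encoded as '+': not matched
    ("GET",  "q=%3Cscript%3Ealert(1)%3C/script%3E"),
]


def report(samples=SAMPLES):
    """Evaluate each sample and return a list of (method, query, outcome)."""
    return [(m, q, evaluate(m, q) or "passes through") for m, q in samples]


if __name__ == "__main__":
    for method, query, outcome in report():
        print(f"{method:4} ?{query:45} -> {outcome}")
```

Running it shows two things the thread's replies gloss over: a harmless `return_to=https://...` parameter on a GET is thrown to blocker1.php (so expect breakage on any application that passes URLs in query strings), and the same SQL text with spaces encoded as `+` instead of `%20` is not caught at all. Rules like these are useful as noise reduction and as the log source the original poster found in /huwad/blocker/, not as a replacement for parameterised queries and a patched WordPress. The patterns use only regex features shared by PCRE and Python's re module, so the simulation is faithful for these inputs.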
     
  10. xphones (Expert 1.0)

    Thanks for all the input. After looking further yesterday, it seems what mas bantuemak and mas bolanaga said is right: the huwad file in question actually exists to fortify that site.
    Looking at the logs stored there is scary... it turns out a lot of people are trying to mess with that client's site...

    Seems like a pretty good file :)
     