Because of my own carelessness in not checking the extension of files uploaded to Desktop Project, someone managed to upload a PHP file.

Actually, I was already checking uploaded files with the getimagesize function. It turns out the attacker managed to bypass it by putting a PNG file's header at the top of the file, with a PHP script embedded below it, under the name shell.png.php. To getimagesize, shell.png.php is a valid image file. But to Apache, shell.png.php is a PHP script that can easily be executed at any time.

Luckily, Desktop Project has a reporting tool that e-mails me every time a file is uploaded. As soon as I found out, I renamed the script right away, then patched the code. Just out of curiosity I downloaded the Apache access log. Below is a snippet of the log:

ferdhie@homebox:~/Desktop/data/misc$ grep shell accesslog_ferdianto.com_4_15_2007 | awk '{ print $1, $6, $7, $8 }'
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php HTTP/1.1"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=sql&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2Fuploaded%2F 

Hmm, got the IP. Let me look for everything he did, and where he came from while I'm at it.

ferdhie@homebox:~/Desktop/data/misc$ grep 202.92.206.229 accesslog_ferdianto.com_4_15_2007 | awk '{ print $1, $6, $7, $8, $9, $10, $11 }'
202.92.206.229 "GET /demo/desktop/upload.php HTTP/1.1" 200 3938 "http://www.google.co.id/search?hl=id&q=inurl%3Aupload.php+site%3Acom&btnG=Telusuri&meta=cr%3DcountryID"

Turns out it was from good old Google. Continuing the search: after uploading, what did he do next? Meanwhile, estimating how much damage was done.

202.92.206.229 "POST /demo/desktop/upload.php HTTP/1.1" 200 3072 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php HTTP/1.1" 200 8152 /demo/desktop/uploaded/shell.jpg.php?act=sql&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2Fuploaded%2F HTTP/1.1" 200 15736 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php? HTTP/1.1" 200 8152 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=sql&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2Fuploaded%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop&sort=0a HTTP/1.1" 200 7658 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo&sort=0a HTTP/1.1" 200 7441 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2F&sort=0a HTTP/1.1" 200 12625 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php? HTTP/1.1" 200 8152 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2F&sort=0a HTTP/1.1" 200 7658 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2F&sort=0a HTTP/1.1" 200 7441 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2Fdesktop%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 7263 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2Fdemo%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a HTTP/1.1" 200 12965 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2Fpublic_html%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a HTTP/1.1" 200 12965 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=eval&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 13243 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=tools&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 14479 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2Fferdiant%2F&sort=0a"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=tools&d=%2Fhome%2Fferdiant%2F&bind%5Bport%5D=31373&bind%5Bpass%5D=c99&bind%5Bsrc%5D=c99sh_bindport.pl&bindsubmit=Bind HTTP/1.1" 200 14549 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=tools&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=encoder&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 14882 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=tools&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=encoder&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 14882 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=encoder&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=search&d=%2Fhome%2Fferdiant%2F HTTP/1.1" 200 13879 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=encoder&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php? HTTP/1.1" 200 8152 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?act=search&d=%2Fhome%2Fferdiant%2F"
202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php?act=phpinfo HTTP/1.1" 200 49753 "http://ferdianto.com/demo/desktop/uploaded/shell.jpg.php?"

Looks like he was trying out the shell's tools. Let's keep going…

202.92.206.229 "GET /demo/desktop/uploaded/shell.jpg.php HTTP/1.1" 404 2455 "http://ferdianto.com/demo/desktop/index.php?id=18"

Oops, 404, must be because I had already moved the file.
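The grep/awk pass above is the manual version of what a detection rule would do: pick out requests that hit a script inside the upload directory, web-shell-style query parameters such as act=ls or act=eval, a POST to the upload form, and a referer that is a search-engine dork. Here is an added Python example (my own code, not part of the original post or of Desktop Project) that parses Apache combined-format lines and groups those findings per client IP. The sample lines are constructed to mirror the snippet above; the IPs, timestamps and host name are placeholders, and the upload directory path and the set of shell actions are taken from the requests shown on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines modelled on the log excerpt above (placeholder IPs/host/times).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2007:10:00:00 +0700] "GET /demo/desktop/upload.php HTTP/1.1" 200 3938 "http://www.google.co.id/search?hl=id&q=inurl%3Aupload.php+site%3Acom" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2007:10:00:05 +0700] "POST /demo/desktop/upload.php HTTP/1.1" 200 3072 "http://example.com/demo/desktop/upload.php" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2007:10:00:09 +0700] "GET /demo/desktop/uploaded/shell.jpg.php?act=ls&d=%2Fhome%2F&sort=0a HTTP/1.1" 200 12625 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2007:10:00:12 +0700] "GET /demo/desktop/uploaded/shell.jpg.php?act=eval&d=%2Fhome%2F HTTP/1.1" 200 13243 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2007:10:01:00 +0700] "GET /demo/desktop/uploaded/holiday.jpg HTTP/1.1" 200 51234 "http://example.com/demo/desktop/" "Mozilla/5.0"
"""

UPLOAD_DIR = "/demo/desktop/uploaded/"          # directory that must never serve scripts
UPLOAD_FORM = "/demo/desktop/upload.php"         # the form the attacker found via Google
SHELL_ACTIONS = {"ls", "eval", "sql", "tools", "encoder", "search", "phpinfo"}  # act= values seen above


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the set of indicator tags that apply to one parsed request."""
    tags = set()
    url = urlsplit(rec["target"])
    path = url.path.lower()
    query = parse_qs(url.query)

    # A script extension anywhere in the file name, served from the upload directory.
    if path.startswith(UPLOAD_DIR) and ".php" in path[len(UPLOAD_DIR):]:
        tags.add("script-in-upload-dir")
        # Query parameters matching the web shell's own menu (act=ls, act=eval, ...).
        if any(a in SHELL_ACTIONS for a in query.get("act", [])):
            tags.add("webshell-action")

    # A successful upload through the form.
    if rec["method"] == "POST" and url.path == UPLOAD_FORM and rec["status"] == "200":
        tags.add("upload-post")

    # Referer is a search-engine query containing an inurl: dork.
    ref = urlsplit(rec["referer"])
    if "google." in ref.netloc:
        q = " ".join(parse_qs(ref.query).get("q", []))
        if "inurl:" in q.lower():
            tags.add("dork-referer")
    return tags


def scan(log_text):
    """Group flagged requests per client IP: {ip: {"hits": n, "tags": [...]}}."""
    findings = defaultdict(lambda: {"hits": 0, "tags": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings[rec["ip"]]["hits"] += 1
            findings[rec["ip"]]["tags"] |= tags
    return {ip: {"hits": f["hits"], "tags": sorted(f["tags"])} for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, f in scan(SAMPLE_LOG).items():
        print(ip, f["hits"], ", ".join(f["tags"]))
```

Run against a real access log, the output is the same thing the grep on the IP gave above, but it surfaces the IP by itself instead of requiring you to already know the shell's file name; the "script-in-upload-dir" tag alone is enough to alert on, since nothing ending in .php should ever be requested from that directory.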

202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/desktop/index.php HTTP/1.1" 401 430 "http://ferdianto.com/demo/desktop/upload.php"
202.92.206.229 "GET /demo/ HTTP/1.1" 403 594 "-"

Huh, 403? It worked a moment ago, why is it asking for a password now? I had put an httpd auth block on it for a while. (*panic*). Since I felt safe now, I tried checking where he came from. Ping first…

ferdhie@homebox:~/Desktop/data/misc$ ping 202.92.206.229 
PING 202.92.206.229 (202.92.206.229) 56(84) bytes of data.
64 bytes from 202.92.206.229: icmp_seq=1 ttl=50 time=89.5 ms
64 bytes from 202.92.206.229: icmp_seq=2 ttl=50 time=78.2 ms
64 bytes from 202.92.206.229: icmp_seq=3 ttl=50 time=68.0 ms
64 bytes from 202.92.206.229: icmp_seq=4 ttl=50 time=88.8 ms
64 bytes from 202.92.206.229: icmp_seq=5 ttl=50 time=88.6 ms

It responds. Now let's trace it with NMAP. From the httpd log I know he was using Firefox on Windows XP. The full user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3

ferdhie@homebox:~/Desktop/data/misc$ nmap -sS -P0 -A -v 202.92.206.229
TCP/IP fingerprint:
SInfo(V=4.10%P=i686-pc-linux-gnu%D=4/16%Tm=4623A40D%O=-1%C=-1)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Hmm, Linux? This must be a router, since he was accessing the site from Windows earlier, and no ports are open. What else to do... oh right, whois.

ferdhie@homebox:~/Desktop/data/misc$ whois 202.92.206.229
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      202.92.192.0 - 202.92.207.255
netname:      GSMART-ID
descr:        PT. Bukit Mahligai Sentosa
descr:        GSMART.NET - Internet Service Provider
country:      ID
admin-c:      DT116-AP
tech-c:       DT116-AP
mnt-by:       MNT-APJII-ID
mnt-lower:    MAINT-ID-GSMARTNET
changed:      hostmaster@apjii.or.id 20020408
changed:      hostmaster@apjii.or.id 20021231
status:       ALLOCATED PORTABLE
remarks:      spam and abuse report : abuse@apjii.or.id
source:       APNIC

person:       Dirgantara R T
address:      Electrindo Building
address:      6th Floor Kuningan
address:      Jakarta Selatan
country:      ID
phone:        +62-21-5209060
fax-no:       +62-21-5209075
e-mail:       yd1eee@gsmart.net.id
nic-hdl:      DT116-AP
mnt-by:       MAINT-ID-GSMARTNET
changed:      yd1eee@gsmart.net.id 20020408
source:       APNIC

Ah, probably just the ISP. Let me try Googling, who knows. And while Googling, I found a neat URL; here is the cached result:
cached result.

For the Desktop Project patch, I added the validation below:

// $mime is the content type reported for the upload, $dest the destination file name
$mime = strtolower($mime);
// strrchr() returns the LAST extension, so 'shell.png.php' yields '.php'
$ext = strtolower(strrchr($dest, '.'));

$validmime = array('image/jpg', 'image/jpeg', 'image/gif', 'image/png');
$validext = array('.jpg', '.gif', '.png');

// Both the type and the final extension must be on the allowlist
if (!(in_array($mime, $validmime) && in_array($ext, $validext))) {
  seterrmsg("File uploaded is not an image");
  return 0;
}
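To make concrete why the getimagesize check described at the top was bypassable and what the extension allowlist in the patch adds, here is an added Python example; it is my own code, not Desktop Project's PHP, and the file contents it tests are constructed. It sniffs the leading image bytes the way getimagesize would, then applies the patch's rule on the last extension, and goes one step beyond the page by also requiring the sniffed type to match the extension and by assigning a server-generated file name so nothing from the client's name reaches the disk.

```python
import os
import secrets

# Magic-byte prefixes for the image types the patch's allowlist accepts
# (this sniffing stands in for PHP's getimagesize()).
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)

# Last-extension allowlist, each mapped to the content type it must carry.
ALLOWED_EXT = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".gif": "image/gif", ".png": "image/png"}

# Browser-declared MIME values accepted (the patch's list includes the
# non-standard 'image/jpg'). The browser controls this value, so it is only
# a sanity check, never the decision.
VALID_CLAIMED_MIME = {"image/jpg", "image/jpeg", "image/gif", "image/png"}


def sniff_image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return None


def last_extension(filename):
    """'.php' for 'shell.png.php', mirroring strrchr($dest, '.') in the patch."""
    return os.path.splitext(filename)[1].lower()


def validate_upload(filename, data, claimed_mime):
    """Return (accepted, reason). Every check must pass; the order puts the cheapest first."""
    ext = last_extension(filename)
    if ext not in ALLOWED_EXT:
        return (False, f"extension {ext!r} not allowed")
    if claimed_mime.lower() not in VALID_CLAIMED_MIME:
        return (False, f"declared type {claimed_mime!r} not an image")
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return (False, "content does not start with an image header")
    if sniffed != ALLOWED_EXT[ext]:
        return (False, f"content is {sniffed} but extension says {ALLOWED_EXT[ext]}")
    return (True, "ok")


def server_side_name(filename):
    """Random name plus the validated extension: nothing from the client survives."""
    return secrets.token_hex(8) + last_extension(filename)


# Constructed samples: a minimal real PNG start, the same header followed by
# script text (the polyglot described above), and a bare script.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
REAL_PNG = PNG_HEADER + b"\x00\x00\x00\rIHDR" + bytes(20)
POLYGLOT = PNG_HEADER + b"<?php /* constructed: script text after a valid image header */ ?>"
PLAIN_SCRIPT = b"<?php /* constructed */ ?>"

if __name__ == "__main__":
    print("magic-only view of polyglot:", sniff_image_type(POLYGLOT))
    for name, blob, mime in [("shell.png.php", POLYGLOT, "image/png"),
                             ("photo.png", REAL_PNG, "image/png"),
                             ("photo.png", PLAIN_SCRIPT, "image/png")]:
        print(name, validate_upload(name, blob, mime))
```

The first line of output shows the original problem: judged by its header alone, the polyglot is a PNG. The extension rule is what actually stops it, and the server-side rename removes the dependence on how the web server maps file names to handlers.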

Hopefully it's strong enough to hold off hackers who keep getting smarter. Thanks to the hacker who visited Ferdianto.com.