Anyone who follows this blog will have noticed my earlier post about the hacker attack through FTP. It has happened again. Judging by the hackers' IP, this time the attack came from India. That IP may genuinely be the hackers', or the hackers may have been using a proxy. Either way, the damage this time is worse. Worse than Hurulaini.net.
I had to reset the hosting and upload everything again. Truly sad.
I don't know how the hackers managed to sniff the password. Even after the password was changed it still got hacked. The last resort was to reset the hosting and use https to log in to cPanel.
cPanel login
218.248.69.30 - inertz [08/11/2009:05:45:12 -0000] "GET /frontend/x3/images/delete.jpg HTTP/1.1" 200 0 "http://inertz.org:2082/frontend/x3/cron/advcron.html?" "Opera/9.62 (Windows NT 5.1; U; en) Presto/2.1.1"
218.248.69.30 - inertz [08/11/2009:05:45:15 -0000] "GET /cPanel_magic_revision_96249075938.833/frontend/x3/branding/icon_sprites_img_scale_60percent.png HTTP/1.1" 200 0 "http://inertz.org:2082/frontend/x3/cron/advcron.html?" "Opera/9.62 (Windows NT 5.1; U; en) Presto/2.1.1"
218.248.69.23 - inertz [08/10/2009:01:57:37 -0000] "POST /frontend/x3/cron/editcron.html HTTP/1.1" 200 0 "http://inertz.org:2082/frontend/x3/cron/advcron.html?" "Opera/9.62 (Windows NT 5.1; U; en) Presto/2.1.1"
218.248.69.23 - inertz [08/10/2009:01:57:41 -0000] "GET /frontend/x3/cron/index.html HTTP/1.1" 200 0 "http://inertz.org:2082/frontend/x3/cron/editcron.html" "Opera/9.62 (Windows NT 5.1; U; en) Presto/2.1.1"
218.248.69.33 - inertz [08/08/2009:16:04:29 -0000] "GET /frontend/x3/cron/index.html HTTP/1.1" 200 0 "http://inertz.org:2082/frontend/x3/cron/editcron.html" "Opera/9.62 (Windows NT 5.1; U; en) Presto/2.1.1"
218.248.69.33 - inertz [08/08/2009:16:04:35 -0000] "GET /frontend/x3/cron/advcron.html? HTTP/1.1" 200 0 "http://inertz.org:2082/frontend/x3/cron/index.html" "Opera/9.62 (Windows NT 5.1; U; en) Presto/2.1.1"
FTP login
Aug 9 12:50:59 svr pure-ftpd: (?@218.248.69.31) [INFO] inertz is now logged in
Aug 9 12:51:55 svr pure-ftpd: (inertz@218.248.69.31) [NOTICE] /home/inertz//session/Cookies/7874490 uploaded (236 bytes, 0.32KB/sec)
Aug 9 12:51:59 svr pure-ftpd: (inertz@218.248.69.31) [NOTICE] /home/inertz//session/Cookies/145987 uploaded (236 bytes, 0.23KB/sec)
Aug 9 12:52:17 svr pure-ftpd: (inertz@218.248.69.31) [INFO] Logout.
Aug 9 19:18:11 svr pure-ftpd: (?@218.248.69.31) [INFO] inertz is now logged in
Aug 9 19:18:44 svr pure-ftpd: (inertz@218.248.69.31) [NOTICE] /home/inertz//session/Cookies/10065454 uploaded (236 bytes, 0.32KB/sec)
Aug 9 19:18:48 svr pure-ftpd: (inertz@218.248.69.31) [NOTICE] /home/inertz//session/Cookies/10100112 uploaded (236 bytes, 0.30KB/sec)
Aug 9 19:34:02 svr pure-ftpd: (inertz@218.248.69.31) [INFO] Timeout - try typing a little faster next time
Aug 9 19:38:55 svr pure-ftpd: (?@218.248.69.31) [INFO] inertz is now logged in
Aug 9 19:39:07 svr pure-ftpd: (inertz@218.248.69.31) [INFO] Logout.
Aug 9 20:25:55 svr pure-ftpd: (?@218.248.69.31) [INFO] inertz is now logged in
Aug 9 20:26:41 svr pure-ftpd: (inertz@218.248.69.31) [NOTICE] /home/inertz//session/Cookies/hondaclub uploaded (236 bytes, 0.27KB/sec)
Aug 9 20:30:36 svr pure-ftpd: (inertz@218.248.69.31) [INFO] Logout.
Aug 10 10:31:49 svr pure-ftpd: (inertz@218.248.69.23) [NOTICE] Deleted Internet_tips.rar.64
Aug 10 10:31:49 svr pure-ftpd: (inertz@218.248.69.23) [NOTICE] Deleted anti_spam.rar.64
Aug 10 10:31:50 svr pure-ftpd: (inertz@218.248.69.23) [NOTICE] Deleted black.mp3.180
Aug 10 19:27:10 svr pure-ftpd: (inertz@218.248.69.24) [NOTICE] Deleted 8050140
Aug 10 19:31:36 svr pure-ftpd: (inertz@218.248.69.24) [NOTICE] /home/inertz//session/Cookies/6162540 uploaded (204 bytes, 0.26KB/sec)
Aug 10 19:31:40 svr pure-ftpd: (inertz@218.248.69.24) [NOTICE] /home/inertz//session/Cookies/8050140 uploaded (204 bytes, 0.19KB/sec)
The final moments before the hackers were blocked.
Aug 11 13:20:51 svr pure-ftpd: (?@218.248.69.30) [INFO] New connection from 218.248.69.30
Aug 11 13:21:10 svr pure-ftpd: (?@218.248.69.30) [INFO] New connection from 218.248.69.30
Aug 11 13:27:15 svr pure-ftpd: (?@218.248.69.30) [INFO] New connection from 218.248.69.30
Aug 11 13:27:16 svr pure-ftpd: (?@218.248.69.30) [WARNING] Authentication failed for user [inertz]
Aug 11 13:27:21 svr pure-ftpd: (?@218.248.69.30) [INFO] Logout.
Aug 11 13:27:25 svr pure-ftpd: (?@218.248.69.30) [INFO] New connection from 218.248.69.30
Aug 11 13:27:26 svr pure-ftpd: (?@218.248.69.30) [WARNING] Authentication failed for user [inertz]
Aug 11 13:27:31 svr pure-ftpd: (?@218.248.69.30) [INFO] Logout.
Aug 11 13:28:12 svr pure-ftpd: (?@218.248.69.30) [INFO] New connection from 218.248.69.30
Aug 11 13:28:16 svr pure-ftpd: (?@218.248.69.30) [WARNING] Authentication failed for user [inertz]
Aug 11 13:28:21 svr pure-ftpd: (?@218.248.69.30) [INFO] Logout.
Aug 11 13:28:46 svr pure-ftpd: (?@218.248.69.30) [INFO] New connection from 218.248.69.30
Aug 11 13:28:47 svr pure-ftpd: (?@218.248.69.30) [WARNING] Authentication failed for user [inertz]
Aug 11 13:28:52 svr pure-ftpd: (?@218.248.69.30) [INFO] Logout.
Aug 11 13:29:07 svr pure-ftpd: (?@218.248.69.30) [INFO] New connection from 218.248.69.30
Aug 11 13:29:09 svr pure-ftpd: (?@218.248.69.30) [WARNING] Authentication failed for user [inertz]
Aug 11 13:29:12 svr pure-ftpd: (?@218.248.69.30) [INFO] Logout.
Aug 11 13:42:38 svr pure-ftpd: (?@218.248.69.30) [INFO] New connection from 218.248.69.30
Aug 11 13:42:40 svr pure-ftpd: (?@218.248.69.30) [WARNING] Authentication failed for user [tested]
Aug 11 13:42:44 svr pure-ftpd: (?@218.248.69.30) [INFO] Logout.
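The pure-ftpd lines above carry the whole story of this intrusion: logins from several addresses in one /24, small files written under session/Cookies, deletions, and finally a burst of failed logins for "inertz" and then "tested" once the password had been changed. Reading them by hand works once; the following Python script is an added example (not code from this post or from pure-ftpd) that parses this log format, groups activity by source address and /24, and raises three kinds of finding a site owner would want: repeated authentication failures from one network inside a short window, a successful login from a network that had just failed, and uploads into watched directories or deletions. The sample log, the documentation-range addresses, the watched directories, the year, the 15-minute window and the threshold of 3 are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the pure-ftpd lines quoted in the post.
# Addresses come from documentation ranges and are not the ones on the page.
SAMPLE_LOG = """\
Aug  9 12:50:59 svr pure-ftpd: (?@203.0.113.31) [INFO] inertz is now logged in
Aug  9 12:51:55 svr pure-ftpd: (inertz@203.0.113.31) [NOTICE] /home/inertz//session/Cookies/7874490 uploaded (236 bytes, 0.32KB/sec)
Aug  9 12:52:17 svr pure-ftpd: (inertz@203.0.113.31) [INFO] Logout.
Aug 10 10:31:49 svr pure-ftpd: (inertz@203.0.113.23) [NOTICE] Deleted anti_spam.rar.64
Aug 10 10:31:50 svr pure-ftpd: (inertz@203.0.113.23) [NOTICE] Deleted black.mp3.180
Aug 11 13:27:16 svr pure-ftpd: (?@203.0.113.30) [WARNING] Authentication failed for user [inertz]
Aug 11 13:27:26 svr pure-ftpd: (?@203.0.113.30) [WARNING] Authentication failed for user [inertz]
Aug 11 13:28:16 svr pure-ftpd: (?@203.0.113.30) [WARNING] Authentication failed for user [inertz]
Aug 11 13:42:40 svr pure-ftpd: (?@203.0.113.30) [WARNING] Authentication failed for user [tested]
Aug 11 14:05:00 svr pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [inertz]
Aug 11 14:06:00 svr pure-ftpd: (?@198.51.100.7) [INFO] inertz is now logged in
Aug 11 14:06:30 svr pure-ftpd: (inertz@198.51.100.7) [NOTICE] /home/inertz//public_html/index.php uploaded (2048 bytes, 3.10KB/sec)
"""

LOG_YEAR = 2009  # assumption: syslog timestamps carry no year

# "Mon  D HH:MM:SS host pure-ftpd: (user@ip) [LEVEL] message"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@]*)@(?P<ip>[\d.]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded \((?P<bytes>\d+) bytes")
AUTHFAIL_RE = re.compile(r"^Authentication failed for user \[(?P<user>[^\]]*)\]")
DELETE_RE = re.compile(r"^Deleted (?P<name>.+)$")
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")

FAIL_THRESHOLD = 3                    # assumption: failures that count as a burst
FAIL_WINDOW = timedelta(minutes=15)   # assumption: window for that burst
WATCH_DIRS = ("/session/", "/public_html/")  # assumption: directories worth alerting on


def parse_line(line):
    """Turn one pure-ftpd syslog line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    ev = {"ts": ts, "ip": m["ip"], "user": m["user"], "kind": "other", "detail": msg}
    if (up := UPLOAD_RE.match(msg)):
        ev.update(kind="upload", detail=up["path"])
    elif (af := AUTHFAIL_RE.match(msg)):
        ev.update(kind="auth_fail", user=af["user"])
    elif (de := DELETE_RE.match(msg)):
        ev.update(kind="delete", detail=de["name"])
    elif (lg := LOGIN_RE.match(msg)):
        ev.update(kind="login", user=lg["user"])
    elif msg == "Logout.":
        ev["kind"] = "logout"
    return ev


def parse_log(text):
    """Parse every recognisable line; lines that do not match are skipped, not guessed."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def subnet24(ip):
    """Key for grouping neighbouring source addresses, e.g. 203.0.113.30 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def analyse(events):
    """Return (rule, where, detail) findings over a list of parsed events."""
    findings = []
    fails_by_net = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth_fail":
            fails_by_net[subnet24(ev["ip"])].append(ev["ts"])
    # Rule 1: FAIL_THRESHOLD failures from one /24 inside FAIL_WINDOW (password guessing).
    for net, times in fails_by_net.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                findings.append(("brute_force", net, f"{FAIL_THRESHOLD}+ failed logins within {FAIL_WINDOW}"))
                break
    # Rule 2: a login that follows earlier failures from the same /24 (guessing that worked).
    for ev in events:
        if ev["kind"] == "login" and any(t < ev["ts"] for t in fails_by_net.get(subnet24(ev["ip"]), [])):
            findings.append(("login_after_failures", ev["ip"], ev["user"]))
    # Rule 3: writes into watched directories, and any deletion.
    for ev in events:
        if ev["kind"] == "upload" and any(d in ev["detail"] for d in WATCH_DIRS):
            findings.append(("write_to_watched_dir", ev["ip"], ev["detail"]))
        elif ev["kind"] == "delete":
            findings.append(("delete", ev["ip"], ev["detail"]))
    return findings


def summarize(events):
    """Per-source-IP count of each event kind, for a quick overview before reading findings."""
    per_ip = defaultdict(Counter)
    for ev in events:
        per_ip[ev["ip"]][ev["kind"]] += 1
    return per_ip


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, counts in summarize(evs).items():
        print(ip, dict(counts))
    for rule, where, what in analyse(evs):
        print(f"{rule:22} {where:18} {what}")
```

Grouping by /24 rather than by exact address is the design choice that matters here: the addresses in this post differ only in the last octet, so per-IP thresholds would never fire. The same idea applies to the cPanel access log shown earlier, where a POST to the cron editor would be the line to alert on, but that log is in a different format and needs its own parser.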
Hacker IP information
root@svr [~]# whois 218.248.69.30
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms   http://www.apnic.net/db/dbcopyright.html

inetnum:      218.248.0.0 - 218.248.255.255
netname:      BSNLNET
descr:        National Internet Backbone
descr:        Bharat Sanchar Nigam Limited
descr:        Sanchar Bhawan, 20, Ashoka Road, New Delhi-110001, India
country:      IN
admin-c:      NC83-AP
tech-c:       CDN1-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-IN-DOT
changed:      hostmaster@apnic.net 20011227
status:       ALLOCATED PORTABLE
source:       APNIC

root@svr [~]# whois 218.248.69.23
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-1]
% Whois data copyright terms   http://www.apnic.net/db/dbcopyright.html

inetnum:      218.248.0.0 - 218.248.255.255
netname:      BSNLNET
descr:        National Internet Backbone
descr:        Bharat Sanchar Nigam Limited
descr:        Sanchar Bhawan, 20, Ashoka Road, New Delhi-110001, India
country:      IN
admin-c:      NC83-AP
tech-c:       CDN1-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-IN-DOT
changed:      hostmaster@apnic.net 20011227
status:       ALLOCATED PORTABLE
source:       APNIC

Geolocation lookup of the attacking addresses (Postal Code, Metro Code and Area Code were empty for every row):

Hostname       Country Code  Country Name  Region  Region Name  City       Postal Code  Latitude  Longitude  ISP                         Organization                Metro Code  Area Code
218.248.69.23  IN            India         13      Kerala       Palakkad                10.7725   76.6513    National Internet Backbone  National Internet Backbone
218.248.69.31  IN            India         07      Delhi        New Delhi               28.6000   77.2000    National Internet Backbone  National Internet Backbone
218.248.69.24  IN            India         07      Delhi        New Delhi               28.6000   77.2000    National Internet Backbone  National Internet Backbone
218.248.69.30  IN            India         07      Delhi        New Delhi               28.6000   77.2000    National Internet Backbone  National Internet Backbone