
Incident report 18 09-2013


Bogotá, Colombia Ver 4.0 04-08
GARS

INCIDENT REPORT

Incident No.: IM626153
Report progress No.: FINAL
Event zone: BOGOTA
Event date and time: 18-09-2013
Event reported by: ETB
Resolution date and time: 19-09-2013
Event type: Forensic analysis report
Affected services: Superintendencia de Notariado y Registro

Event description

On 18 September 2013, at around 09:50 AM, it was reported that the web portal had been modified without any work having been carried out on it: www.supernotariado.gov.co

The following evidence image shows that, on opening the client's page, a notice appears stating that the site was attacked:

Progress
Day | Time | Description of progress

1. Evidence collection.

Evidence collection begins with the extraction of the following data:

- Access logs of the attacked sites.
- Error logs of the attacked sites.
- Information on, and copies of, the files uploaded to the portal.
- Information on, and copies of, the files modified in the portal.

2. Case analysis

The access logs for 18 September were reviewed, and the following evidence was found:

    [seguridad@snrportal2 apacheSSL]$ grep POST saccess_log | grep -v ChartSBNR | grep -v 404
    103.6.96.26 - - [18/Sep/2013:00:01:11 -0500] "POST /portalsnr/index.php%3foption=com_jnews%26act=mailing%26task=view%26listid=18%26mailingid=8%26listype=1%26Itemid=999/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226
    103.6.96.26 - - [18/Sep/2013:00:01:14 -0500] "POST /portalsnr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
    103.6.96.26 - - [18/Sep/2013:00:01:14 -0500] "POST /portalsnr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
    188.40.17.97 - - [18/Sep/2013:02:44:17 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
    188.40.17.97 - - [18/Sep/2013:02:44:18 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
    188.40.17.97 - - [18/Sep/2013:02:44:18 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
    188.40.17.97 - - [18/Sep/2013:02:44:18 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
    188.40.17.97 - - [18/Sep/2013:02:44:19 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
    110.45.146.219 - - [18/Sep/2013:02:44:35 -0500] "POST http://210.166.214.92:6667/ HTTP/1.0" 200 88
    188.40.17.97 - - [18/Sep/2013:02:55:44 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
    188.40.17.97 - - [18/Sep/2013:02:55:44 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
    188.40.17.97 - - [18/Sep/2013:02:58:45 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
    188.40.17.97 - - [18/Sep/2013:02:58:45 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
    90.188.238.17 - - [18/Sep/2013:03:21:56 -0500] "POST /portalsnr/index.php?option=com_jnews&act=mailing&task=view&listid=18&mailingid=8&listype=1&amp;Itemid=999/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
    90.188.238.17 - - [18/Sep/2013:03:21:57 -0500] "POST /portalsnr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
    90.188.238.17 - - [18/Sep/2013:03:21:56 -0500] "POST /portalsnr/index.php?option=com_jnews&act=mailing&task=view&listid=18&mailingid=8&listype=1&amp;Itemid=999/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
    90.188.238.17 - - [18/Sep/2013:03:21:56 -0500] "POST /portalsnr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
    77.245.151.239 - - [18/Sep/2013:06:20:08 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
    77.245.151.239 - - [18/Sep/2013:06:20:09 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
    77.245.151.239 - - [18/Sep/2013:06:20:09 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
    77.245.151.239 - - [18/Sep/2013:06:28:15 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
    77.245.151.239 - - [18/Sep/2013:06:28:16 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
    77.245.151.239 - - [18/Sep/2013:06:28:16 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
    31.172.251.234 - - [18/Sep/2013:08:15:31 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200 114934
    81.130.21.114 - - [18/Sep/2013:08:32:26 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200 86351
    81.130.21.114 - - [18/Sep/2013:08:36:57 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200 85764
    81.130.21.114 - - [18/Sep/2013:08:39:42 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200 60158
    188.40.17.97 - - [18/Sep/2013:08:47:31 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
    188.40.17.97 - - [18/Sep/2013:08:47:31 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
    188.40.17.97 - - [18/Sep/2013:08:47:31 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
    188.40.17.97 - - [18/Sep/2013:08:47:32 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
    188.40.17.97 - - [18/Sep/2013:08:47:35 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
    110.45.146.219 - - [18/Sep/2013:08:48:15 -0500] "POST http://210.166.214.92:6667/ HTTP/1.0" 200 88
    134.3.82.219 - - [18/Sep/2013:08:56:41 -0500] "POST /supernotariado/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
    134.3.82.219 - - [18/Sep/2013:08:56:41 -0500] "POST /supernotariado/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
    134.3.82.219 - - [18/Sep/2013:08:56:42 -0500] "POST /supernotariado/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 303 -
    134.3.82.219 - - [18/Sep/2013:08:56:46 -0500] "POST /supernotariado/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
    91.221.0.124 - - [18/Sep/2013:09:12:44 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=default.php HTTP/1.1" 200 54
    118.97.212.185 - - [18/Sep/2013:09:26:38 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php HTTP/1.1" 200 475
    118.97.212.185 - - [18/Sep/2013:09:30:09 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/store.php?act=ls&d=%2Fhtdocs%2Fportalsnr%2F&sort=0a HTTP/1.1" 200 6737
    77.245.151.239 - - [18/Sep/2013:10:05:00 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
    77.245.151.239 - - [18/Sep/2013:10:05:05 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
    77.245.151.239 - - [18/Sep/2013:10:05:19 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52
    77.245.151.239 - - [18/Sep/2013:10:47:03 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=indo.php HTTP/1.1" 200 51
    77.245.151.239 - - [18/Sep/2013:10:47:04 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=botol.php HTTP/1.1" 200 52
    77.245.151.239 - - [18/Sep/2013:10:47:05 -0500] "POST /portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=bokek.php HTTP/1.1" 200 52

The log shows POST requests to the server that reference a file with a .php extension. Opening the URL:

    https://supernotariado.gov.co/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php

shows the interface of a web shell.

A test was performed by uploading a text file named Prueba.txt, requesting the URL:

    supernotariado.gov.co/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=prueba.txt

The response is a message stating that the file is being saved to the path …/tmp-upload-images/prueba.txt. From this it is concluded that the attacker exploited one of the vulnerabilities of a component called ofc_upload_image.php, part of Open Flash Chart, to create the file default.php and gain access to the site in order to install the malicious files. Files created through this component are saved in the path:

    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/*

Access to that path was then reviewed, finding the following evidence:

    stat /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/*
This shows that the files being uploaded to the site through the web shell and the Open Flash Chart vulnerability are stored in this folder. As the evidence shows, the files default.php and prueba.txt are in this folder.

A search for the most recently modified files on the client's site was also carried out, finding the following references:

    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/kliverz.php
    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/bot.php
    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/indo.php
    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/shell.php
    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/menu.php
    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/bokek.php
    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/botis.php
    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/botol.php
    /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php

3. Results and conclusions

The investigation found that the files could be modified through a vulnerability in a component called Open Flash Chart, which was used to create a file that gave access to the site and therefore allowed the attacker to upload malicious files to it.

The Open Flash Chart component is installed at the request of SNR, in compliance with the requirements of the GEL manuals regarding continuous information for citizens.

Based on the validations performed, and since the latest version of the Open Flash Chart component is already installed, the component was blocked, which remedies the vulnerability, and a search is under way for a security patch to protect it.

It is recommended that SNR implement a control over access and uploads to the web portal by its content managers (Gestores), in order to keep a history of all these files. This would allow the installation of antivirus software (tests were performed with the ClamAV antivirus, which detected and removed malicious files) that would scan the newly created files every hour, so that if a vulnerability is exploited and the attacker uploads a malicious file to the server, it can be detected and reported, and action can be taken immediately.

ANNEX 1. INFORMATION ON THE IP ADDRESSES RELATED TO THE ATTACK
  17. 17. Bogotá, Colombia Ver 4.0 04-08 GARS source: RIPE #Filtered % This query was served by the RIPE Database Query Service version 1.68.1 (WHOIS3) 91.221.0.124 % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '91.221.0.0 - 91.221.1.255' inetnum: 91.221.0.0 - 91.221.1.255 netname: E-MORDOVIA descr: SUE of RM "SPC of Informatization and New Technologies" country: RU org: ORG-SIaN1-RIPE admin-c: AI1814-RIPE tech-c: AI1814-RIPE status: ASSIGNED PI mnt-by: RIPE-NCC-END-MNT mnt-lower: RIPE-NCC-END-MNT mnt-by: MNT-INTRM mnt-routes: MNT-INTRM mnt-domains: MNT-INTRM source: RIPE #Filtered organisation: ORG-SIaN1-RIPE org-name: SUE of RM "SPC of Informatization and New Technologies" org-type: OTHER address: Communist str. 13 address: Saransk, 430000, Russia mnt-ref: MNT-INTRM mnt-by: MNT-INTRM source: RIPE #Filtered
  18. 18. Bogotá, Colombia Ver 4.0 04-08 GARS person: Alexander Ilyin address: Communist str. 33 address: Saransk, Russia phone: +7 8342 242276 nic-hdl: AI1814-RIPE source: RIPE #Filtered % Information related to '91.221.0.0/23AS51635' route: 91.221.0.0/23 descr: route object origin: AS51635 mnt-by: MNT-INTRM source: RIPE #Filtered % This query was served by the RIPE Database Query Service version 1.68.1 (WHOIS3) 188.40.17.97 % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '188.40.17.97 - 188.40.17.97' % Abuse contact for '188.40.17.97 - 188.40.17.97' is 'abuse@hetzner.de' inetnum: 188.40.17.97 - 188.40.17.97 netname: GOBIT-SRL descr: Gobit S.r.l. country: DE admin-c: EP4807-RIPE tech-c: EP4807-RIPE status: ASSIGNED PA mnt-by: HOS-GUN source: RIPE #Filtered
  19. 19. Bogotá, Colombia Ver 4.0 04-08 GARS person: Enrica Paoletti address: Gobit S.r.l. address: V.le Lombardia n.30 address: 53042 Chianciano Terme (Siena) address: ITALY phone: +39057863007 fax-no: +39057863007 nic-hdl: EP4807-RIPE mnt-by: HOS-GUN source: RIPE #Filtered % Information related to '188.40.0.0/16AS24940' route: 188.40.0.0/16 descr: HETZNER-RZ-FKS-BLK1 origin: AS24940 org: ORG-HOA1-RIPE mnt-by: HOS-GUN source: RIPE #Filtered organisation: ORG-HOA1-RIPE org-name: Hetzner Online AG org-type: LIR address: Hetzner Online AG address: Attn. Martin Hetzner address: Stuttgarter Str. 1 address: 91710 address: Gunzenhausen address: GERMANY phone: +49 9831 610061 fax-no: +49 9831 610062 admin-c: TF2013-RIPE admin-c: MF1400-RIPE admin-c: GM834-RIPE admin-c: HOAC1-RIPE admin-c: MH375-RIPE admin-c: SK8441-RIPE admin-c: SK2374-RIPE mnt-ref: HOS-GUN mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT abuse-c: HOAC1-RIPE source: RIPE #Filtered
  20. Clean-ups were carried out because of the locks and queuing caused by the processes mentioned. After this, additional work was needed on node 2 to resolve the problem that prevented it from receiving sessions from the applications. Once this was resolved, the application worked correctly.

ACTIONS FOR IMPROVEMENT

Tests need to be carried out in a controlled environment with the support of the vendors, since it was found that when an event on any of the three database nodes affects its normal operation, the application disconnects completely and the service is fully affected. This is not normal behaviour, given that an Oracle RAC is in place.

Current status: Resolved
Event handled by: ETB - INTEK
Approved by (VoBo), Engineer: Luis E. Muñoz.
Availability:

In the ETB culture, we understand our customers' needs and offer them comprehensive solutions, seeking long-term relationships!
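The hourly check recommended under "Results and conclusions", as an added example (not code from the report or from ETB): it lists files created or changed in the last hour, flags server-side scripts that sit in upload directories such as the tmp-upload-images path named in the report, and passes the new files to ClamAV's clamscan when it is installed. The extension list, the "upload" path hint and all function names are assumptions.

```python
import os
import shutil
import subprocess
import time

# Assumption: extensions that a PHP-enabled web server may execute.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}
# Assumption: upload areas have "upload" in their path, as tmp-upload-images does.
UPLOAD_HINT = "upload"

def recent_files(root, window_s=3600, now=None):
    """Files under root whose mtime or ctime lies within the last window_s seconds."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished between listing and stat
            # ctime still moves when mtime is set back, so use the later of the two.
            if now - max(st.st_mtime, st.st_ctime) <= window_s:
                hits.append(path)
    return sorted(hits)

def script_in_upload_dir(path):
    """True for a server-side script stored in a directory meant for uploads."""
    directory, name = os.path.split(path.lower())
    # Look at every extension so a name like "chart.php.jpg" is flagged too.
    exts = {"." + part for part in name.split(".")[1:]}
    return bool(exts & SCRIPT_EXTS) and UPLOAD_HINT in directory

def clamav_infected(paths):
    """clamscan 'FOUND' lines for paths; None if clamscan is missing or paths is empty."""
    if not paths or shutil.which("clamscan") is None:
        return None
    proc = subprocess.run(["clamscan", "--no-summary", "--infected", *paths],
                          capture_output=True, text=True)
    if proc.returncode == 2:  # clamscan: 0 clean, 1 infected, 2 error
        raise RuntimeError(proc.stderr.strip())
    return [line for line in proc.stdout.splitlines() if line.endswith("FOUND")]

def hourly_report(root, now=None):
    """Result of one scheduled run: what is new, what looks wrong, what ClamAV found."""
    new = recent_files(root, 3600, now)
    return {"new": new,
            "scripts_in_uploads": [p for p in new if script_in_upload_dir(p)],
            "clamav": clamav_infected(new)}
```

Scheduled hourly against the web root, `hourly_report` gives the notification step its input: an alert is due whenever `scripts_in_uploads` or `clamav` comes back non-empty.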
