httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Frank Bonnet <f.bon...@esiee.fr>
Subject Re: [users@httpd] Re: phishing problem
Date Wed, 13 Jul 2011 13:01:37 GMT
On 07/13/2011 12:53 PM, Patrick Proniewski wrote:
> On 13 juil. 2011, at 12:18, Ashwin Kesavan wrote:
>
>> There are huge befits of doing this if I were a hacker. First I don't invoke the
suspicion of the admin. B'cos I am making minimal changes to config server, so that I delay
his notice. Then by diverting to my website I have the huge advantage of doing anything I
want and getting them to do what I want to do with them. I have user on my web server for
which I have total control and best of all the user/actual admin suspicion is not raised or
delayed till I can make my damage. Second most important point of diverting traffic. In case
the admin suspects a compromise or a policy to change passwd every x days then I have do the
hack all over again to gain access and this time the same hack may or may not work. So it
is always make sense to divert traffic to your server. Is that enough reason to cracker to
divert traffic instead of using the compromised server.
>
>
> Or you just don't divert traffic, thus avoiding to raise suspicion. You just modify the
login page of the webmail very slightly to log login/passwd in plain text somewhere on the
server, and you can harvest user accounts and email content without beeing noticed.
>
> You can't do anything valuable by diverting users on a remote server if you already have
(reasonable) access to the genuine server. There is no point doing so if all you want is to
gain access to their webmail account (and Frank said that was the purpose of the attack).
> 2 lines of php hidden in an include of the webmail login process function is way harder
to detect than an http redirect. You don't even need to log back to the server later, as your
hack can just write down hacked data into a file available through the apache server (ie.
http://webmail/.hidden/userdb.txt)
>
> Patrick PRONIEWSKI

we have VERY cautiously checked the configuration of the servers , 
config files are the originals
( the webmaster keep backups of the configuration files with a 
versionning system )
So I think the server has not been compromised.

the truth is elsewhere ...




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message