On 12 juil. 2011, at 21:40, Frank Bonnet wrote: > I think effectivelly users's requests have been redirected > to the hacked servers ...
so it's not a phishing, it's more like a man-in-the-middle, or a DNS cache poisoning... The only way for you to know what happens is to act as victims do (doing exactly what they do, and land on the pirate server) while you perform some forensic analysis (tcpdump/wireshark on port 53, 80 and 443 should be enough). > Gosh ... HOW ??? find a victim, use his/her computer and account, with a tcpdump running How's that, posting in english, but absolutely off topic now. good luck, Patrick PRONIEWSKI -- Administrateur Système - DSI - Université Lumière Lyon 2
smime.p7s
Description: S/MIME cryptographic signature
