On 07/13/2011 12:53 PM, Patrick Proniewski wrote:
On 13 July 2011, at 12:18, Ashwin Kesavan wrote:

There are huge benefits of doing this if I were a hacker. First, I don't invoke 
the suspicion of the admin, because I am making minimal changes to the config server, 
so that I delay his noticing. Then, by diverting to my website, I have the huge 
advantage of doing anything I want and getting them to do what I want to do 
with them. I have a user on my web server over which I have total control, and best 
of all the user's/actual admin's suspicion is not raised, or is delayed, till I can do 
my damage. Second most important point of diverting traffic: in case the admin 
suspects a compromise, or there is a policy to change passwd every x days, then I have to do 
the hack all over again to gain access, and this time the same hack may or may 
not work. So it always makes sense to divert traffic to your server. Is that 
enough reason for a cracker to divert traffic instead of using the compromised 
server?


Or you just don't divert traffic, thus avoiding raising suspicion. You just 
modify the login page of the webmail very slightly to log login/passwd in plain 
text somewhere on the server, and you can harvest user accounts and email 
content without being noticed.

You can't do anything valuable by diverting users to a remote server if you 
already have (reasonable) access to the genuine server. There is no point doing 
so if all you want is to gain access to their webmail accounts (and Frank said 
that was the purpose of the attack).
Two lines of PHP hidden in an include of the webmail login process function are 
way harder to detect than an HTTP redirect. You don't even need to log back in to 
the server later, as your hack can just write the harvested data into a file 
available through the Apache server (e.g. http://webmail/.hidden/userdb.txt).

Patrick PRONIEWSKI
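The check that Patrick's scenario calls for, as an added example that is not part of the thread and not something either poster ran: comparing configuration files against version control, as Frank's team did, says nothing about the PHP includes under the document root or about a new file parked in a hidden directory. The script below hashes every file under a webroot, diffs it against a baseline manifest (in practice one taken from version control or an offline copy, never from the possibly compromised host) and reports modified, added and removed paths, plus any newly added path with a dot-prefixed component. The webroot contents, the baseline and the "tampering" are all constructed here; the inserted edit is a placeholder comment, since the detection depends only on the content changing, not on what was inserted.

```python
import hashlib
import os
import tempfile

# Constructed example webroot (path -> contents); not taken from the thread.
# .htaccess is included to show a legitimate hidden file that must NOT be flagged.
CLEAN_WEBROOT = {
    "index.php": "<?php require 'inc/login.php'; ?>\n",
    "inc/login.php": "<?php function check_login($u, $p) { /* genuine logic */ } ?>\n",
    "css/style.css": "body { margin: 0; }\n",
    ".htaccess": "Options -Indexes\n",
}


def sha256_file(path):
    """Content hash of one file. Hash content rather than trusting mtime or
    size: an attacker who edits a file can reset its timestamps."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path (forward slashes) -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def hidden_paths(paths):
    """Paths with a dot-prefixed component (e.g. .hidden/userdb.txt). Run over
    the *added* set only, so legitimate baseline files like .htaccess stay quiet."""
    return sorted(p for p in paths if any(part.startswith(".") for part in p.split("/")))


def write_tree(root, files):
    """Write a {relative_path: contents} dict under root."""
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)


def demo():
    """Build a clean webroot, record the baseline, simulate tampering, and report."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, CLEAN_WEBROOT)
        baseline = build_manifest(root)  # real life: from VCS/offline copy, not the live box
        # Constructed tampering: a tiny edit to the login include plus a drop file
        # in a served hidden directory. The placeholder comment stands in for the edit.
        with open(os.path.join(root, "inc", "login.php"), "a", encoding="utf-8") as f:
            f.write("// constructed placeholder for a small malicious edit\n")
        write_tree(root, {".hidden/userdb.txt": "constructed placeholder\n"})
        current = build_manifest(root)
        modified, added, removed = compare_manifests(baseline, current)
        return {
            "modified": modified,
            "added": added,
            "removed": removed,
            "new_hidden": hidden_paths(added),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the script does not cover and a practitioner must: the baseline must itself be trustworthy (hash the checkout from version control or the deployment tarball, on a different machine), and anything Apache serves from outside the tracked tree, such as an alias, a symlink or a writable upload directory, needs its own manifest or its own block in the Apache configuration.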

We have VERY carefully checked the configuration of the servers; the config files are the originals (the webmaster keeps backups of the configuration files in a versioning system).
So I think the server has not been compromised.

the truth is elsewhere ...




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
