httpd-users mailing list archives

From Patrick Proniewski <patrick.proniew...@univ-lyon2.fr>
Subject Re: [users@httpd] Re: phishing problem
Date Wed, 13 Jul 2011 10:53:33 GMT
On 13 Jul 2011, at 12:18, Ashwin Kesavan wrote:

> There are huge benefits of doing this if I were a hacker. First I don't invoke the suspicion
> of the admin. B'cos I am making minimal changes to config server, so that I delay his notice.
> Then by diverting to my website I have the huge advantage of doing anything I want and getting
> them to do what I want to do with them. I have a user on my web server for which I have total
> control and best of all the user/actual admin suspicion is not raised or is delayed till I can
> make my damage. Second most important point of diverting traffic. In case the admin suspects
> a compromise or a policy to change passwd every x days then I have to do the hack all over again
> to gain access and this time the same hack may or may not work. So it always makes sense
> to divert traffic to your server. Is that enough reason for a cracker to divert traffic instead
> of using the compromised server?

Or you just don't divert traffic, thus avoiding raising suspicion. You just modify the login
page of the webmail very slightly to log login/passwd in plain text somewhere on the server,
and you can harvest user accounts and email content without being noticed.

You can't do anything valuable by diverting users to a remote server if you already have (reasonable)
access to the genuine server. There is no point doing so if all you want is to gain access
to their webmail account (and Frank said that was the purpose of the attack).
2 lines of php hidden in an include of the webmail login process function is way harder to
detect than an http redirect. You don't even need to log back in to the server later, as your
hack can just write down hacked data into a file available through the apache server (i.e.
http://webmail/.hidden/userdb.txt)

Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2
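The two changes Patrick describes (a small edit to an included PHP file, plus a new dot-prefixed file under the document root that the hacked data is written to) are exactly what a file-integrity baseline catches. The following is an added example, not code from this thread or from any webmail project: it builds a SHA-256 baseline of a web tree, diffs it against a later snapshot, and separately flags any path with a dot-prefixed component, since an Apache docroot normally has no reason to serve those. The sample tree, file names and contents are constructed in a temporary directory for the demonstration.

```python
"""Added example: file-integrity baseline for a webmail document root.

Detects (1) modified files such as an edited include and (2) new files such
as a hidden dotfile/dotdirectory placed under the docroot. All paths below
are constructed in a temporary directory; nothing touches a real server.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def compare(old, new):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return modified, added, removed


def hidden_paths(paths):
    """Paths with any dot-prefixed component, e.g. '.hidden/userdb.txt'."""
    return sorted(
        p for p in paths if any(part.startswith(".") for part in p.split(os.sep))
    )


def _write(root, rel, text):
    """Helper to create a constructed sample file under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Build a constructed webmail tree, snapshot it, change it, and report.

    Returns (modified, added, removed, hidden) so a caller can check them.
    """
    with tempfile.TemporaryDirectory() as root:
        # constructed sample install: a login page and one include
        _write(root, "login.php", "<?php include 'include/auth.php'; ?>\n")
        _write(root, "include/auth.php",
               "<?php function check_login($u, $p) { return verify($u, $p); }\n")
        before = baseline(root)

        # later snapshot: the include was touched and a dotfile appeared
        _write(root, "include/auth.php",
               "<?php function check_login($u, $p) { /* changed */ return verify($u, $p); }\n")
        _write(root, ".hidden/userdb.txt", "")
        after = baseline(root)

        modified, added, removed = compare(before, after)
        return modified, added, removed, hidden_paths(after)


if __name__ == "__main__":
    modified, added, removed, hidden = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("removed: ", removed)
    print("hidden:  ", hidden)
```

In practice the baseline would be generated right after installation (or from the distribution's own package manifest) and stored off the web server, with the comparison run from cron and its output mailed to the administrator; a second, cheap check is to deny dot-prefixed paths in the Apache configuration so that a file like `.hidden/userdb.txt` cannot be fetched over HTTP even if it is written.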