Posted to users@httpd.apache.org by Frank Bonnet <f....@esiee.fr> on 2011/07/12 10:20:41 UTC

[users@httpd] phishing problem

Hello

A few weeks ago we discovered that two of our Apache servers
have been victims of a phishing attack.

The first one is running SquirrelMail webmail and the second one
is running our extranet services for students and professors.

Both of them are using https and require authentication.

The two phishing pages had the same look and feel as the original servers,
of course!

The "traps" have been used to grab users' logins and passwords, as usual.

The attack has been performed by "real" hackers that have been paid
by some students to hack the passwords of "interesting" people.
Maybe some hacked DNS or Internet routers have been compromised/used?

I would be VERY interested in ANY documentation about that kind
of phishing technique and HOW to fight them (if possible); also
I would be interested in any Apache gurus' advice ...
Would it be possible to configure something in Apache to track down
that kind of problem? Any log analyzer that could help?

Thank you very much


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: phishing problem

Posted by Frank Bonnet <f....@esiee.fr>.
On 07/13/2011 12:53 PM, Patrick Proniewski wrote:
> On 13 juil. 2011, at 12:18, Ashwin Kesavan wrote:
>
>> There are huge benefits to doing this if I were a hacker. First, I don't invoke the suspicion of the admin, because I am making minimal changes to the server config, so that I delay his notice. Then, by diverting to my website, I have the huge advantage of doing anything I want and getting them to do what I want to do with them. I have the user on my web server, over which I have total control, and best of all the user's/actual admin's suspicion is not raised, or is delayed till I can do my damage. The second most important point of diverting traffic: in case the admin suspects a compromise, or there is a policy to change the passwd every x days, then I have to do the hack all over again to gain access, and this time the same hack may or may not work. So it always makes sense to divert traffic to your server. Is that enough reason for a cracker to divert traffic instead of using the compromised server?
>
>
> Or you just don't divert traffic, thus avoiding raising suspicion. You just modify the login page of the webmail very slightly to log login/passwd in plain text somewhere on the server, and you can harvest user accounts and email content without being noticed.
>
> You can't do anything valuable by diverting users to a remote server if you already have (reasonable) access to the genuine server. There is no point doing so if all you want is to gain access to their webmail account (and Frank said that was the purpose of the attack).
> 2 lines of PHP hidden in an include of the webmail login process function is way harder to detect than an HTTP redirect. You don't even need to log back in to the server later, as your hack can just write the hacked data into a file available through the Apache server (i.e. http://webmail/.hidden/userdb.txt)
>
> Patrick PRONIEWSKI

We have VERY cautiously checked the configuration of the servers;
the config files are the originals
(the webmaster keeps backups of the configuration files in a
versioning system),
so I think the server has not been compromised.

the truth is elsewhere ...






Re: [users@httpd] Re: phishing problem

Posted by Patrick Proniewski <pa...@univ-lyon2.fr>.
On 13 juil. 2011, at 12:18, Ashwin Kesavan wrote:

> There are huge benefits to doing this if I were a hacker. First, I don't invoke the suspicion of the admin, because I am making minimal changes to the server config, so that I delay his notice. Then, by diverting to my website, I have the huge advantage of doing anything I want and getting them to do what I want to do with them. I have the user on my web server, over which I have total control, and best of all the user's/actual admin's suspicion is not raised, or is delayed till I can do my damage. The second most important point of diverting traffic: in case the admin suspects a compromise, or there is a policy to change the passwd every x days, then I have to do the hack all over again to gain access, and this time the same hack may or may not work. So it always makes sense to divert traffic to your server. Is that enough reason for a cracker to divert traffic instead of using the compromised server?



Or you just don't divert traffic, thus avoiding raising suspicion. You just modify the login page of the webmail very slightly to log login/passwd in plain text somewhere on the server, and you can harvest user accounts and email content without being noticed.

You can't do anything valuable by diverting users to a remote server if you already have (reasonable) access to the genuine server. There is no point doing so if all you want is to gain access to their webmail account (and Frank said that was the purpose of the attack).
2 lines of PHP hidden in an include of the webmail login process function is way harder to detect than an HTTP redirect. You don't even need to log back in to the server later, as your hack can just write the hacked data into a file available through the Apache server (i.e. http://webmail/.hidden/userdb.txt)

Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2


RE: [users@httpd] Re: phishing problem

Posted by Ashwin Kesavan <as...@yahoo-inc.com>.
Answers inline

-----Original Message-----
From: Patrick Proniewski [mailto:patrick.proniewski@univ-lyon2.fr] 
Sent: Wednesday, July 13, 2011 12:54 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: phishing problem

On 13 juil. 2011, at 07:23, Ashwin Kesavan wrote:

> And make sure it is not a case of access to your server running httpd being compromised. Look through the Apache httpd conf files and their included files and look for the Redirect parameter ..... or some URL rewrite rule through mod_rewrite rules. Did your access log record any redirect HTTP code? I think the HTTP code is 3xx. Instead of thinking of big things like DNS cache poisoning, first make sure nothing under your nose is missed.

Say you are the hacker: you gain access to the real server, with privileges high enough to change apache config and restart the daemon. What is the point in redirecting users to your own server when you can gain access to user data (webmail login and password, then mailbox content) without anybody noticing? 
-----


My replies>>>>

There are huge benefits to doing this if I were a hacker. First, I don't invoke the suspicion of the admin, because I am making minimal changes to the server config, so that I delay his notice. Then, by diverting to my website, I have the huge advantage of doing anything I want and getting them to do what I want to do with them. I have the user on my web server, over which I have total control, and best of all the user's/actual admin's suspicion is not raised, or is delayed till I can do my damage. The second most important point of diverting traffic: in case the admin suspects a compromise, or there is a policy to change the passwd every x days, then I have to do the hack all over again to gain access, and this time the same hack may or may not work. So it always makes sense to divert traffic to your server. Is that enough reason for a cracker to divert traffic instead of using the compromised server?

HTH

--ashwin



Re: [users@httpd] Re: phishing problem

Posted by Frank Bonnet <f....@esiee.fr>.
On 07/13/2011 09:23 AM, Patrick Proniewski wrote:
> On 13 juil. 2011, at 07:23, Ashwin Kesavan wrote:
>
>> And make sure it is not a case of access to your server running httpd being compromised. Look through the Apache httpd conf files and their included files and look for the Redirect parameter ..... or some URL rewrite rule through mod_rewrite rules. Did your access log record any redirect HTTP code? I think the HTTP code is 3xx. Instead of thinking of big things like DNS cache poisoning, first make sure nothing under your nose is missed.
> Say you are the hacker: you gain access to the real server, with privileges high enough to change apache config and restart the daemon. What is the point in redirecting users to your own server when you can gain access to user data (webmail login and password, then mailbox content) without anybody noticing?
>
> I think Franck has no idea what's going on, and he should really investigate, gather evidence and technical facts before we continue to enumerate every kind of possible compromise :/
>
> Patrick PRONIEWSKI

In fact I do know what is going on! Some hackers grab the logins/passwords of
our users!

In the meantime we have completely reinstalled the extranet from scratch
on a new machine, passwords changed, etc. etc.

Now the webmail, which is "untouched", will serve to try to trap the "villain".

The "event" happens every new school year (September); at this time
the "software" runs to grab the passwords of naive users.

We have time to prepare "something" as we now know which machine
is the target.



Re: [users@httpd] Re: phishing problem

Posted by Patrick Proniewski <pa...@univ-lyon2.fr>.
On 13 juil. 2011, at 07:23, Ashwin Kesavan wrote:

> And make sure it is not a case of access to your server running httpd being compromised. Look through the Apache httpd conf files and their included files and look for the Redirect parameter ..... or some URL rewrite rule through mod_rewrite rules. Did your access log record any redirect HTTP code? I think the HTTP code is 3xx. Instead of thinking of big things like DNS cache poisoning, first make sure nothing under your nose is missed.

Say you are the hacker: you gain access to the real server, with privileges high enough to change apache config and restart the daemon. What is the point in redirecting users to your own server when you can gain access to user data (webmail login and password, then mailbox content) without anybody noticing? 

I think Franck has no idea what's going on, and he should really investigate, gather evidence and technical facts before we continue to enumerate every kind of possible compromise :/

Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2


RE: [users@httpd] Re: phishing problem

Posted by Ashwin Kesavan <as...@yahoo-inc.com>.
Answers inline

-----Original Message-----
From: Patrick Proniewski [mailto:patrick.proniewski@univ-lyon2.fr] 
Sent: Wednesday, July 13, 2011 2:34 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: phishing problem

On 12 juil. 2011, at 21:40, Frank Bonnet wrote:

> I think effectively users' requests have been redirected
> to the hacked servers ...

So it's not phishing; it's more like a man-in-the-middle, or DNS cache poisoning...
The only way for you to know what happens is to act as the victims do (doing exactly what they do, and landing on the pirate server) while you perform some forensic analysis (tcpdump/wireshark on ports 53, 80 and 443 should be enough).

And make sure it is not a case of access to your server running httpd being compromised. Look through the Apache httpd conf files and their included files and look for the Redirect parameter ..... or some URL rewrite rule through mod_rewrite rules. Did your access log record any redirect HTTP code? I think the HTTP code is 3xx. Instead of thinking of big things like DNS cache poisoning, first make sure nothing under your nose is missed.

HTH

--ashwin



Re: [users@httpd] Re: phishing problem

Posted by Patrick Proniewski <pa...@univ-lyon2.fr>.
On 12 juil. 2011, at 21:40, Frank Bonnet wrote:

> I think effectively users' requests have been redirected
> to the hacked servers ...

So it's not phishing; it's more like a man-in-the-middle, or DNS cache poisoning...
The only way for you to know what happens is to act as the victims do (doing exactly what they do, and landing on the pirate server) while you perform some forensic analysis (tcpdump/wireshark on ports 53, 80 and 443 should be enough).


> Gosh ... HOW ???


Find a victim, use his/her computer and account, with a tcpdump running.
How's that: posting in English, but absolutely off topic now.

good luck,

Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2


Re: [users@httpd] Re: phishing problem

Posted by Edgar Frank <ef...@email.de>.
On 12.07.2011 21:40, Frank Bonnet wrote:
> I think effectively users' requests have been redirected
> to the hacked servers ...

Checked the access logs? If it's another server issuing the requests
you could notice by the request IP addresses. Otherwise, use
only an HTTPS login - don't offer HTTP. Also - your application
should send a random validation token with the login form, which
the user agent has to send back on submit (via POST data).
Also, check the Referer header. I think you could use mod_security
for that.

Read http://en.wikipedia.org/wiki/CSRF for more details.

Users might also be subject to an XSS attack or social engineering.
Use the latest versions of the software, ask their forums/lists and check
the net for CSRF and XSS vulnerabilities.

Delve into the details of these attacks to get a better understanding
of how these attacks might have happened and what countermeasures you
can establish.

You could set HTTP Strict Transport Security headers - e.g.
via mod_headers to defend against embedding via (i)frames.

Hope this helps.

Regards,
Edgar

> I wonder how they do that, because users access those servers
> directly ... they do not click on a fake email or anything
> like that; those servers are well known to our users:
> the extranet and one webmail.
>
> Hacked router? Hacked DNS? Does it come from INSIDE?
>
> Our main routers seem OK and I have cautiously checked
> our primary DNS.
>
> Gosh ... HOW ???
>
> On 12/07/2011 19:20, DW wrote:
>>
>>
>> I have provided a translation. See my message. I agree he should have
>> continued in the language of this newsgroup.
>>
>>
>>
>> Sander Temme wrote:
>>> On Jul 12, 2011, at 1:37 AM, Patrick Proniewski wrote:
>>>
>>>> Hi,
>>>>
>>>> Apache servers are not victims of phishing attacks.
>>>> Users are victims of phishing attacks.
>>>>
>>>> As the OP is French, I'm continuing in French:
>>>
>>> Patrick, remember that one of the reasons we have these conversations
>>> on a mailinglist is that others can also benefit from the information
>>> exchanged. You're not just talking to Frank, you're talking to all of
>>> us. Keeping the conversation in English will ensure maximum benefit.
>>>
>>> Thank you,
>>>
>>> S.
>>>
>>>> As I said above, your servers cannot be victims of a phishing
>>>> attack. Phishing is an attack by abuse of trust (or of stupidity),
>>>> and so it takes place directly at the user level.
>>>> The only way to fight phishing is to educate users. You can always
>>>> offer services over https; if users don't care about the validity
>>>> of the certificates, it's hopeless.
>>>>
>>>> You don't give enough details for us to understand what happened,
>>>> so it's impossible to give you pointers to documentation.
>>>> In any case, if users have been directed without their knowledge
>>>> to a "pirate" server, there is no Apache configuration that can
>>>> protect them, since by definition the users land on a server that
>>>> is not yours.
>>>>
>>>> On 12 juil. 2011, at 10:20, Frank Bonnet wrote:
>>>>
>>>>> Hello
>>>>>
>>>>> A few weeks ago we discovered that two of our Apache servers
>>>>> have been victims of a phishing attack.
>>>>>
>>>>> The first one is running SquirrelMail webmail and the second one
>>>>> is running our extranet services for students and professors.
>>>>>
>>>>> Both of them are using https and require authentication.
>>>>>
>>>>> The two phishing pages had the same look and feel as the original servers,
>>>>> of course!
>>>>>
>>>>> The "traps" have been used to grab users' logins and passwords, as
>>>>> usual.
>>>>>
>>>>> The attack has been performed by "real" hackers that have been paid
>>>>> by some students to hack the passwords of "interesting" people.
>>>>> Maybe some hacked DNS or Internet routers have been compromised/used?
>>>>>
>>>>> I would be VERY interested in ANY documentation about that kind
>>>>> of phishing technique and HOW to fight them (if possible); also
>>>>> I would be interested in any Apache gurus' advice ...
>>>>> Would it be possible to configure something in Apache to track down
>>>>> that kind of problem? Any log analyzer that could help?
>>>>>
>>>>> Thank you very much
>>>> Patrick PRONIEWSKI
>>>> --
>>>> System Administrator - DSI - Université Lumière Lyon 2
>>>>
>>>
>>>
>>
>>
>


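Putting Edgar's access-log check and Ashwin's 3xx check into code, as an added example that is not from the original thread: it parses Apache combined-format lines and flags a login-form GET answered with a 3xx, login POSTs whose Referer is not one of your own hosts, and a single client IP submitting more logins than a handful of people would (what a relay forwarding victims' credentials looks like from the genuine server). The log lines are constructed; the SquirrelMail paths and the hostnames are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed SquirrelMail 1.4 paths: the login form and the script it posts to.
LOGIN_PATHS = {"/src/login.php", "/src/redirect.php"}
# Hostnames under which we legitimately serve that login form (assumed).
OUR_HOSTS = {"webmail.example.edu"}


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def analyze(lines, login_paths=LOGIN_PATHS, our_hosts=OUR_HOSTS, max_logins_per_ip=5):
    """Scan access-log lines for three things worth a second look:
    - a GET of the login form answered with a 3xx (a form should render with 200;
      your own http->https redirect is the benign explanation to rule out),
    - a login POST whose Referer names a host that is not ours (the form the
      user filled in was served from somewhere else),
    - one client IP submitting more logins than max_logins_per_ip (a relay
      forwarding many victims' credentials from a single address).
    """
    our_hosts = {h.lower() for h in our_hosts}
    posts_per_ip = Counter()
    findings = {"redirected_login_gets": [], "foreign_referers": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in login_paths:
            continue
        if rec["method"] == "GET" and 300 <= rec["status"] < 400:
            findings["redirected_login_gets"].append((rec["ip"], rec["status"]))
        elif rec["method"] == "POST":
            posts_per_ip[rec["ip"]] += 1
            ref_host = urlsplit(rec["referer"]).hostname  # None for "-" or no URL
            if ref_host is not None and ref_host.lower() not in our_hosts:
                findings["foreign_referers"].append((rec["ip"], ref_host))
    findings["busy_login_ips"] = [
        (ip, n) for ip, n in posts_per_ip.most_common() if n > max_logins_per_ip
    ]
    return findings


# Constructed sample log: two ordinary users, a relay host posting seven logins
# with a look-alike Referer, and one login-form GET that was answered with a 302.
_USER = ('203.0.113.%d - - [13/Jul/2011:08:0%d:12 +0200] "%s HTTP/1.1" %d %d '
         '"%s" "Mozilla/5.0"')
_RELAY = ('198.51.100.23 - - [13/Jul/2011:08:03:%02d +0200] "POST /src/redirect.php '
          'HTTP/1.1" 302 0 "http://webmail-example.example.net/src/login.php" '
          '"python-urllib/2.6"')
SAMPLE_LOG = (
    [_USER % (10, 1, "GET /src/login.php", 200, 2140, "-"),
     _USER % (10, 1, "POST /src/redirect.php", 302, 0, "https://webmail.example.edu/src/login.php"),
     _USER % (11, 2, "GET /src/login.php", 200, 2140, "-"),
     _USER % (11, 2, "POST /src/redirect.php", 302, 0, "https://webmail.example.edu/src/login.php")]
    + [_RELAY % s for s in range(1, 8)]
    + ['192.0.2.77 - - [13/Jul/2011:08:10:44 +0200] "GET /src/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Run it against a real access_log with `analyze(open(path))` after adjusting LOGIN_PATHS and OUR_HOSTS; a busy IP is only a lead, since a NAT gateway or campus proxy produces the same pattern legitimately.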


[users@httpd] Re: phishing problem

Posted by DW <xf...@hotmail.com>.
Frank Bonnet wrote:
> I think effectively users' requests have been redirected
> to the hacked servers ...
> 
> I wonder how they do that, because users access those servers
> directly ... they do not click on a fake email or anything
> like that; those servers are well known to our users:
> the extranet and one webmail.
> 
> Hacked router? Hacked DNS? Does it come from INSIDE?
> 
> Our main routers seem OK and I have cautiously checked
> our primary DNS.
> 
> Gosh ... HOW ???
> 

I suspect some hackers managed to hijack their website and changed the
links on the webpage.  It is very simple to do this on servers managed
by companies that have no expertise in security matters.  I have seen
many websites taken over by spammers supplying viagra and other medical
stuff, and all they are interested in doing is pasting their HTML/CSS code
on somebody's website.





Re: [users@httpd] Re: phishing problem

Posted by Frank Bonnet <f....@esiee.fr>.
I think effectively users' requests have been redirected
to the hacked servers ...

I wonder how they do that, because users access those servers
directly ... they do not click on a fake email or anything
like that; those servers are well known to our users:
the extranet and one webmail.

Hacked router? Hacked DNS? Does it come from INSIDE?

Our main routers seem OK and I have cautiously checked
our primary DNS.

Gosh ... HOW ???

On 12/07/2011 19:20, DW wrote:
>
>
> I have provided a translation.  See my message.  I agree he should have
> continued in the language of this newsgroup.
>
>
>
> Sander Temme wrote:
>> On Jul 12, 2011, at 1:37 AM, Patrick Proniewski wrote:
>>
>>> Hi,
>>>
>>> Apache servers are not victims of phishing attacks.
>>> Users are victims of phishing attacks.
>>>
>>> As the OP is French, I'm continuing in French:
>>
>> Patrick, remember that one of the reasons we have these conversations on a mailinglist is that others can also benefit from the information exchanged.  You're not just talking to Frank, you're talking to all of us.  Keeping the conversation in English will ensure maximum benefit.
>>
>> Thank you,
>>
>> S.
>>
>>> As I said above, your servers cannot be victims of a phishing attack. Phishing is an attack by abuse of trust (or of stupidity), and so it takes place directly at the user level.
>>> The only way to fight phishing is to educate users. You can always offer services over https; if users don't care about the validity of the certificates, it's hopeless.
>>>
>>> You don't give enough details for us to understand what happened, so it's impossible to give you pointers to documentation.
>>> In any case, if users have been directed without their knowledge to a "pirate" server, there is no Apache configuration that can protect them, since by definition the users land on a server that is not yours.
>>>
>>> On 12 juil. 2011, at 10:20, Frank Bonnet wrote:
>>>
>>>> Hello
>>>>
>>>> A few weeks ago we discovered that two of our Apache servers
>>>> have been victims of a phishing attack.
>>>>
>>>> The first one is running SquirrelMail webmail and the second one
>>>> is running our extranet services for students and professors.
>>>>
>>>> Both of them are using https and require authentication.
>>>>
>>>> The two phishing pages had the same look and feel as the original servers,
>>>> of course!
>>>>
>>>> The "traps" have been used to grab users' logins and passwords, as usual.
>>>>
>>>> The attack has been performed by "real" hackers that have been paid
>>>> by some students to hack the passwords of "interesting" people.
>>>> Maybe some hacked DNS or Internet routers have been compromised/used?
>>>>
>>>> I would be VERY interested in ANY documentation about that kind
>>>> of phishing technique and HOW to fight them (if possible); also
>>>> I would be interested in any Apache gurus' advice ...
>>>> Would it be possible to configure something in Apache to track down
>>>> that kind of problem? Any log analyzer that could help?
>>>>
>>>> Thank you very much
>>> Patrick PRONIEWSKI
>>> --
>>> System Administrator - DSI - Université Lumière Lyon 2
>>>
>>
>>
>
>



[users@httpd] Re: phishing problem

Posted by DW <xf...@hotmail.com>.

I have provided a translation.  See my message.  I agree he should have
continued in the language of this newsgroup.



Sander Temme wrote:
> On Jul 12, 2011, at 1:37 AM, Patrick Proniewski wrote:
> 
>> Hi,
>>
>> Apache servers are not victims of phishing attacks.
>> Users are victims of phishing attacks.
>>
>> As the OP is French, I'm continuing in French:
> 
> Patrick, remember that one of the reasons we have these conversations on a mailinglist is that others can also benefit from the information exchanged.  You're not just talking to Frank, you're talking to all of us.  Keeping the conversation in English will ensure maximum benefit.
> 
> Thank you, 
> 
> S.
> 
>> As I said above, your servers cannot be victims of a phishing attack. Phishing is an attack by abuse of trust (or of stupidity), and so it takes place directly at the user level.
>> The only way to fight phishing is to educate users. You can always offer services over https; if users don't care about the validity of the certificates, it's hopeless.
>>
>> You don't give enough details for us to understand what happened, so it's impossible to give you pointers to documentation.
>> In any case, if users have been directed without their knowledge to a "pirate" server, there is no Apache configuration that can protect them, since by definition the users land on a server that is not yours.
>>
>> On 12 juil. 2011, at 10:20, Frank Bonnet wrote:
>>
>>> Hello
>>>
>>> A few weeks ago we discovered that two of our Apache servers
>>> have been victims of a phishing attack.
>>>
>>> The first one is running SquirrelMail webmail and the second one
>>> is running our extranet services for students and professors.
>>>
>>> Both of them are using https and require authentication.
>>>
>>> The two phishing pages had the same look and feel as the original servers,
>>> of course!
>>>
>>> The "traps" have been used to grab users' logins and passwords, as usual.
>>>
>>> The attack has been performed by "real" hackers that have been paid
>>> by some students to hack the passwords of "interesting" people.
>>> Maybe some hacked DNS or Internet routers have been compromised/used?
>>>
>>> I would be VERY interested in ANY documentation about that kind
>>> of phishing technique and HOW to fight them (if possible); also
>>> I would be interested in any Apache gurus' advice ...
>>> Would it be possible to configure something in Apache to track down
>>> that kind of problem? Any log analyzer that could help?
>>>
>>> Thank you very much
>> Patrick PRONIEWSKI
>> -- 
>> System Administrator - DSI - Université Lumière Lyon 2
>>
> 
> 




Re: [users@httpd] phishing problem

Posted by Patrick Proniewski <pa...@univ-lyon2.fr>.
On 12 juil. 2011, at 18:49, Sander Temme wrote:

> 
> On Jul 12, 2011, at 1:37 AM, Patrick Proniewski wrote:
> 
>> Hi,
>> 
>> Apache servers are not victims of phishing attacks.
>> Users are victims of phishing attacks.
>> 
>> As the OP is French, I'm continuing in French:
> 
> Patrick, remember that one of the reasons we have these conversations on a mailinglist is that others can also benefit from the information exchanged.  You're not just talking to Frank, you're talking to all of us.  Keeping the conversation in English will ensure maximum benefit.


The French text was just a development of the first two English lines. This whole thread is absolutely off topic: there is no sense in "ensuring maximum benefit" then, IMHO.

regards,

Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2


Re: [users@httpd] phishing problem

Posted by Sander Temme <sc...@apache.org>.
On Jul 12, 2011, at 1:37 AM, Patrick Proniewski wrote:

> Hi,
> 
> Apache servers are not victims of phishing attacks.
> Users are victims of phishing attacks.
> 
> As the OP is French, I'm continuing in French:

Patrick, remember that one of the reasons we have these conversations on a mailinglist is that others can also benefit from the information exchanged.  You're not just talking to Frank, you're talking to all of us.  Keeping the conversation in English will ensure maximum benefit.

Thank you, 

S.

> As I said above, your servers cannot be victims of a phishing attack. Phishing is an attack by abuse of trust (or of stupidity), and so it takes place directly at the user level.
> The only way to fight phishing is to educate users. You can always offer services over https; if users don't care about the validity of the certificates, it's hopeless.
> 
> You don't give enough details for us to understand what happened, so it's impossible to give you pointers to documentation.
> In any case, if users have been directed without their knowledge to a "pirate" server, there is no Apache configuration that can protect them, since by definition the users land on a server that is not yours.
> 
> On 12 juil. 2011, at 10:20, Frank Bonnet wrote:
> 
>> Hello
>>
>> A few weeks ago we discovered that two of our Apache servers
>> have been victims of a phishing attack.
>>
>> The first one is running squirrelmail webmail and the second one
>> is running our extranet services for students and professors.
>>
>> Both of them are using https and require authentication.
>>
>> The two phishing pages had the same look and feel as the original servers,
>> of course!
>>
>> The "traps" were used to grab users' logins and passwords, as usual.
>>
>> The attack was performed by "real" hackers who were paid
>> by some students to hack the passwords of "interesting" people.
>> Maybe some hacked DNS or Internet routers have been compromised/used?
>>
>> I would be VERY interested in ANY documentation about that kind
>> of phishing technique and HOW to fight it (if possible); also
>> I would be interested in any Apache gurus' advice...
>> Would it be possible to configure something in Apache to track down
>> that kind of problem? Any log analyzer that could help?
>>
>> Thank you very much
> 
> Patrick PRONIEWSKI
> -- 
> Administrateur Système - DSI - Université Lumière Lyon 2
> 




[users@httpd] Re: phishing problem

Posted by DW <xf...@hotmail.com>.
Translation:

As I said above, your servers cannot be victims of a phishing attack. A
phishing attack is a breach of confidence (or stupidity), and it is
therefore directly at the user level.
The only way to fight against phishing is to educate users. You can
always offer services in https; if users don't care about the validity of
certificates, it is dead.

You do not give enough detail for us to understand what happened,
so we cannot give you pointers to the doc.
Anyway, if users were unwittingly led to a "pirate" server, there is no
apache configuration that can protect them, since by definition, users
arrive on a server that is not yours.


Patrick Proniewski wrote:

> As I said above, your servers cannot be victims of a phishing attack. Phishing is an attack that abuses trust (or naivety), so it sits directly at the user level.
> The only way to fight phishing is to educate users. You can offer services over https all you like; if users don't care whether the certificate is valid, it's hopeless.
> 
> You don't give enough details for us to understand what happened, so it's impossible to point you to documentation.
> In any case, if users were directed without their knowledge to a "rogue" server, there is no Apache configuration that can protect them, since by definition the users arrive at a server that is not yours.
> 




Re: [users@httpd] phishing problem

Posted by Patrick Proniewski <pa...@univ-lyon2.fr>.
Hi,

Apache servers are not victims of phishing attacks.
Users are victims of phishing attacks.

As the OP is French, I'm continuing in French:

As I said above, your servers cannot be victims of a phishing attack. Phishing is an attack that abuses trust (or naivety), so it sits directly at the user level.
The only way to fight phishing is to educate users. You can offer services over https all you like; if users don't care whether the certificate is valid, it's hopeless.

You don't give enough details for us to understand what happened, so it's impossible to point you to documentation.
In any case, if users were directed without their knowledge to a "rogue" server, there is no Apache configuration that can protect them, since by definition the users arrive at a server that is not yours.

On 12 juil. 2011, at 10:20, Frank Bonnet wrote:

> Hello
>
> A few weeks ago we discovered that two of our Apache servers
> have been victims of a phishing attack.
>
> The first one is running squirrelmail webmail and the second one
> is running our extranet services for students and professors.
>
> Both of them are using https and require authentication.
>
> The two phishing pages had the same look and feel as the original servers,
> of course!
>
> The "traps" were used to grab users' logins and passwords, as usual.
>
> The attack was performed by "real" hackers who were paid
> by some students to hack the passwords of "interesting" people.
> Maybe some hacked DNS or Internet routers have been compromised/used?
>
> I would be VERY interested in ANY documentation about that kind
> of phishing technique and HOW to fight it (if possible); also
> I would be interested in any Apache gurus' advice...
> Would it be possible to configure something in Apache to track down
> that kind of problem? Any log analyzer that could help?
>
> Thank you very much

Patrick PRONIEWSKI
-- 
Administrateur Système - DSI - Université Lumière Lyon 2


Re: [users@httpd] phishing problem

Posted by Frank Bonnet <f....@esiee.fr>.
On 07/12/2011 10:33 AM, Giles Coochey wrote:
> On Tue, July 12, 2011 10:20, Frank Bonnet wrote:
>> Hello
>>
>> A few weeks ago we discovered that two of our Apache servers
>> have been victims of a phishing attack.
>>
>> The first one is running squirrelmail webmail and the second one
>> is running our extranet services for students and professors.
>>
>> Both of them are using https and require authentication.
>>
>> The two phishing pages had the same look and feel as the original servers,
>> of course!
>>
>> The "traps" were used to grab users' logins and passwords, as usual.
>>
>> The attack was performed by "real" hackers who were paid
>> by some students to hack the passwords of "interesting" people.
>> Maybe some hacked DNS or Internet routers have been compromised/used?
>>
>> I would be VERY interested in ANY documentation about that kind
>> of phishing technique and HOW to fight it (if possible); also
>> I would be interested in any Apache gurus' advice...
>> Would it be possible to configure something in Apache to track down
>> that kind of problem? Any log analyzer that could help?
>>
> If you are saying that someone made a copy of your website and somehow
> lured people into logging in to those websites under the guise that they were
> in fact your website, then:
>
> The best defence against this is the education of your userbase. This
> attack is essentially a social engineering attack and your users need to
> be educated to mitigate the risk.
>
> When your user enters a password, make sure they take a look at the
> situation before doing so.
>
> 1. Is the connection HTTPS
> 2. Is the certificate provided correct
> 3. Does the URL look correct
>
> and so on.
>
> If anything looks a bit 'phishy' then they should call your helpdesk. You
> do have a helpdesk, don't you?
>
> As it is a social engineering attack there is relatively little you can do
> on the technical side to mitigate the risks here.
>

OK, I understand... there is nothing to do after all.




Re: [users@httpd] phishing problem

Posted by Giles Coochey <gi...@coochey.net>.
On Tue, July 12, 2011 10:20, Frank Bonnet wrote:
> Hello
>
> A few weeks ago we discovered that two of our Apache servers
> have been victims of a phishing attack.
>
> The first one is running squirrelmail webmail and the second one
> is running our extranet services for students and professors.
>
> Both of them are using https and require authentication.
>
> The two phishing pages had the same look and feel as the original servers,
> of course!
>
> The "traps" were used to grab users' logins and passwords, as usual.
>
> The attack was performed by "real" hackers who were paid
> by some students to hack the passwords of "interesting" people.
> Maybe some hacked DNS or Internet routers have been compromised/used?
>
> I would be VERY interested in ANY documentation about that kind
> of phishing technique and HOW to fight it (if possible); also
> I would be interested in any Apache gurus' advice...
> Would it be possible to configure something in Apache to track down
> that kind of problem? Any log analyzer that could help?
>
If you are saying that someone made a copy of your website and somehow
lured people into logging in to those websites under the guise that they were
in fact your website, then:

The best defence against this is the education of your userbase. This
attack is essentially a social engineering attack and your users need to
be educated to mitigate the risk.

When your user enters a password, make sure they take a look at the
situation before doing so.

1. Is the connection HTTPS
2. Is the certificate provided correct
3. Does the URL look correct

and so on.

If anything looks a bit 'phishy' then they should call your helpdesk. You
do have a helpdesk, don't you?

As it is a social engineering attack there is relatively little you can do
on the technical side to mitigate the risks here.
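Editor's note: the replies in this thread, rightly, put the emphasis on user education, and nobody answers Frank's last question about logs. There is one thing your own Apache access log can sometimes tell you, though: a clone of a login page is often built by saving the HTML and leaving the images, CSS and JavaScript pointing at the real server, so victims' browsers fetch those static assets from you with a Referer header naming the phishing host. The script below is an added example (editor's code, not from anyone in the thread or from the httpd project) that parses combined-format log lines and groups static-asset requests by Referer hosts you do not own. The log lines are constructed for the example, and the hostnames webmail.example.edu (your server) and webmail-example-edu.attacker.test (the clone) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Static files a cloned login page is likely to keep loading from the real host.
ASSET_SUFFIXES = (".png", ".gif", ".jpg", ".jpeg", ".ico", ".css", ".js")

# Constructed sample lines, not a real log. Hostnames are assumptions:
# webmail.example.edu is "our" server, webmail-example-edu.attacker.test the clone.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2011:09:58:01 +0200] "GET /webmail/images/sm_logo.png HTTP/1.1" 200 4521 "https://webmail.example.edu/webmail/src/login.php" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2011:10:01:12 +0200] "GET /webmail/images/sm_logo.png HTTP/1.1" 200 4521 "http://webmail-example-edu.attacker.test/login.php" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2011:10:01:13 +0200] "GET /webmail/css/style.css HTTP/1.1" 200 1200 "http://webmail-example-edu.attacker.test/login.php" "Mozilla/5.0"
198.51.100.22 - - [12/Jul/2011:10:05:40 +0200] "GET /webmail/images/sm_logo.png HTTP/1.1" 200 4521 "http://webmail-example-edu.attacker.test/login.php" "Mozilla/5.0"
203.0.113.44 - - [12/Jul/2011:10:06:00 +0200] "GET /webmail/src/login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Jul/2011:10:06:00 +0200] "GET /webmail/images/sm_logo.png HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_static_asset(path):
    """True for request paths that look like images, stylesheets or scripts."""
    return urlsplit(path).path.lower().endswith(ASSET_SUFFIXES)


def foreign_referers(log_text, own_hosts):
    """Group static-asset requests by Referer host, keeping only hosts we do not own.

    Returns {referer_host: {"requests": n, "clients": {ip, ...}, "paths": {path, ...}}}.
    A browser that loads our logo while displaying a page on a host that is not ours
    has very probably just rendered a copy of our login page hosted elsewhere.
    """
    own = {h.lower() for h in own_hosts}
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] == "-" or not is_static_asset(rec["path"]):
            continue
        ref_host = (urlsplit(rec["referer"]).hostname or "").lower()
        if not ref_host or ref_host in own:
            continue
        entry = report.setdefault(ref_host, {"requests": 0, "clients": set(), "paths": set()})
        entry["requests"] += 1
        entry["clients"].add(rec["ip"])
        entry["paths"].add(rec["path"])
    return report


if __name__ == "__main__":
    for host, info in foreign_referers(SAMPLE_LOG, {"webmail.example.edu"}).items():
        print(f"{host}: {info['requests']} asset request(s) from {len(info['clients'])} client(s)")
        for p in sorted(info["paths"]):
            print("   ", p)
```

Two caveats before relying on this. The Referer is set by the client, so an attacker who serves copies of the assets from the phishing host, or a browser that does not send a Referer (historically the case when going from an https page to an http resource), leaves no trace here; a hit is good evidence, silence proves nothing. Also, the IPs that appear are your own users' addresses, which is useful for telling them to change their password, not for finding the attacker. If you want to act on it in Apache rather than after the fact, mod_setenvif's SetEnvIf Referer can tag such requests so that a CustomLog with an env= condition writes them to a separate file.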


