Answers inline -----Original Message----- From: Patrick Proniewski [mailto:patrick.proniewski@xxxxxxxxxxxxx] Sent: Wednesday, July 13, 2011 2:34 AM To: users@xxxxxxxxxxxxxxxx Subject: Re: Re: phishing problem On 12 juil. 2011, at 21:40, Frank Bonnet wrote: > I think effectivelly users's requests have been redirected > to the hacked servers ... so it's not a phishing, it's more like a man-in-the-middle, or a DNS cache poisoning... The only way for you to know what happens is to act as victims do (doing exactly what they do, and land on the pirate server) while you perform some forensic analysis (tcpdump/wireshark on port 53, 80 and 443 should be enough). And make sure it is not a case access to your server having httpd is compromised ? look though the apache httpd conf files and its included files and look for the parameter redirect ..... or some url rewite rule through mod_rewrite rules. Did you access log recorded any redirect http code, I think the http code is 3xx. Instead of thinking at big things like DNS cache poisioning, first make sure something under your nose is missed. HTH --ashwin --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx