Re: Re: phishing problem


 



On 12.07.2011 21:40, Frank Bonnet wrote:
I think effectively users' requests have been redirected
to the hacked servers ...

Checked the access logs? If it's another server issuing the requests
you could notice by the request IP addresses. Otherwise, use
only a HTTPS login - don't offer HTTP. Also - your application
should send a random validation token with the login form, which
the user agent has to send back on submit (via POST data).
Also, check the referer header. I think you could use mod_security
for that.

Read http://en.wikipedia.org/wiki/CSRF for more details.

Users might also be subject to an XSS attack or social engineering.
Use the latest versions of the software, ask their forums/lists and check
the net for CSRF and XSS vulnerabilities.

Delve into the details of these attacks to get a better understanding
of how these attacks might have happened and what countermeasures you
can establish.

You could set HTTP Strict Transport Security Headers - e.g.
via mod_headers to defend against embedding via (i)frames.

Hope this helps.

Regards,
Edgar
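The following is an added example, not a configuration from the thread or from any of its posters. It shows one way to implement the advice above on an Apache 2.2-era vhost: no HTTP service beyond a redirect, an HSTS header via mod_headers, a Referer check on the login POST, and an access log that records the Referer so foreign origins show up. The hostname, paths, certificate files and the `/login` URL are placeholders; mod_rewrite is used for the Referer check in place of the mod_security rule suggested above.

```apache
# Added example (not from the thread). Hostnames, paths and the /login URL
# are placeholders.

# Port 80: offer no HTTP service at all, only a redirect to HTTPS.
<VirtualHost *:80>
    ServerName webmail.example.edu
    Redirect permanent / https://webmail.example.edu/
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.example.edu
    SSLEngine on
    # placeholder certificate paths
    SSLCertificateFile    /etc/ssl/certs/webmail.example.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/webmail.example.edu.key
    DocumentRoot /var/www/webmail

    # HTTP Strict Transport Security (mod_headers): a browser that has seen
    # this header refuses plain-HTTP connections to the host for a year, so a
    # user who types the bare hostname is not silently served over HTTP.
    # Caveat: HSTS does not control framing; that is a separate header
    # (X-Frame-Options), not covered here.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Referer check on the login POST (mod_rewrite instead of mod_security):
    # a login submitted from a form that was not served by this host gets 403.
    # Caveat: browsers and proxies may strip the Referer, so an empty header is
    # allowed through (and visible in the log below); only a foreign one is denied.
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https://webmail\.example\.edu/ [NC]
    RewriteRule ^/login$ - [F]

    # Record client address, Referer and User-Agent on every request, so a
    # foreign site submitting logins stands out when reviewing the access log.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    CustomLog /var/log/apache2/webmail_access.log combined
</VirtualHost>
```

The per-request random validation token mentioned above cannot be done in the Apache configuration alone; it has to be generated and checked by the login application itself.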

I wonder how they do that because users access those servers
directly ... they do not click on a fake email or anything
like that, those servers are well known to our users,
the extranet and one webmail

hacked router? hacked DNS? Does it come from INSIDE?

Our main routers seem OK and I have cautiously checked
our primary DNS

Gosh ... HOW ???

On 12/07/2011 19:20, DW wrote:


I have provided a translation. See my message. I agree he should have
continued in the language of this newsgroup.



Sander Temme wrote:
On Jul 12, 2011, at 1:37 AM, Patrick Proniewski wrote:

Hi,

Apache servers are not victims of phishing attacks.
Users are victims of phishing attacks.

As the OP is French, I'm continuing in French:

Patrick, remember that one of the reasons we have these conversations
on a mailing list is that others can also benefit from the information
exchanged. You're not just talking to Frank, you're talking to all of
us. Keeping the conversation in English will ensure maximum benefit.

Thank you,

S.

As I said above, your servers cannot be victims of a phishing
attack. Phishing is an attack that abuses trust (or stupidity), and
so it takes place directly at the level of the user.
The only way to fight phishing is to educate the users. You can
always offer services over https; if the users don't care about the
validity of certificates, it's hopeless.

You don't give enough details for us to understand what happened, so
it's impossible to give you pointers to documentation.
In any case, if users were directed without their knowledge to a
"pirate" server, there is no apache configuration that can protect
them, since by definition the users arrive at a server that is not
yours.

On 12 Jul 2011, at 10:20, Frank Bonnet wrote:

Hello

A few weeks ago we discovered that two of our apache servers
have been victims of a phishing attack.

The first one is running squirrelmail webmail and the second one
is running our extranet services for students and professors.

Both of them are using https and require authentication.

The two phishing pages had the same look and feel as the original servers
of course !

The "traps" have been used to grab users' logins and passwords as
usual.

The attack has been performed by "real" hackers that have been paid
by some students to hack passwords of "interesting" people.
maybe some hacked DNS or Internet routers have been compromised/used ?

I would be VERY interested in ANY documentation about that kind
of phishing technique and HOW to fight it ( if possible ); also
I would be interested in any apache gurus' advice ...
Would it be possible to configure something in apache to track down
that kind of problem ? any log analyzer that could help ?

Thank you very much
Patrick PRONIEWSKI
--
System Administrator - DSI - Université Lumière Lyon 2



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx






