On 13 juil. 2011, at 12:18, Ashwin Kesavan wrote: > There are huge befits of doing this if I were a hacker. First I don't invoke > the suspicion of the admin. B'cos I am making minimal changes to config > server, so that I delay his notice. Then by diverting to my website I have > the huge advantage of doing anything I want and getting them to do what I > want to do with them. I have user on my web server for which I have total > control and best of all the user/actual admin suspicion is not raised or > delayed till I can make my damage. Second most important point of diverting > traffic. In case the admin suspects a compromise or a policy to change passwd > every x days then I have do the hack all over again to gain access and this > time the same hack may or may not work. So it is always make sense to divert > traffic to your server. Is that enough reason to cracker to divert traffic > instead of using the compromised server.
Or you just don't divert traffic, thus avoiding to raise suspicion. You just modify the login page of the webmail very slightly to log login/passwd in plain text somewhere on the server, and you can harvest user accounts and email content without beeing noticed. You can't do anything valuable by diverting users on a remote server if you already have (reasonable) access to the genuine server. There is no point doing so if all you want is to gain access to their webmail account (and Frank said that was the purpose of the attack). 2 lines of php hidden in an include of the webmail login process function is way harder to detect than an http redirect. You don't even need to log back to the server later, as your hack can just write down hacked data into a file available through the apache server (ie. http://webmail/.hidden/userdb.txt) Patrick PRONIEWSKI -- Administrateur Système - DSI - Université Lumière Lyon 2
smime.p7s
Description: S/MIME cryptographic signature
