Mailing List CGatePro@mail.stalker.com Message #102928
From: Jeff Wark <jwark@tbaytel.net>
Subject: Re: Session-ID in logs
Date: Tue, 24 Jan 2012 14:15:57 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
I don't think that the session was hijacked [positive it wasn't].  What I believe happened was a customer clicked on a link that was an attachment [index.html] and that somehow directed them to an ebay/paypal form.  That form took the http://mail.tbaytel.net/Sess........./index.html referrer and submitted mail.tbaytel.net to PhishTank.com.

My real beef is that it appears this one attachment created a request to a page that got our entire mail server blacklisted for customers of OpenDNS.  Not cool.

Again, thank you for the insight on the session ID values. Much appreciated.  As a side note, on cluster machines there appears to be an extra field at the end of the session ID.  This represents what back server the session is opened on.

Have a great day.

On 1/24/2012 2:06 PM, Philip Slater wrote:
Have the feeling it was not documented, but I probably made the correlation between the session number and the web user-#### after a few restarts and noticed SessionID = Webuser entry sometime since CGP was released. Yeah yeah, I have been troubleshooting CGP that long ;-)


If a session was hijacked you may want to advise users to use https and ensure that "require fixed IP address" is enabled. If it is not enabled then anyone in the world with that URL can log in to the mail account while the session is open. If enabled, then only requests for that Session from the login IP address will be processed.

Phil

On Jan 24, 2012, at 10:13 AM, Jeff Wark wrote:

That is the most helpful piece of log scanning information I have received.  I had no idea that was the correlation.

Did you find that in the documentation somewhere or did you discover it?  If it is in the documentation, I believe I may have missed an interesting page.  ;)

On 1/24/2012 12:51 PM, Philip Slater wrote:
Yes there is.

That number corresponds with the web user session entries in the logs.

Provided that your Session (Settings/Access/Session) log level is set to Majors & Failures you will be able to match up the item.

For example.

http://localhost:8100/Session/3-v7hTCUkpNrT8nrqUYZrC/frameset.wssp?

Session ID is #3

From the log:


  09:47:30.432 2 WEBUSER-000003(lolade) logged in(HTTP) from [127.0.0.1]:53290

Let me know what activity in webmail is giving you a problem in deciphering and I will gladly lend a hand.

Phil

On Jan 24, 2012, at 8:01 AM, Jeff Wark wrote:

Short version:
Is there any way to associate a webmail session ID [cluster based] such as
642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz
with a username in the logs?

Long Version:
I have set my server [5.2.19] to log my IP address at the debug level.  When I login to the webmail, I cannot see an immediately obvious connection to the username.  I do find this:
10:48:54.504 5 HTTPC-153558 out: POST /ProxyLogin/jwark@tbaytel.net/aodhhdz.html HTTP/1.1\r\nReferer: http://mail.tbaytel.net/?restoreSessionPage=.html\r\nCookie: __utma=192908911.2112433454.1274466685.1326812208.1327419163.57; __utmc=192908911; __utmz=192908911.1327419163.57.22.utmccn=(referral)|ut
10:48:55.156 5 HTTPU-153558([10.2.26.250]) out: HTTP/1.1 301 Moved\r\nContent-Length: 577\r\nConnection: close\r\nDate: Tue, 24 Jan 2012 15:48:55 GMT\r\nContent-Type: text/html;charset=utf-8\r\nServer: CommuniGatePro/5.2.19\r\nLocation: http://mail.tbaytel.net/Session/642898-X5NLTjVHRTD0FhGpaBgu-aod

which mentions the username jwark in the HTTPC line and the session-ID in the HTTPU line [I have never seen an HTTPC entry as far as I can remember].

The reason I am asking is because one of our accounts got compromised and got our mail server listed at phishtank.com.  The URL listed there has a session-ID in it and I would like to be able to track down the account that was compromised.  Since the session ID is in the URL, I think that it could only have been valid for at most 12 hours [our session limit], but I could be wrong.  I would just like to associate it with an account.  I guess this is more of a feature request: to see a line like:
10:56:17.414 2 HTTPU-620430([1.2.3.4]) 'jwark@tbaytel.net' linked from [1.2.3.4]:61563 to [10.1.1.106]:110 with Session-ID 642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz

That would give a direct link between an account and a session ID.  I also do not want to log HTTP requests at "All Info" level.  That level should be only for finding a problem and I cannot retroactively increase the log level.

As a side note, I have always found it difficult to associate webmail sessions with other events in the logs.  It is almost like there is a piece of information lacking in a record or something.  I have no problem with any SMTP/POP/IMAP, but Webmail always gives me a problem.

Thanks again.



________________________________________________________

Philip Slater
Professional Services
CommuniGate Systems
p 1 415 383 7164 ext 201
p 1 800 262 4722 ext 201
f 1 415 383 7461

SIP & Email pslater@communigate.com
AIM: stalkersoftware
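The correlation Phil describes above (the numeric prefix of the webmail Session URL equals the WEBUSER-nnnnnn counter in the Session log) is easy to automate when an abuse report hands you only a URL. The following is an added example, not code from the thread or from CommuniGate Systems: it parses a `/Session/<num>-<token>[-<backend>]` URL, then scans Session-log lines for `WEBUSER-<num>(account) logged in(...)` records and returns every matching login. The log format is taken from the lines quoted in the thread; the `jwark` and `bob` login lines below are constructed sample data, and the trailing-field-is-backend rule for cluster IDs is Jeff's observation, treated here as an assumption. Because the WEBUSER counter restarts with the server (Phil only found the mapping "after a few restarts"), the function returns all candidates rather than the first one, so an ambiguous match is visible instead of silently wrong.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Session URL forms quoted in the thread:
#   http://localhost:8100/Session/3-v7hTCUkpNrT8nrqUYZrC/frameset.wssp?
#   http://mail.tbaytel.net/Session/642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz/...
SESSION_PATH_RE = re.compile(r"/Session/([^/?#]+)")

# Session log record as shown by Phil (Majors & Failures level):
#   09:47:30.432 2 WEBUSER-000003(lolade) logged in(HTTP) from [127.0.0.1]:53290
WEBUSER_LOGIN_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{3}) (?P<level>\d) "
    r"WEBUSER-(?P<num>\d+)\((?P<account>[^)]+)\) "
    r"logged in\((?P<proto>[^)]+)\) from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
)


@dataclass(frozen=True)
class SessionRef:
    number: int              # numeric prefix; equals the WEBUSER counter in the log
    token: str               # random part of the session ID
    backend: Optional[str]   # trailing field on cluster frontends (assumption, per Jeff)


def parse_session_url(url: str) -> Optional[SessionRef]:
    """Split the Session path segment into number, random token and optional backend tag."""
    m = SESSION_PATH_RE.search(url)
    if not m:
        return None
    parts = m.group(1).split("-")
    if len(parts) < 2 or not parts[0].isdigit():
        return None
    # Assumption: a third hyphen-separated field only appears on cluster
    # frontends and names the back-end server (e.g. "aodhhdz").
    backend = parts[-1] if len(parts) >= 3 else None
    token = "-".join(parts[1:-1]) if backend else parts[1]
    return SessionRef(int(parts[0]), token, backend)


def find_logins(session_url: str, log_text: str) -> List[dict]:
    """Return every WEBUSER login record whose counter matches the URL's session number.

    More than one hit means the counter wrapped or the server restarted between
    the logins; use the time of the abuse report to pick the right one.
    """
    ref = parse_session_url(session_url)
    if ref is None:
        return []
    hits = []
    for line in log_text.splitlines():
        m = WEBUSER_LOGIN_RE.match(line.strip())
        if m and int(m["num"]) == ref.number:
            hits.append(m.groupdict())
    return hits


# Constructed sample log. The first line is Phil's example from the thread; the
# other two are made up to show a cluster-style session and a counter reuse.
SAMPLE_LOG = """\
09:47:30.432 2 WEBUSER-000003(lolade) logged in(HTTP) from [127.0.0.1]:53290
10:48:55.101 2 WEBUSER-642898(jwark@tbaytel.net) logged in(HTTP) from [10.2.26.250]:61563
11:02:14.009 2 WEBUSER-000003(bob) logged in(HTTP) from [192.0.2.7]:40110
"""

if __name__ == "__main__":
    for url in (
        "http://mail.tbaytel.net/Session/642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz/index.html",
        "http://localhost:8100/Session/3-v7hTCUkpNrT8nrqUYZrC/frameset.wssp?",
    ):
        hits = find_logins(url, SAMPLE_LOG)
        flag = " (AMBIGUOUS: counter reused)" if len(hits) > 1 else ""
        print(url + flag)
        for h in hits:
            print(f"  {h['time']} {h['account']} from {h['ip']}")
```

Feed it the real Session log for the day of the report; if the "require fixed IP address" setting Phil mentions is on, the `ip` field of the matching login is also the only address that could have driven the session.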



