Mar 4, 2008

MITM, almost

Yesterday I wanted to check my bank balance. I clicked on my bank's ebanking interface but was presented with what looked like a self-signed certificate warning. Not a good sign, as this means a possible MITM. For comparison, the self-signed certificate is here. A legit certificate from the bank is here.

I proceeded to accept the self-signed certificate to see if it was really a MITM. To my disappointment, it was not. Actually it's a Squirrelmail installation at 125.212.46.13 which has a self-signed certificate. A bad practice nonetheless.

[image: DNS DIG1]

Must be a typo in one of their nameservers as 125.212.46.18 is the correct host. Normal response should be:

[image: DNS DIG2]

At first I suspected it was a MITM because 125.212.46.13 is an old CentOS 4.x installation with PHP 4.3.9 and Apache 2.0.52. Probably compromised, I said to myself; along with an A record, it makes a good MITM host. Apparently the misconfigured nameserver is 210.14.7.216.

[image: broken NS]

As of today 125.212.46.13 is dropping connections, but 210.14.7.216 is still returning it as an A record for ebanking.unionbankph.com.
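One way to catch this kind of split before a user hits the certificate warning, as an added example that is not from the post: query each authoritative nameserver directly and flag any that disagree with the rest. The two IPs and the 210.14.7.216 server come from the post; the other server names and the dig-style lines are constructed placeholders, not captured output.

```python
"""Check whether every authoritative nameserver returns the same A records."""
import subprocess
from collections import Counter

# Constructed sample: dig-style answer sections, one per nameserver queried.
# 210.14.7.216 and the two IPs come from the post; the other server names are
# placeholders, and none of these lines is real captured output.
SAMPLE_ANSWERS = {
    "210.14.7.216": "ebanking.unionbankph.com. 3600 IN A 125.212.46.13\n",
    "ns-placeholder-a": "ebanking.unionbankph.com. 3600 IN A 125.212.46.18\n",
    "ns-placeholder-b": "ebanking.unionbankph.com. 3600 IN A 125.212.46.18\n",
}


def parse_a_records(answer_section: str) -> frozenset:
    """Extract A-record targets from a `dig +noall +answer` answer section."""
    ips = set()
    for line in answer_section.splitlines():
        fields = line.split()
        # name ttl class type rdata -> keep only IN A rows, ignore CNAME etc.
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            ips.add(fields[4])
    return frozenset(ips)


def query_a_records(name: str, nameserver: str) -> frozenset:
    """Ask one nameserver directly; needs `dig` and network access."""
    out = subprocess.run(
        ["dig", "+noall", "+answer", "@" + nameserver, name, "A"],
        capture_output=True, text=True, timeout=10, check=False,
    ).stdout
    return parse_a_records(out)


def find_disagreeing_servers(answers: dict) -> tuple:
    """Return (consensus_ips, {server: its_ips}) for servers that differ.

    Consensus is the answer set most servers agree on; on a tie, most_common
    keeps the first-inserted set, so a 1-vs-1 split still shows up as a
    disagreement that has to be resolved by hand.
    """
    parsed = {ns: parse_a_records(text) for ns, text in answers.items()}
    consensus = Counter(parsed.values()).most_common(1)[0][0]
    outliers = {ns: ips for ns, ips in parsed.items() if ips != consensus}
    return consensus, outliers


if __name__ == "__main__":
    agreed, odd = find_disagreeing_servers(SAMPLE_ANSWERS)
    print("consensus:", sorted(agreed))
    for ns, ips in odd.items():
        print(f"{ns} disagrees: {sorted(ips)}")
```

To run it against live servers, replace SAMPLE_ANSWERS with the output of query_a_records() for each NS listed in the zone's NS records.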

1 comment:

srcasm

3/4/08 11:26 PM

An interesting scenario to face and it's great that you knew enough to check it out. What scares me is that websites like that are what cause most users to just accept self-signed, expired and incorrect SSL certs. This can cause pain and anguish in the long run when their information is stolen or worse, their identity.