"Hijack attempt" (Kerio User Forums, Kerio Connect)
  •  
winkelman

Anybody got an idea what the below log lines mean? These appeared yesterday in the Security log and worry me a bit. "Hijack attempt" doesn't sound very nice...

(All connections from outside of the LAN are required to be secure.)


[01/Aug/2005 12:04:58] Attempt to hijack Webmail session dff9e729a5aed0ee4b39a38686f9f862 (created for IP=81.207.96.36, secure=yes) by connection from IP=62.133.78.151, secure=yes
[01/Aug/2005 20:11:03] Attempt to hijack Webmail session ee734cc15f1a44cae94c121f49521ab7 (created for IP=81.207.96.36, secure=yes) by connection from IP=62.133.84.13, secure=yes
[01/Aug/2005 20:13:43] Attempt to hijack Webmail session ec8630ea20ca51884aa651c0f8c391d4 (created for IP=62.133.84.13, secure=yes) by connection from IP=81.207.96.36, secure=yes
[01/Aug/2005 20:13:50] Attempt to hijack Webmail session ec8630ea20ca51884aa651c0f8c391d4 (created for IP=62.133.84.13, secure=yes) by connection from IP=81.207.96.36, secure=yes
[01/Aug/2005 20:19:47] Attempt to hijack Webmail session e8a6c87ae238cf32d60047bbfcdf8e9c (created for IP=81.207.96.36, secure=yes) by connection from IP=62.133.84.13, secure=yes
  •  
RPC_Admin

I had never seen this message until today when I saw it in my logs. In my case it was my router's internal IP address being hijacked by itself.
  •  
winkelman

This is strange then. Why would your router have anything to do with the Kerio Mail Server? And even so: why would it 'hijack' itself (whatever that means)?

I wonder what triggers this security log entry. Under what circumstances does KMS think hijacking is taking place? Anyone?
  •  
desquinn

Could be the use of Squid or some other web proxy.

Des Quinn
  •  
winkelman

After investigating deeper I think I now understand what happened:

It happened when a user was in a secure webmail session (over ADSL) but then disconnected his ADSL so the connection went to a mobile GPRS connection (obviously getting assigned a different IP address). I can see why the KMS would not allow a secure connection to 'shift' to a different IP address...
  •  
Nicholas.Yong

So do you have any solution for this issue? I have received a lot of complaints from webmail users that they can't log in to their accounts. A warning message '..session expire..' is prompted, but at the same time I found 'Attempt to hijack Webmail session' in my security logs.

Please help.
  •  
winkelman

Well, I did not really 'need' a solution, since over here there were no problems. It was just the log entry that got my attention, no users were/are complaining about issues related to this.

So I can't help you, sorry.
  •  
winkelman

I got some more "hijack attempts" and this time the reason is obvious (and not an issue):

I have a user on a laptop with a docking station. Docked, it uses cabled ethernet, undocked it uses WiFi. When undocking the network connection changes IP address (from fixed adapter to WiFi adapter) and to the KMS this looks like 'someone else' may be trying to "hijack" the secure connection.

So: no problem in these cases.
  •  
freakinvibe

This can also happen if:

- You have dynamic IP addresses from your ISP and they get changed during a session for whatever reason

- You use a proxy and the proxy goes out with different IP addresses for load balancing reasons

- You use a program like "Multi-Proxy" that lets you surf through multiple proxies

It would be cool if you could configure KMS with a switch like "Don't detect Browser Hijacks", but I haven't found this yet :-(

Regards, Pascal

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
winkelman

Yes, it would be nice if you could specify what kind of events you want to get logged and what not. My log files are now swamped with info that is not of interest to me (but may be of interest in other companies).

Ah well, better to log too much than too little :-)
  •  
Kerio_jthomas

freakinvibe wrote on Wed, 10 August 2005 03:27

> It would be cool if you could configure KMS with a switch like "Don't detect Browser Hijacks", but I haven't found this yet :-(
>
> Regards, Pascal

Today is your lucky day :-D

Edit mailserver.cfg and find:

<table name="Http">
<variable name="SessionExpireTimeout">3600</variable>
<variable name="MaxPostSize">20</variable>
<variable name="CheckSessionClientIp">1</variable>

Change CheckSessionClientIp to 0 and you will stop receiving this error.

Cheers,
Joshua

Joshua Thomas
Technical Support Manager
2350 Mission College Blvd, Suite 400
Santa Clara, CA 95054
Phone: (408) 496-4500
Fax: (408) 496-6902
http://www.kerio.com/support.html
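
Added example, not part of any post in this thread and not Kerio code: a small triage script for the "Attempt to hijack Webmail session" Security log lines, useful for reviewing what the check has been catching before setting CheckSessionClientIp to 0. The function names and the three labels are assumptions of this example; the labels are heuristics based on the roaming explanation given in the thread, not Kerio's own logic.

```python
import re
from collections import defaultdict

# Pattern derived from the Security log lines quoted in the first post.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Attempt to hijack Webmail session (?P<sid>[0-9a-f]+) "
    r"\(created for IP=(?P<owner>[\d.]+), secure=(?P<owner_tls>yes|no)\) "
    r"by connection from IP=(?P<peer>[\d.]+), secure=(?P<peer_tls>yes|no)")

# Sample input: the five log lines from the first post of the thread.
SAMPLE_LOG = """\
[01/Aug/2005 12:04:58] Attempt to hijack Webmail session dff9e729a5aed0ee4b39a38686f9f862 (created for IP=81.207.96.36, secure=yes) by connection from IP=62.133.78.151, secure=yes
[01/Aug/2005 20:11:03] Attempt to hijack Webmail session ee734cc15f1a44cae94c121f49521ab7 (created for IP=81.207.96.36, secure=yes) by connection from IP=62.133.84.13, secure=yes
[01/Aug/2005 20:13:43] Attempt to hijack Webmail session ec8630ea20ca51884aa651c0f8c391d4 (created for IP=62.133.84.13, secure=yes) by connection from IP=81.207.96.36, secure=yes
[01/Aug/2005 20:13:50] Attempt to hijack Webmail session ec8630ea20ca51884aa651c0f8c391d4 (created for IP=62.133.84.13, secure=yes) by connection from IP=81.207.96.36, secure=yes
[01/Aug/2005 20:19:47] Attempt to hijack Webmail session e8a6c87ae238cf32d60047bbfcdf8e9c (created for IP=81.207.96.36, secure=yes) by connection from IP=62.133.84.13, secure=yes
"""

def parse(text):
    """Return one dict per hijack-attempt line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def summarize(events):
    """Group events by unordered IP pair; track sessions, directions, TLS downgrade."""
    pairs = defaultdict(lambda: {"count": 0, "sessions": set(),
                                 "directions": set(), "downgrade": False})
    for e in events:
        p = pairs[frozenset((e["owner"], e["peer"]))]
        p["count"] += 1
        p["sessions"].add(e["sid"])
        p["directions"].add((e["owner"], e["peer"]))
        if e["owner_tls"] == "yes" and e["peer_tls"] == "no":
            p["downgrade"] = True  # secure session presented over plain HTTP
    return pairs

def triage(pairs):
    """Map sorted IP pair -> (heuristic label, event count, distinct sessions)."""
    report = {}
    for pair, p in pairs.items():
        if p["downgrade"]:
            label = "review: secure session reused over an insecure connection"
        elif len(p["directions"]) == 2:
            label = "both-directions: consistent with one client switching links"
        else:
            label = "one-direction: check who owns the connecting address"
        report[tuple(sorted(pair))] = (label, p["count"], len(p["sessions"]))
    return report

if __name__ == "__main__":
    for ips, result in sorted(triage(summarize(parse(SAMPLE_LOG))).items()):
        print(ips, result)
```

On the thread's own log lines, the 81.207.96.36 / 62.133.84.13 pair shows up in both directions across three sessions, which fits the ADSL-to-GPRS switch described earlier, while the single 62.133.78.151 event is one-directional.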

  •  
freakinvibe

Cool!

Thanks, Joshua

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch