[22444] in bugtraq

easy remote detection of a running tripwire for webpages system

daemon@ATHENA.MIT.EDU (johncybpk@gmx.net)
Tue Aug 28 23:37:50 2001

Date: Tue, 28 Aug 2001 16:08:22 +0200 (MEST)
From: johncybpk@gmx.net
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Message-ID: <14731.999007702@www25.gmx.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi all,

When I played around with Tripwire for Webpages, I noticed
that it is very easy to detect if this tool is running on a remote
machine. Just type:

telnet <remote-host> 80
HEAD / HTTP/1.0

The output looks as follows:

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2001 15:41:33 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3  
Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
ETag: "c7a3-6f-3b4edc60"
Accept-Ranges: bytes
Content-Length: 111
Connection: close
Content-Type: text/html


The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for
Webpages 1.0.3 is running.

This output is caused by the module: libmod_tripwire.so

The gathered information could be used by an attacker to be more
careful when trying to deface the content of the site running TWP.

Because then the attacker tries first to disable the TWP mechanism, so
there is no alerting to the admin, and second, the defacement appears on the
screen of the surfers who visit the site.

cheers

johnny.cyberpunk@illegalaccess.org
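
An added example, not part of the original post: a self-audit of a site's own Server banner that parses the header quoted above and lists every token it discloses beyond an allowed set. The ALLOWED_PRODUCTS policy, the function names and the trimmed sample response are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the response headers quoted in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 28 Aug 2001 15:41:33 GMT\r\n"
    "Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Hypothetical site policy: product names allowed in the banner, without versions.
ALLOWED_PRODUCTS = {"apache"}

# One banner element: a parenthesised comment, or product[/version].
TOKEN_RE = re.compile(
    r"\((?P<comment>[^()]*)\)|(?P<product>[^\s/()]+)(?:/(?P<version>[^\s()]+))?"
)

def server_header(raw):
    """Return the Server header value from a raw response head, or None."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def audit_banner(raw):
    """List (token, reason) pairs for everything the banner discloses beyond policy."""
    value = server_header(raw)
    findings = []
    if value is None:
        return findings
    for m in TOKEN_RE.finditer(value):
        if m.group("comment") is not None:
            findings.append((m.group(0), "platform comment"))
        elif m.group("product").lower() not in ALLOWED_PRODUCTS:
            findings.append((m.group(0), "unlisted module or product"))
        elif m.group("version"):
            findings.append((m.group(0), "version disclosed"))
    return findings

if __name__ == "__main__":
    for token, reason in audit_banner(SAMPLE_RESPONSE):
        print(f"{token}: {reason}")
```

On Apache, the ServerTokens directive controls how much of this banner is sent.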
 
