[22450] in bugtraq
Re: easy remote detection of a running tripwire for webpages system
daemon@ATHENA.MIT.EDU (Gabriel Lawrence)
Wed Aug 29 12:29:17 2001
Message-ID: <3B8C6171.9040305@landq.org>
Date: Tue, 28 Aug 2001 20:28:49 -0700
From: Gabriel Lawrence <gabe@landq.org>
Reply-To: gabe@landq.org
MIME-Version: 1.0
To: johncybpk@gmx.net
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
This capability is controlled by the ServerTokens directive in Apache.
You can turn off the overly informative server line using this directive:

ServerTokens Prod

As a side note, if you don't do this the server line will contain other
useful tidbits like what version of PHP, mod_jk and mod_jrun your Apache
server is running (if you are running these things of course.) All of
this information is something a crafty program could use to find a
vulnerable server assuming a specific version of one of these things has
a vulnerability of interest.
-gabe
johncybpk@gmx.net wrote:
> Hi all,
>
> When I played around with Tripwire for Webpages, I noticed
> that it is very easy to detect if this tool is running on a remote
> machine. Just type:
>
> telnet <remote-host> 80
> HEAD / HTTP/1.0
>
> The output looks as follows:
>
> HTTP/1.1 200 OK
> Date: Tue, 28 Aug 2001 15:41:33 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
> Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
> ETag: "c7a3-6f-3b4edc60"
> Accept-Ranges: bytes
> Content-Length: 111
> Connection: close
> Content-Type: text/html
>
>
> The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for
> Webpages 1.0.3 is running.
>
> This output is caused by the module: libmod_tripwire.so
>
> The gathered information could be used by an attacker to be more
> careful when trying to deface the content of the site running TWP.
>
> Because then the attacker tries first to disable the TWP mechanism coz of
> no alerting to the admin and second the defacement appears on the
> screen of the surfers who visit the site.
>
> cheers
>
> johnny.cyberpunk@illegalaccess.org
>
--
There is a fine line between coincidence and destiny.
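
Added example, not part of the original messages: a small audit check an administrator could run over captured response headers to list what the Server line discloses beyond a bare product name, which is what remains after ServerTokens Prod. The function names are hypothetical and the sample input is a subset of the headers quoted in the post above.

```python
import re

# Constructed input: a subset of the response headers quoted in the post above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 28 Aug 2001 15:41:33 GMT\r\n"
    "Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# A Server value is a run of product[/version] tokens and (comments).
TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")

def server_header(raw_response):
    """Return the Server header value from raw response headers, or None."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def parse_tokens(value):
    """Split a Server value into (kind, name, version) tuples."""
    tokens = []
    for m in TOKEN_RE.finditer(value):
        if m.group(1) is not None:
            tokens.append(("comment", m.group(1), None))
        else:
            tokens.append(("product", m.group(2), m.group(3)))
    return tokens

def audit(raw_response):
    """List everything the Server header reveals beyond a bare product name."""
    value = server_header(raw_response)
    if value is None:
        return []
    findings = []
    for i, (kind, name, version) in enumerate(parse_tokens(value)):
        if kind == "comment":
            findings.append(f"platform comment: ({name})")
        elif version:
            findings.append(f"version disclosed: {name}/{version}")
        elif i > 0:                            # extra module named without a version
            findings.append(f"module name disclosed: {name}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

An empty result means the header is already reduced to the product name alone.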