[22451] in bugtraq
RE: easy remote detection of a running tripwire for webpages system
daemon@ATHENA.MIT.EDU (Bennett Samowich)
Wed Aug 29 12:38:55 2001
From: "Bennett Samowich" <brs@ben-tech.com>
To: <bugtraq@securityfocus.com>
Date: Wed, 29 Aug 2001 08:47:09 -0400
Message-ID: <NDBBLLLFMLABCIHGKMMGIELKEBAA.brs@ben-tech.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <14731.999007702@www25.gmx.net>
This can be avoided by setting the "ServerSignature" directive to "Off" in
the Apache configuration. Once turned off Apache will only send the line
"Server: Apache". This should be done anyways as an attacker can always use
version information gathered from reconnaissance to develop an attack plan.
See the following link for more information on this directive:
http://httpd.apache.org/docs/mod/core.html#serversignature
Unfortunately I can't say for sure how to accomplish the same in other web
servers but I have to imagine that there is a way... or at least there
should be.
Cheers,
- Bennett
> -----Original Message-----
> Hi all,
>
> when i played arround with tripwire for webpages, i noticed
> that it is very easy to detect if this tool is running on a remote
> machine. just type :
>
> telnet <remote-host> 80
> HEAD / HTTP/1.0
>
> The Output looks as follows :
>
> HTTP/1.1 200 OK
> Date: Tue, 28 Aug 2001 15:41:33 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
> Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
> ETag: "c7a3-6f-3b4edc60"
> Accept-Ranges: bytes
> Content-Length: 111
> Connection: close
> Content-Type: text/html
>
>
> The text 'Intrusion/1.0.3' in the 'Server:' line tells me that
> Tripwire for
> Webpages 1.0.3 is running.
...snip...
