[22477] in bugtraq


Re: easy remote detection of a running tripwire for webpages system

daemon@ATHENA.MIT.EDU (Johnny Cyberpunk)
Fri Aug 31 12:16:24 2001

Message-ID: <001801c13236$814833a0$2100a8c0@illegalaccess.de>
From: "Johnny Cyberpunk" <johncybpk@gmx.net>
To: "Jordan K Wiens" <jwiens@nersp.nerdc.ufl.edu>
Cc: <bugtraq@securityfocus.com>
Date: Fri, 31 Aug 2001 18:03:40 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Jordan,

I patch my servers by editing the binaries (httpd and the modules I'm using) with a hex editor.
This works very well for me and I never had problems with that. If you're using this way,
you have to patch on multiple offsets. Not only 'HEAD / HTTP/1.0' gives information on
the used Apache version; i.e. an invalid request or a non-existing file also gives info.
Also be careful while patching! Don't use longer strings than the original text!
Terminate the string with '00', and if you don't want to show any information, the first byte
in the string should be '20' hex and the next '00'!

Another possibility is to find the program lines for a HEAD request and modify its answers.

Or try to find every string where the server name or module name is mentioned in the source code.

cheers

johnny cyberpunk



----- Original Message -----
From: "Jordan K Wiens" <jwiens@nersp.nerdc.ufl.edu>
To: "Jonathan Sartin" <jonathan.sartin@rubus.com>
Cc: <bugtraq@securityfocus.com>
Sent: Friday, August 31, 2001 2:17 PM
Subject: RE: easy remote detection of a running tripwire for webpages system


> Know of any good links to documentation or source patches for completely
> modifying or removing the banner?  Note also that the Prod option only
> works with versions strictly greater than 1.3.12.  :-(
>
> --
> Jordan Wiens
> UF Network Incident Response Team
> (352)392-2061
>
> On Wed, 29 Aug 2001, Jonathan Sartin wrote:
>
> > You need to set the ServerTokens directive in httpd.conf to reveal only
> > those things that you feel appropriate about the server.
> >
> > Options are:
> >
> > min - will return the product and version (i.e. Apache/1.3.0)
> > os - will return product version and operating system.
> > full - will return everything, including the installed modules (as you
> > noted, and probably a bad thing).
> > product_only - will return just the product (i.e. Apache)
> >
> > default seems to be full.
> >
> > Examples:
> >
> > ServerTokens Prod[uctOnly]
> >      Server sends (e.g.): Server: Apache
> > ServerTokens Min[imal]
> >      Server sends (e.g.): Server: Apache/1.3.0
> > ServerTokens OS
> >      Server sends (e.g.): Server: Apache/1.3.0 (Unix)
> > ServerTokens Full (or not specified)
> >      Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2
> >
> > Note that this works on the server config level and therefore cannot be set
> > for individual virtualhosts.
> >
> > Cheers .... J
> >
>
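As an added example (not Johnny's tool, and not Apache code), a small Python helper that applies the rules from Johnny's message for hosts where the ServerTokens directive quoted above is not available: find every NUL-terminated string carrying the banner, overwrite each in place with a same-size, NUL-padded replacement (space + 00 to show nothing), and refuse anything longer than the original. The "binary" is a constructed byte string, not a real httpd image.

```python
import re

# Constructed sample "binary": a few NUL-terminated C strings, standing in for
# the several places a real httpd carries its version banner (not a real image).
SAMPLE = (b"\x7fELF\x01\x01\x00junk\x00"
          b"Apache/1.3.0\x00"
          b"Server: Apache/1.3.0 (Unix)\x00"
          b"mod_ssl/2.8.4\x00")


def find_strings(blob: bytes, token: bytes):
    """Yield (offset, string) for every NUL-terminated printable string that
    contains token; the banner usually turns up at more than one offset."""
    for m in re.finditer(rb"[\x20-\x7e]{4,}\x00", blob):
        s = m.group()[:-1]
        if token in s:
            yield m.start(), s


def patch_string(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Overwrite the C string `old` at `offset` with `new`, keeping its size.
    Rules from the post: never longer than the original, NUL-terminated, and a
    single space (0x20) followed by 0x00 when nothing should be shown."""
    if blob[offset:offset + len(old) + 1] != old + b"\x00":
        raise ValueError("no NUL-terminated %r at offset %d" % (old, offset))
    if new == b"":
        new = b" "                      # show nothing: 0x20 then 0x00
    if len(new) > len(old):
        raise ValueError("replacement is longer than the original string")
    padded = new + b"\x00" * (len(old) + 1 - len(new))   # same total size
    return blob[:offset] + padded + blob[offset + len(old) + 1:]


def patch_all(blob: bytes, token: bytes, new: bytes):
    """Patch every string containing token; returns (patched_blob, count)."""
    count = 0
    for offset, s in list(find_strings(blob, token)):
        # Sizes are preserved, so offsets found before patching stay valid.
        blob = patch_string(blob, offset, s, new)
        count += 1
    return blob, count


if __name__ == "__main__":
    patched, n = patch_all(SAMPLE, b"Apache", b"")
    print("patched %d strings, size unchanged: %s" % (n, len(patched) == len(SAMPLE)))
```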

