6997179 2001-08-28 16:08 +0200 /49 lines/ <johncybpk@gmx.net>
Sent by: joel@lysator.liu.se
Imported: 2001-08-29 05:57 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18986>
Subject: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: johncybpk@gmx.net
To: bugtraq@securityfocus.com
Message-ID: <14731.999007702@www25.gmx.net>

Hi all,

when I played around with Tripwire for Webpages, I noticed
that it is very easy to detect if this tool is running on a remote
machine. Just type:

telnet <remote-host> 80
HEAD / HTTP/1.0

The output looks as follows:

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2001 15:41:33 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
ETag: "c7a3-6f-3b4edc60"
Accept-Ranges: bytes
Content-Length: 111
Connection: close
Content-Type: text/html

The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for
Webpages 1.0.3 is running.

This output is caused by the module: libmod_tripwire.so

The gathered information could be used by an attacker to be more
careful when trying to deface the content of the site running TWP.

Because then the attacker first tries to disable the TWP mechanism, because of
no alerting to the admin, and second the defacement appears on the
screen of the surfers who visit the site.

cheers

johnny.cyberpunk@illegalaccess.org
--
GMX - The communication platform on the Internet.
http://www.gmx.net
(6997179) / <johncybpk@gmx.net>/----------(Reflowed)

7002397 2001-08-28 20:28 -0700 /65 lines/ Gabriel Lawrence <gabe@landq.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-29 18:30 by Brevbäraren
External recipient: johncybpk@gmx.net
External cc recipient: bugtraq@securityfocus.com
External replies to: gabe@landq.org
Recipient: Bugtraq (import) <18989>
Comment on text 6997179 by <johncybpk@gmx.net>
Subject: Re: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: Gabriel Lawrence <gabe@landq.org>
To: johncybpk@gmx.net
Cc: bugtraq@securityfocus.com
Message-ID: <3B8C6171.9040305@landq.org>

This capability is controlled by the ServerTokens directive in Apache.
You can turn off the overly informative server line using this directive:

ServerTokens Prod

As a side note, if you don't do this the server line will contain other
useful tidbits like what version of PHP, mod_jk and mod_jrun your Apache
server is running (if you are running these things, of course). All of
this information is something a crafty program could use to find a
vulnerable server, assuming a specific version of one of these things has
a vulnerability of interest.

-gabe

johncybpk@gmx.net wrote:
> Hi all,
>
> when I played around with Tripwire for Webpages, I noticed
> that it is very easy to detect if this tool is running on a remote
> machine. Just type:
>
> telnet <remote-host> 80
> HEAD / HTTP/1.0
>
> The output looks as follows:
>
> HTTP/1.1 200 OK
> Date: Tue, 28 Aug 2001 15:41:33 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
> Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
> ETag: "c7a3-6f-3b4edc60"
> Accept-Ranges: bytes
> Content-Length: 111
> Connection: close
> Content-Type: text/html
>
>
> The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for
> Webpages 1.0.3 is running.
>
> This output is caused by the module: libmod_tripwire.so
>
> The gathered information could be used by an attacker to be more
> careful when trying to deface the content of the site running TWP.
>
> Because then the attacker first tries to disable the TWP mechanism, because of
> no alerting to the admin, and second the defacement appears on the
> screen of the surfers who visit the site.
>
> cheers
>
> johnny.cyberpunk@illegalaccess.org
>

--
There is a fine line between coincidence and destiny.
(7002397) /Gabriel Lawrence <gabe@landq.org>/(Reflowed)

7002454 2001-08-29 08:47 -0400 /48 lines/ Bennett Samowich <brs@ben-tech.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-29 18:39 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18990>
Comment on text 6997179 by <johncybpk@gmx.net>
Subject: RE: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: "Bennett Samowich" <brs@ben-tech.com>
To: <bugtraq@securityfocus.com>
Message-ID: <NDBBLLLFMLABCIHGKMMGIELKEBAA.brs@ben-tech.com>

This can be avoided by setting the "ServerSignature" directive to "Off"
in the Apache configuration. Once turned off, Apache will only send the
line "Server: Apache". This should be done anyway, as an attacker can
always use version information gathered from reconnaissance to develop
an attack plan. See the following link for more information on this
directive:

http://httpd.apache.org/docs/mod/core.html#serversignature

Unfortunately I can't say for sure how to accomplish the same in other
web servers, but I have to imagine that there is a way... or at least
there should be.

Cheers,
- Bennett

> -----Original Message-----
> Hi all,
>
> when I played around with Tripwire for Webpages, I noticed
> that it is very easy to detect if this tool is running on a remote
> machine.
> Just type:
>
> telnet <remote-host> 80
> HEAD / HTTP/1.0
>
> The output looks as follows:
>
> HTTP/1.1 200 OK
> Date: Tue, 28 Aug 2001 15:41:33 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
> Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
> ETag: "c7a3-6f-3b4edc60"
> Accept-Ranges: bytes
> Content-Length: 111
> Connection: close
> Content-Type: text/html
>
>
> The text 'Intrusion/1.0.3' in the 'Server:' line tells me that
> Tripwire for
> Webpages 1.0.3 is running.

...snip...
(7002454) /Bennett Samowich <brs@ben-tech.com>/(Reflowed)

7012604 2001-08-29 09:27 +0100 /35 lines/ Jonathan Sartin <jonathan.sartin@rubus.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-31 02:00 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19013>
Subject: RE: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: Jonathan Sartin <jonathan.sartin@rubus.com>
To: bugtraq@securityfocus.com
Message-ID: <D127B0EC0B57D41182880008C71EB3A24F61E8@lonmail.rubus.com>

You need to set the ServerTokens directive in httpd.conf to reveal only
those things that you feel appropriate about the server.

Options are:

min - will return the product and version (i.e. Apache/1.3.0)
os - will return product version and operating system.
full - will return everything, including the installed modules (as you
noted, and probably a bad thing).
product_only - will return just the product (i.e. Apache)

default seems to be full.

Examples:

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2

Note that this works on the server config level and therefore cannot be set
for individual virtualhosts.

Cheers ....
J
(7012604) /Jonathan Sartin <jonathan.sartin@rubus.com>/(Reflowed)

7016823 2001-08-31 08:17 -0400 /48 lines/ Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-08-31 16:50 by Brevbäraren
External recipient: Jonathan Sartin <jonathan.sartin@rubus.com>
External cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19016>
Comment on text 7012604 by Jonathan Sartin <jonathan.sartin@rubus.com>
Subject: RE: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
To: Jonathan Sartin <jonathan.sartin@rubus.com>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.A41.4.33.0108310815020.34494-100000@spnode43.nerdc.ufl.edu>

Know of any good links to documentation or source patches for completely
modifying or removing the banner? Note also that the Prod option only
works with versions strictly greater than 1.3.12. :-(

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 29 Aug 2001, Jonathan Sartin wrote:

> You need to set the ServerTokens directive in httpd.conf to reveal only
> those things that you feel appropriate about the server.
>
> Options are:
>
> min - will return the product and version (i.e. Apache/1.3.0)
> os - will return product version and operating system.
> full - will return everything, including the installed modules (as you
> noted, and probably a bad thing).
> product_only - will return just the product (i.e. Apache)
>
> default seems to be full.
>
> Examples:
>
> ServerTokens Prod[uctOnly]
> Server sends (e.g.): Server: Apache
> ServerTokens Min[imal]
> Server sends (e.g.): Server: Apache/1.3.0
> ServerTokens OS
> Server sends (e.g.): Server: Apache/1.3.0 (Unix)
> ServerTokens Full (or not specified)
> Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2
>
> Note that this works on the server config level and therefore cannot be set
> for individual virtualhosts.
>
> Cheers .... J
>
(7016823) /Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>/(Reflowed)

7017226 2001-08-31 15:56 +0100 /41 lines/ Fernando Cardoso <fernando.cardoso@whatevernet.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-31 18:01 by Brevbäraren
External recipient: Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
External cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19018>
Comment on text 7016823 by Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
Subject: RE: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: "Fernando Cardoso" <fernando.cardoso@whatevernet.com>
To: "Jordan K Wiens" <jwiens@nersp.nerdc.ufl.edu>
Cc: <bugtraq@securityfocus.com>
Message-ID: <NLEALDDOMLPPILFMEEJACEFMCGAA.fernando.cardoso@whatevernet.com>

Just edit

#define SERVER_BASEVERSION "Whatever you want"

in src/include/httpd.h and compile it.

Fernando

--
Fernando Cardoso - Security Consultant
WhatEverNet Computing, S.A.
Praca de Alvalade, 6 - Piso 6          Phone : +351 21 7994200
1700-036 Lisboa - Portugal             Fax   : +351 21 7994242
email : fernando.cardoso@whatevernet.com
http://www.whatevernet.com/

>
>
> Know of any good links to documentation or source patches for completely
> modifying or removing the banner? Note also that the Prod option only
> works with versions strictly greater than 1.3.12. :-(
>
> --

_____________________________________________________________________
INTERNET MAIL FOOTER
---------------------------------------------------------------------
Privileged or confidential information may be contained in this message.
If you are not the addressee indicated in this message, you may not copy
or deliver this message to anyone. In such case, you should destroy this
message and kindly notify the sender by reply email.
---------------------------------------------------------------------
(7017226) /Fernando Cardoso <fernando.cardoso@whatevernet.com>/
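Editor's added example, not code from any post in the thread: it scripts the HEAD check from the first message and classifies the Server: banner the way Jonathan Sartin's reply describes, so one run tells you both whether the Tripwire for Webpages module token is present and which ServerTokens level the host appears to be running with. The sample response is constructed from the headers quoted in the first post; the token name 'Intrusion' comes from that banner, and the four-way ServerTokens inference assumes the Apache 1.3 banner shapes listed in the thread (a banner of any other shape is reported as unknown). The head_request function needs a reachable host and is only used when a hostname is passed on the command line.

```python
"""Added example (not from the original thread): fetch and parse the HTTP
Server: banner, flag the Tripwire for Webpages module token and infer the
Apache ServerTokens level from the banner's shape."""
import re
import socket
from typing import Dict, List, Optional, Tuple

# Module token as it appears in the Server line quoted in the first post.
TWP_TOKEN = "Intrusion"

# Constructed sample response, copied from the headers quoted in the post.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 28 Aug 2001 15:41:33 GMT\r\n"
    b"Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3\r\n"
    b"Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT\r\n"
    b"ETag: \"c7a3-6f-3b4edc60\"\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 111\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def head_request(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the HEAD request the post types into telnet and return the raw
    response headers. An HTTP/1.0 request ends with a blank line, which the
    telnet transcript in the post leaves implicit."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return buf


def server_header(response: bytes) -> Optional[str]:
    """Return the value of the Server: header, or None if the server sends none."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_banner(banner: str) -> Tuple[List[Tuple[str, Optional[str]]], Optional[str]]:
    """Split 'Apache/1.3.20 (Unix) mod_ssl/2.8.4 ...' into a list of
    (product, version) pairs plus the parenthesised OS comment, if any."""
    os_match = re.search(r"\(([^)]*)\)", banner)
    os_comment = os_match.group(1) if os_match else None
    products = []
    for token in re.sub(r"\([^)]*\)", " ", banner).split():
        name, sep, version = token.partition("/")
        products.append((name, version if sep else None))
    return products, os_comment


def infer_server_tokens(banner: str) -> str:
    """Map the banner shape to the Apache 1.3 ServerTokens level that produces
    it (ProductOnly, Minimal, OS, Full) per the reply in the thread. Shapes
    none of those levels emit are reported as 'unknown'."""
    products, os_comment = parse_banner(banner)
    if not products:
        return "unknown"
    _, first_version = products[0]
    if len(products) == 1 and first_version is None and os_comment is None:
        return "ProductOnly"
    if len(products) == 1 and first_version and os_comment is None:
        return "Minimal"
    if len(products) == 1 and first_version and os_comment:
        return "OS"
    if len(products) > 1 and first_version and os_comment:
        return "Full"
    return "unknown"


def analyse(response: bytes) -> Dict[str, object]:
    """Report what the headers alone give away to a remote attacker."""
    banner = server_header(response)
    if banner is None:
        return {"banner": None, "server_tokens": "unknown",
                "twp_version": None, "products": []}
    products, _ = parse_banner(banner)
    twp = next((v for n, v in products if n == TWP_TOKEN), None)
    return {"banner": banner, "server_tokens": infer_server_tokens(banner),
            "twp_version": twp, "products": products}


if __name__ == "__main__":
    import sys
    raw = head_request(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for key, value in analyse(raw).items():
        print(f"{key}: {value}")
```

Run without arguments it analyses the constructed sample and reports twp_version 1.0.3 with ServerTokens inferred as Full; with a hostname it performs the live HEAD request instead. The inference is only a heuristic: a hand-edited SERVER_BASEVERSION, as suggested later in the thread, produces a banner the classifier cannot place and is reported as unknown rather than guessed.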
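Editor's added configuration example, not taken from any reply in the thread: the Apache 1.3 httpd.conf settings the replies argue about, shown as the leaky default beside the hardened value. Two caveats a practitioner will want: ServerTokens is a server-config-level directive (as Jonathan Sartin notes, it cannot differ per VirtualHost), and the ServerSignature directive controls the trailing line Apache appends to its own generated pages (error documents, directory listings), not the Server: header itself, so it is worth turning off but does not on its own reduce the banner. The thread places the availability of the Prod value at the 1.3.12 line of releases; check the version you run.

```apache
# Added example, not from the thread. Server-config level only; applies to
# every VirtualHost on this instance.

# Leaky default: leaving ServerTokens unset is the same as Full and emits
# the banner from the first post, including the Tripwire module token:
#   Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
#ServerTokens Full

# Hardened: product name only. Needs an Apache 1.3 release that knows
# the Prod value (the thread puts that around 1.3.12).
#   Server: Apache
ServerTokens Prod

# Removes the "Apache/1.3.20 Server at host Port 80" footer on error pages
# and directory listings. Does not change the Server: header; keep
# ServerTokens above as the control for the banner.
ServerSignature Off
```

After reloading, the telnet check from the first post should return only "Server: Apache". Modules that register their own component string (as libmod_tripwire.so does here) are hidden by ServerTokens Prod, Min and OS alike; only Full lists them.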