6997179 2001-08-28 16:08 +0200  /49 lines/  <johncybpk@gmx.net>
Sent by: joel@lysator.liu.se
Imported: 2001-08-29  05:57  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18986>
Subject: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: johncybpk@gmx.net
To: bugtraq@securityfocus.com
Message-ID: <14731.999007702@www25.gmx.net>

Hi all,

When I played around with Tripwire for Webpages, I noticed
that it is very easy to detect if this tool is running on a remote
machine. Just type:

telnet <remote-host> 80
HEAD / HTTP/1.0

The output looks as follows:

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2001 15:41:33 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
ETag: "c7a3-6f-3b4edc60"
Accept-Ranges: bytes
Content-Length: 111
Connection: close
Content-Type: text/html


The text 'Intrusion/1.0.3' in the 'Server:' line tells me that
Tripwire for Webpages 1.0.3 is running.

This output is caused by the module: libmod_tripwire.so

The gathered information could be used by an attacker to be more
careful when trying to deface the content of the site running TWP.

Because then the attacker first tries to disable the TWP mechanism, so
that the admin is not alerted, and second the defacement appears on
the screens of the surfers who visit the site.

cheers

johnny.cyberpunk@illegalaccess.org
 

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
(6997179) / <johncybpk@gmx.net>/----------(Reflowed)
7002397 2001-08-28 20:28 -0700  /65 lines/ Gabriel Lawrence <gabe@landq.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-29  18:30  by Brevbäraren
External recipient: johncybpk@gmx.net
External CC recipient: bugtraq@securityfocus.com
External replies to: gabe@landq.org
Recipient: Bugtraq (import) <18989>
Comment on text 6997179 by  <johncybpk@gmx.net>
Subject: Re: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: Gabriel Lawrence <gabe@landq.org>
To: johncybpk@gmx.net
Cc: bugtraq@securityfocus.com
Message-ID: <3B8C6171.9040305@landq.org>

This capability is controlled by the ServerTokens directive in
Apache.  You can turn off the overly informative server line using
this directive:

ServerTokens Prod

As a side note, if you don't do this the server line will contain
other useful tidbits like what version of PHP, mod_jk and mod_jrun
your Apache server is running (if you are running these things of
course.) All of this information is something a crafty program could
use to find a vulnerable server assuming a specific version of one
of these things has a vulnerability of interest.

-gabe

johncybpk@gmx.net wrote:

> Hi all,
> 
> When I played around with Tripwire for Webpages, I noticed
> that it is very easy to detect if this tool is running on a remote
> machine. Just type:
> 
> telnet <remote-host> 80
> HEAD / HTTP/1.0
> 
> The output looks as follows:
> 
> HTTP/1.1 200 OK
> Date: Tue, 28 Aug 2001 15:41:33 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3  
> Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
> ETag: "c7a3-6f-3b4edc60"
> Accept-Ranges: bytes
> Content-Length: 111
> Connection: close
> Content-Type: text/html
> 
> 
> The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for
> Webpages 1.0.3 is running.
> 
> This output is caused by the module: libmod_tripwire.so
> 
> The gathered information could be used by an attacker to be more
> careful when trying to deface the content of the site running TWP.
> 
> Because then the attacker first tries to disable the TWP mechanism, so
> that the admin is not alerted, and second the defacement appears on the
> screens of the surfers who visit the site.
> 
> cheers
> 
> johnny.cyberpunk@illegalaccess.org
>  


-- 
There is a fine line between coincidence and destiny.
(7002397) /Gabriel Lawrence <gabe@landq.org>/(Reflowed)
7002454 2001-08-29 08:47 -0400  /48 lines/ Bennett Samowich <brs@ben-tech.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-29  18:39  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18990>
Comment on text 6997179 by  <johncybpk@gmx.net>
Subject: RE: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: "Bennett Samowich" <brs@ben-tech.com>
To: <bugtraq@securityfocus.com>
Message-ID: <NDBBLLLFMLABCIHGKMMGIELKEBAA.brs@ben-tech.com>

This can be avoided by setting the "ServerSignature" directive to
"Off" in the Apache configuration.  Once turned off Apache will only
send the line "Server: Apache".  This should be done anyway as an
attacker can always use version information gathered from
reconnaissance to develop an attack plan.

See the following link for more information on this directive:
http://httpd.apache.org/docs/mod/core.html#serversignature

Unfortunately I can't say for sure how to accomplish the same in
other web servers but I have to imagine that there is a way... or at
least there should be.

Cheers,
- Bennett

> -----Original Message-----
> Hi all,
>
> When I played around with Tripwire for Webpages, I noticed
> that it is very easy to detect if this tool is running on a remote
> machine. Just type:
>
> telnet <remote-host> 80
> HEAD / HTTP/1.0
>
> The output looks as follows:
>
> HTTP/1.1 200 OK
> Date: Tue, 28 Aug 2001 15:41:33 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
> Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
> ETag: "c7a3-6f-3b4edc60"
> Accept-Ranges: bytes
> Content-Length: 111
> Connection: close
> Content-Type: text/html
>
>
> The text 'Intrusion/1.0.3' in the 'Server:' line tells me that
> Tripwire for Webpages 1.0.3 is running.
...snip...
(7002454) /Bennett Samowich <brs@ben-tech.com>/(Reflowed)
7012604 2001-08-29 09:27 +0100  /35 lines/ Jonathan Sartin <jonathan.sartin@rubus.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-31  02:00  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19013>
Subject: RE: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: Jonathan Sartin <jonathan.sartin@rubus.com>
To: bugtraq@securityfocus.com
Message-ID: <D127B0EC0B57D41182880008C71EB3A24F61E8@lonmail.rubus.com>

You need to set the ServerTokens directive in httpd.conf to reveal
only those things that you feel appropriate about the server.

Options are:

min - will return the product and version (i.e. Apache/1.3.0)
os - will return product version and operating system.
full - will return everything, including the installed modules (as you
noted, and probably a bad thing).
product_only - will return just the product (i.e. Apache)

default seems to be full.

Examples:

ServerTokens Prod[uctOnly]
     Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
     Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
     Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
     Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2

Note that this works on the server config level and therefore cannot
be set for individual virtualhosts.

Cheers .... J
(7012604) /Jonathan Sartin <jonathan.sartin@rubus.com>/(Reflowed)
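Added example, not part of the thread or of Apache itself: a small Python audit helper that pulls the Server: header out of a raw HEAD response (the constructed sample reproduces the response quoted in the original report), splits it into product, version, OS and module tokens, and names which of the ServerTokens levels listed above would produce it, so an administrator can confirm the directive took effect and that the Intrusion/ token is no longer exposed. The function names and the header regex are my own assumptions about the header's shape.

```python
import re

# Constructed sample: the HEAD / response quoted in the original report,
# rebuilt as raw HTTP text so the parser can be exercised offline.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 28 Aug 2001 15:41:33 GMT\r\n"
    "Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3\r\n"
    "Content-Length: 111\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# product[/version] [(os)] [module/version ...] -- the shape Apache emits
_SERVER_RE = re.compile(r"^([^/\s]+)(?:/(\S+))?(?:\s+\(([^)]*)\))?\s*(.*)$")


def server_header(raw_response: str) -> str:
    """Return the value of the Server: header from a raw HTTP response ('' if absent)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""


def classify_server_tokens(value: str) -> dict:
    """Break a Server: value into its parts and name the ServerTokens level
    (ProductOnly, Minimal, OS or Full) that would produce it."""
    m = _SERVER_RE.match(value.strip())
    if m is None:                                # empty header: nothing to classify
        return {"product": "", "version": None, "os": None, "modules": [], "level": "absent"}
    product, version, os_name, rest = m.groups()
    modules = rest.split()                       # anything past the OS is a module token
    if modules:
        level = "Full"
    elif os_name:
        level = "OS"
    elif version:
        level = "Minimal"
    else:
        level = "ProductOnly"
    return {"product": product, "version": version, "os": os_name,
            "modules": modules, "level": level}


def twp_exposed(value: str) -> bool:
    """True when the Server: line still carries the Intrusion/<ver> token that
    Tripwire for Webpages' libmod_tripwire.so adds."""
    return any(t.startswith("Intrusion/") for t in classify_server_tokens(value)["modules"])
```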
7016823 2001-08-31 08:17 -0400  /48 lines/ Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-08-31  16:50  by Brevbäraren
External recipient: Jonathan Sartin <jonathan.sartin@rubus.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19016>
Comment on text 7012604 by Jonathan Sartin <jonathan.sartin@rubus.com>
Subject: RE: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
To: Jonathan Sartin <jonathan.sartin@rubus.com>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.A41.4.33.0108310815020.34494-100000@spnode43.nerdc.ufl.edu>

Know of any good links to documentation or source patches for
completely modifying or removing the banner?  Note also that the Prod
option only works with versions strictly greater than 1.3.12.  :-(

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 29 Aug 2001, Jonathan Sartin wrote:

> You need to set the ServerTokens directive in httpd.conf to reveal only
> those things that you feel appropriate about the server.
>
> Options are:
>
> min - will return the product and version (i.e. Apache/1.3.0)
> os - will return product version and operating system.
> full - will return everything, including the installed modules (as you
> noted, and probably a bad thing).
> product_only - will return just the product (i.e. Apache)
>
> default seems to be full.
>
> Examples:
>
> ServerTokens Prod[uctOnly]
>      Server sends (e.g.): Server: Apache
> ServerTokens Min[imal]
>      Server sends (e.g.): Server: Apache/1.3.0
> ServerTokens OS
>      Server sends (e.g.): Server: Apache/1.3.0 (Unix)
> ServerTokens Full (or not specified)
>      Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2
>
> Note that this works on the server config level and therefore cannot be set
> for individual virtualhosts.
>
> Cheers .... J
>
(7016823) /Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>/(Reflowed)
7017226 2001-08-31 15:56 +0100  /41 lines/ Fernando Cardoso <fernando.cardoso@whatevernet.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-31  18:01  by Brevbäraren
External recipient: Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19018>
Comment on text 7016823 by Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
Subject: RE: easy remote detection of a running tripwire for webpages system
------------------------------------------------------------
From: "Fernando Cardoso" <fernando.cardoso@whatevernet.com>
To: "Jordan K Wiens" <jwiens@nersp.nerdc.ufl.edu>
Cc: <bugtraq@securityfocus.com>
Message-ID: <NLEALDDOMLPPILFMEEJACEFMCGAA.fernando.cardoso@whatevernet.com>

Just edit #define SERVER_BASEVERSION "Whatever you want" in
src/include/httpd.h and compile it.

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso@whatevernet.com     http://www.whatevernet.com/

>
>
> Know of any good links to documentation or source patches for completely
> modifying or removing the banner?  Note also that the Prod option only
> works with versions strictly greater than 1.3.12.  :-(
>
> --


(7017226) /Fernando Cardoso <fernando.cardoso@whatevernet.com>/