Re: easy remote detection of a running tripwire for webpages system

[Gabriel Lawrence <gabe () landq org>]

This capability is controlled by the ServerTokens directive in apache. 
You can turn off the overly informative server line using this directive:

ServerTokens Prod

As a side note, if you don't do this the server line will contain other 
useful tidbits like what version of PHP, mod_jk and mod_jrun your Apache 
server is running (if you are running these things of course.) All of 
this information is something a crafty program could use to find a 
vulnerable server assuming a specific version of one of these things has 
a vulnerability of interest.

-gabe

johncybpk () gmx net wrote:

> Hi all,
>
> when i played arround with tripwire for webpages, i noticed
> that it is very easy to detect if this tool is running on a remote
> machine. just type :
>
> telnet <remote-host> 80
> HEAD / HTTP/1.0
>
> The Output looks as follows :
>
> HTTP/1.1 200 OK
> Date: Tue, 28 Aug 2001 15:41:33 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3  
> Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
> ETag: "c7a3-6f-3b4edc60"
> Accept-Ranges: bytes
> Content-Length: 111
> Connection: close
> Content-Type: text/html
>
>
> The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for
> Webpages 1.0.3 is running.
>
> This output is caused by the module : libmod_tripwire.so
>
> The gathered information could be used by an attacker to be more
> careful when trying to deface the content of the site running TWP.
>
> Because then the attacker tries first to disable the TWP mechanism coz of
> no alerting to the admin and second the defacement appears on the
> screen of the surfers who visit the site.
>
> cheers
>
> johnny.cyberpunk () illegalaccess org
>  


--
There is a fine line between coincidence and destiny.