RE: easy remote detection of a running tripwire for webpages system

["Bennett Samowich" <brs () ben-tech com>]

This can be avoided by setting the "ServerSignature" directive to "Off" in
the Apache configuration.  Once turned off Apache will only send the line
"Server: Apache".  This should be done anyways as an attacker can always use
version information gathered from reconnaissance to develop an attack plan.

See the following link for more information on this directive:
http://httpd.apache.org/docs/mod/core.html#serversignature

Unfortunately I can't say for sure how to accomplish the same in other web
servers but I have to imagine that there is a way... or at least there
should be.

Cheers,
- Bennett

> -----Original Message-----
> Hi all,
>
> when i played arround with tripwire for webpages, i noticed
> that it is very easy to detect if this tool is running on a remote
> machine. just type :
>
> telnet <remote-host> 80
> HEAD / HTTP/1.0
>
> The Output looks as follows :
>
> HTTP/1.1 200 OK
> Date: Tue, 28 Aug 2001 15:41:33 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
> Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
> ETag: "c7a3-6f-3b4edc60"
> Accept-Ranges: bytes
> Content-Length: 111
> Connection: close
> Content-Type: text/html
>
>
> The text 'Intrusion/1.0.3' in the 'Server:' line tells me that
> Tripwire for
> Webpages 1.0.3 is running.
...snip...