Bugtraq mailing list archives
RE: easy remote detection of a running tripwire for webpages system
From: "Bennett Samowich" <brs () ben-tech com>
Date: Wed, 29 Aug 2001 08:47:09 -0400
This can be avoided by setting the "ServerSignature" directive to "Off" in the Apache configuration. Once turned off Apache will only send the line "Server: Apache". This should be done anyways as an attacker can always use version information gathered from reconnaissance to develop an attack plan. See the following link for more information on this directive: http://httpd.apache.org/docs/mod/core.html#serversignature Unfortunately I can't say for sure how to accomplish the same in other web servers but I have to imagine that there is a way... or at least there should be. Cheers, - Bennett
-----Original Message----- Hi all, when i played arround with tripwire for webpages, i noticed that it is very easy to detect if this tool is running on a remote machine. just type : telnet <remote-host> 80 HEAD / HTTP/1.0 The Output looks as follows : HTTP/1.1 200 OK Date: Tue, 28 Aug 2001 15:41:33 GMT Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3 Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT ETag: "c7a3-6f-3b4edc60" Accept-Ranges: bytes Content-Length: 111 Connection: close Content-Type: text/html The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for Webpages 1.0.3 is running.
...snip...
Current thread:
- easy remote detection of a running tripwire for webpages system johncybpk (Aug 28)
- Re: easy remote detection of a running tripwire for webpages system Gabriel Lawrence (Aug 29)
- RE: easy remote detection of a running tripwire for webpages system Bennett Samowich (Aug 29)