Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP attack looking for /sumthin ?

From: Patrick Oonk <patrick.oonk () pine nl>
Date: Fri, 18 Oct 2002 10:35:34 +0200
On Thu, Oct 17, 2002 at 07:37:29PM -0400, Johnny Calhoun wrote:

This looks to be a banner grabbing attempt on your webservers.  Alot of 
scanners/worms will do this in an attempt to find out what type of web server 
you are running and compare it against a list of vulnerable servers for some 
particular exploit.  The `"/sumthin" is placed within the GET command to 

 

[root@calsys root]# telnet 127.0.0.1 80

 

Notice how it revealed the Web Server type, Version and OS it runs on.


Add the lines

        ServerTokens prod
        ServerSignature no

to your Apache config (httpd.conf) to prevent the server from disclosing 
this information.
 

-- 
 Patrick Oonk    -   Pine Digital Security    -   patrick.oonk () pine nl
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
 PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
 Excuse of the day: User was distributing pornography on server;
 system seized by FBI.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: