Hi all,

When I played around with Tripwire for Webpages, I noticed that it is very easy to detect if this tool is running on a remote machine. Just type:

    telnet <remote-host> 80
    HEAD / HTTP/1.0

The output looks as follows:

    HTTP/1.1 200 OK
    Date: Tue, 28 Aug 2001 15:41:33 GMT
    Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
    Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
    ETag: "c7a3-6f-3b4edc60"
    Accept-Ranges: bytes
    Content-Length: 111
    Connection: close
    Content-Type: text/html

The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for Webpages 1.0.3 is running. This output is caused by the module: libmod_tripwire.so

The gathered information could be used by an attacker to be more careful when trying to deface the content of the site running TWP. Because then the attacker tries first to disable the TWP mechanism coz of no alerting to the admin and second the defacement appears on the screen of the surfers who visit the site.

cheers
johnny.cyberpunkat_private

--
GMX - The communication platform on the Internet. http://www.gmx.net
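Added example, not part of the original post: a Python check an operator could run over their own server's response head to list what the Server banner discloses, using an excerpt of the response quoted above as sample input. The allowlist ALLOWED_PRODUCTS and all function names are assumptions made for illustration.

```python
import re

# One Server-header element: either a parenthesised comment or a
# product token with an optional /version (RFC 7231 "product" syntax).
_ELEMENT = re.compile(
    r"\((?P<comment>[^)]*)\)|(?P<name>[^\s/()]+)(?:/(?P<version>[^\s()]+))?")

# Assumption: products the operator accepts in the banner (hypothetical policy).
ALLOWED_PRODUCTS = {"apache"}


def parse_response_headers(raw):
    """Return {lowercased-name: value} from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_products(server_value):
    """Split a Server value into (name, version) pairs, ignoring comments."""
    return [(m.group("name"), m.group("version"))
            for m in _ELEMENT.finditer(server_value) if m.group("name")]


def audit_banner(raw_response, allowed=ALLOWED_PRODUCTS):
    """List banner tokens that disclose more than the allowed product names."""
    server = parse_response_headers(raw_response).get("server", "")
    findings = []
    for name, version in server_products(server):
        if name.lower() not in allowed:
            findings.append(f"{name}/{version}" if version else name)
        elif version:
            findings.append(f"{name}/{version} (version disclosed)")
    return findings


# Excerpt of the response quoted in the post, reproduced as sample input.
SAMPLE = """HTTP/1.1 200 OK
Date: Tue, 28 Aug 2001 15:41:33 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
Content-Type: text/html
"""

if __name__ == "__main__":
    for finding in audit_banner(SAMPLE):
        print("banner discloses:", finding)
```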
This archive was generated by hypermail 2b30 : Tue Aug 28 2001 - 20:29:45 PDT