This capability is controlled by the ServerTokens directive in apache. You can turn off the overly informative server line using this directive: ServerTokens Prod As a side note, if you don't do this the server line will contain other useful tidbits like what version of PHP, mod_jk and mod_jrun your Apache server is running (if you are running these things of course.) All of this information is something a crafty program could use to find a vulnerable server assuming a specific version of one of these things has a vulnerability of interest. -gabe johncybpkat_private wrote: > Hi all, > > when i played arround with tripwire for webpages, i noticed > that it is very easy to detect if this tool is running on a remote > machine. just type : > > telnet <remote-host> 80 > HEAD / HTTP/1.0 > > The Output looks as follows : > > HTTP/1.1 200 OK > Date: Tue, 28 Aug 2001 15:41:33 GMT > Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3 > Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT > ETag: "c7a3-6f-3b4edc60" > Accept-Ranges: bytes > Content-Length: 111 > Connection: close > Content-Type: text/html > > > The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for > Webpages 1.0.3 is running. > > This output is caused by the module : libmod_tripwire.so > > The gathered information could be used by an attacker to be more > careful when trying to deface the content of the site running TWP. > > Because then the attacker tries first to disable the TWP mechanism coz of > no alerting to the admin and second the defacement appears on the > screen of the surfers who visit the site. > > cheers > > johnny.cyberpunkat_private > -- There is a fine line between coincidence and destiny.
This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 09:27:49 PDT