Re: easy remote detection of a running tripwire for webpages system

From: Johnny Cyberpunk (johncybpkat_private)
Date: Fri Aug 31 2001 - 09:03:40 PDT


    Jordan,
    
    I patch my servers by editing the binaries (httpd and the modules I'm
    using) with a hex editor. This works very well for me and I never had
    problems with it. If you're going this way, you have to patch at multiple
    offsets. Not only 'HEAD / HTTP/1.0' gives information on the Apache version
    used; a non-valid request or a non-existing file also gives info.
    Also be careful while patching! Don't use longer strings than the original
    text! Terminate the string with '00', and if you don't want to show any
    information, the first byte in the string should be '20' hex and the next
    '00'!
    
    Another possibility is to find the program lines for a HEAD request and
    modify its answers.
    
    Or try to find every string where the server name or module name is
    mentioned in the source code.
    
    cheers
    
    johnny cyberpunk
    
    
    
    ----- Original Message -----
    From: "Jordan K Wiens" <jwiensat_private>
    To: "Jonathan Sartin" <jonathan.sartinat_private>
    Cc: <bugtraqat_private>
    Sent: Friday, August 31, 2001 2:17 PM
    Subject: RE: easy remote detection of a running tripwire for webpages system
    
    
    > Know of any good links to documentation or source patches for completely
    > modifying or removing the banner?  Note also that the Prod option only
    > works with versions strictly greater than 1.3.12.  :-(
    >
    > --
    > Jordan Wiens
    > UF Network Incident Response Team
    > (352)392-2061
    >
    > On Wed, 29 Aug 2001, Jonathan Sartin wrote:
    >
    > > You need to set the ServerTokens directive in httpd.conf to reveal only
    > > those things that you feel appropriate about the server.
    > >
    > > Options are:
    > >
    > > min - will return the product and version (i.e. Apache/1.3.0)
    > > os - will return product version and operating system.
    > > full - will return everything, including the installed modules (as you
    > > noted, and probably a bad thing).
    > > product_only - will return just the product (i.e. Apache)
    > >
    > > default seems to be full.
    > >
    > > Examples:
    > >
    > > ServerTokens Prod[uctOnly]
    > >      Server sends (e.g.): Server: Apache
    > > ServerTokens Min[imal]
    > >      Server sends (e.g.): Server: Apache/1.3.0
    > > ServerTokens OS
    > >      Server sends (e.g.): Server: Apache/1.3.0 (Unix)
    > > ServerTokens Full (or not specified)
    > >      Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2
    > >
    > > Note that this works on the server config level and therefore cannot be
    > > set for individual virtual hosts.
    > >
    > > Cheers .... J
    > >
    >
    



    This archive was generated by hypermail 2b30 : Fri Aug 31 2001 - 09:14:36 PDT