I will agree with Brian in that Netcraft is not sending requests that would determine whether or not an IIS web server is vulnerable to a specific exploit. They are rather hitting as many web sites as possible to see how many of what vendors' web servers are being used.

___________________________________________
Kris Quinby, CISSP
Systems Engineer - Data Center Operations
GE Medical Systems Information Technologies
Email: kris.quinby@private
Phone: 503-531-7190
Fax: 503-531-7003

-----Original Message-----
From: brvarin@private [mailto:brvarin@private]
Sent: Friday, June 21, 2002 7:19 AM
To: crime@private
Subject: Re: CRIME Netcraft Ethics

I'm fine with it. They aren't searching your box specifically to find out if you have a vulnerable machine, they are compiling stats on who runs what. If you don't like it, you can always remove header information and patch your machine.

Does anyone have a problem with my IDS supplying me with a giant list of vulnerable IIS servers? With IIS, you don't need to scan to find vulnerable machines... they will come to you.

From: "Jimmy S." <jimmys@private>@cs.pdx.edu on 06/20/2002 07:38 PM
Sent by: owner-crime@private
To: <crime@private>
cc:
bcc:
Subject: CRIME Netcraft Ethics

Hi all,

I would like to pose a question. Does anyone else have a problem with Netcraft sweeping the web looking for servers vulnerable to the latest IIS buffer overflow? Now I know that they are a company that compiles statistics on internet usage, but still, the idea of them having a huge database of IP addresses of vulnerable IIS servers reminds me of the purpose of most root kits once they are installed, which is to scan other servers looking for vulnerable IPs. Maybe I'm too paranoid or off base here, but with the proper reverse DNS I can become a Netcraft scanning agent myself. If we are going to rely on reverse DNS to tell who is ok and who isn't, then we will obviously get some with maliciously configured reverse DNS.

Below is the hit I received in my web server log:

22:20:13 195.92.95.61 - 80 GET /nonexistent.htr - 500 2148007941 471 161 90550 HTTP/1.0 www.myesn.com Mozilla/4.0+(compatible;+Netcraft+Webserver+Survey) - http://www.netcraft.com/Survey/

Is anyone else ok with this practice?

================================================
Jimmy Sadri CISSP                        jimmys@private
Systems Administrator/Webmaster          webmaster@private
Network Engineer/Security Consultant     Myesn.com
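Added example, not part of any message in this thread: a small log triage script that separates a one-off Netcraft survey hit like the one quoted above from repeated .htr requests coming from a single source. The 17-field W3C extended field order, the SCAN_THRESHOLD value and all sample lines other than the quoted one are assumptions constructed for the example.

```python
# Added example (not from the thread): sort IIS W3C-extended log lines into
# Netcraft survey hits, other .htr requests and everything else, per source IP.
from collections import Counter, defaultdict

# Field order is an assumption inferred from the single line quoted in the thread.
FIELDS = ("time", "c_ip", "cs_username", "s_port", "cs_method", "cs_uri_stem",
          "cs_uri_query", "sc_status", "sc_win32_status", "sc_bytes", "cs_bytes",
          "time_taken", "cs_version", "cs_host", "cs_user_agent", "cs_cookie",
          "cs_referer")

SURVEY_UA = "Netcraft Webserver Survey"  # token seen in the quoted log line
SCAN_THRESHOLD = 3                       # constructed: .htr hits per IP before we flag it

def parse_line(line):
    """Split one log line into a dict; return None for lines that don't fit FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["cs_user_agent"] = rec["cs_user_agent"].replace("+", " ")  # IIS logs spaces as '+'
    return rec

def classify(rec):
    """Label a parsed record: 'survey', 'htr' (other .htr requests) or 'other'."""
    if SURVEY_UA in rec["cs_user_agent"]:
        return "survey"
    if rec["cs_uri_stem"].lower().endswith(".htr"):
        return "htr"
    return "other"

def summarize(lines):
    """Return per-IP label counts and the set of IPs whose .htr traffic looks scan-like."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["c_ip"]][classify(rec)] += 1
    scan_like = {ip for ip, c in per_ip.items() if c["htr"] >= SCAN_THRESHOLD}
    return per_ip, scan_like

# Constructed sample: the line quoted in the thread plus invented traffic from two
# documentation-range (192.0.2.0/24) addresses.
SAMPLE = [
    "22:20:13 195.92.95.61 - 80 GET /nonexistent.htr - 500 2148007941 471 161 90550 HTTP/1.0 www.myesn.com Mozilla/4.0+(compatible;+Netcraft+Webserver+Survey) - http://www.netcraft.com/Survey/",
    "22:21:02 192.0.2.10 - 80 GET /a.htr - 500 0 471 300 15 HTTP/1.0 www.myesn.com Mozilla/4.0 - -",
    "22:21:03 192.0.2.10 - 80 GET /b.htr - 500 0 471 300 15 HTTP/1.0 www.myesn.com Mozilla/4.0 - -",
    "22:21:04 192.0.2.10 - 80 GET /c.htr - 500 0 471 300 15 HTTP/1.0 www.myesn.com Mozilla/4.0 - -",
    "22:25:40 192.0.2.77 - 80 GET /index.html - 200 0 2048 210 10 HTTP/1.0 www.myesn.com Mozilla/4.0 - -",
]

if __name__ == "__main__":
    per_ip, scan_like = summarize(SAMPLE)
    for ip, counts in per_ip.items():
        print(ip, dict(counts), "SCAN-LIKE" if ip in scan_like else "")
```

The survey source ends up with a single 'survey' record and no flag, while the constructed source with three .htr requests is the only one reported as scan-like.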
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 11:45:29 PDT