Re: CRIME Netcraft Ethics

From: Zot O'Connor (zot@private)
Date: Sun Jun 23 2002 - 03:14:40 PDT


    On Fri, 2002-06-21 at 07:19, brvarin@private wrote:
    > I'm fine with it. They aren't searching your box specifically to find out
    > if you have a vulnerable machine, they are compiling stats on who runs
    > what. If you don't like it, you can always remove header information and
    > patch your machine. 
    
    This is an assumption that is basically wrong.  Try it with various
    versions of IIS.  Even with Apache I had to edit the binary (yes, I know I can
    recompile it, but editing a binary gives you so much more of a rush).
    
    Apache 2.0 supposedly allows this to be fixed; I have not tested.
    
    > Does anyone have a problem with my IDS supplying me
    > with a giant list of vulnerable IIS servers? With IIS, you don't need to
    > scan to find vulnerable machines...they will come to you.
    > 
    > From: "Jimmy S." <jimmys@private>@cs.pdx.edu on 06/20/2002 07:38 PM
    > Sent by:  owner-crime@private
    > To:   <crime@private>
    > cc:
    > bcc:
    > Subject:  CRIME Netcraft Ethics
    > 
    > Hi all,
    > 
    >    I would like to pose a question.  Does anyone else have a problem with
    > Netcraft sweeping the web looking for servers vulnerable to the latest IIS
    > buffer overflow?  Now I know that they are a company that compiles statistics
    > on internet usage, but still, the idea of them having a huge database of IP
    > addresses of vulnerable IIS servers reminds me of the purpose of most root
    > kits once they are installed, which is to scan other servers looking for
    > vulnerable IPs.  Maybe I'm too paranoid or off base here, but with the proper
    > reverse DNS I can become a Netcraft scanning agent myself.  If we are going
    > to rely on reverse DNS to tell who is ok and who isn't, then we will
    > obviously get some with maliciously configured reverse DNS.
    > 
    > Below is the hit I received in my web server log:
    > 
    > 22:20:13 195.92.95.61 - 80 GET /nonexistent.htr - 500 2148007941 471 161 90550 HTTP/1.0 www.myesn.com Mozilla/4.0+(compatible;+Netcraft+Webserver+Survey) - http://www.netcraft.com/Survey/
    > 
    > 
    > Is anyone else ok with this practice?
    > 
    > ================================================
    > Jimmy Sadri  CISSP
    > jimmys@private
    > Systems Administrator/Webmaster                  webmaster@private
    > Network Engineer/Security Consultant                      Myesn.com
    > 
    > 
    > 
    > 
    -- 
    Zot O'Connor
    
    http://www.ZotConsulting.com
    http://www.WhiteKnightHackers.com
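
Added example, not part of the original thread: a log triage sketch for the point about reverse DNS, which parses the quoted hit and treats the "Netcraft" User-Agent as verified only when the PTR name also resolves forward to the same IP. The field order is an assumption inferred from the sample line, the `netcraft.com` suffix is taken from the survey URL in that line, and the resolver hooks are hypothetical helpers so the check can be exercised offline.

```python
import socket

# Assumption: W3C extended field order, inferred from the sample hit (the thread does not state it).
FIELDS = ("time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query "
          "sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version "
          "cs-host cs(User-Agent) cs(Cookie) cs(Referer)").split()

# The hit quoted in the thread, rejoined onto one line.
SAMPLE = ("22:20:13 195.92.95.61 - 80 GET /nonexistent.htr - 500 2148007941 471 161 "
          "90550 HTTP/1.0 www.myesn.com "
          "Mozilla/4.0+(compatible;+Netcraft+Webserver+Survey) - "
          "http://www.netcraft.com/Survey/")

def parse_hit(line):
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    return dict(zip(FIELDS, values))

def system_ptr(ip):
    """Reverse lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Forward lookup via the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(ip, suffix, ptr=system_ptr, forward=system_forward):
    """True only if the PTR name is under suffix AND resolves back to ip."""
    name = ptr(ip)
    if not name:
        return False
    name = name.rstrip(".").lower()
    if name != suffix and not name.endswith("." + suffix):
        return False
    # Whoever controls the reverse zone sets the PTR; the forward zone must agree.
    return ip in forward(name)

def classify(line, suffix="netcraft.com", ptr=system_ptr, forward=system_forward):
    hit = parse_hit(line)
    if "Netcraft" not in hit["cs(User-Agent)"]:
        return "other"
    ok = fcrdns(hit["c-ip"], suffix, ptr, forward)
    return "verified-survey" if ok else "unverified-claim"
```

Both the User-Agent and the PTR record are set by the client side, so only the forward confirmation ties the claim to the named domain.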
    



    This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 04:38:30 PDT