On Thu, Oct 17, 2002 at 07:37:29PM -0400, Johnny Calhoun wrote: > This looks to be a banner grabbing attempt on your webservers. Alot of > scanners/worms will do this in an attempt to find out what type of web server > you are running and compare it against a list of vulnerable servers for some > particular exploit. The `"/sumthin" is placed within the GET command to > [root@calsys root]# telnet 127.0.0.1 80 > Notice how it revealed the Web Server type, Version and OS it runs on. Add the lines ServerTokens prod ServerSignature no to your Apache config (httpd.conf) to prevent the server from disclosing this information. -- Patrick Oonk - Pine Digital Security - patrick.oonkat_private T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl PGPid A4E74BBF fp A7CF 7611 E8C4 7B79 CA36 0BFD 2CB4 7283 A4E7 4BBF Excuse of the day: User was distributing pornography on server; system seized by FBI. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 15:54:16 PDT