Re: Unusual Web Server

From: Bill Pennington (billpat_private)
Date: Tue Jul 08 2003 - 12:37:20 PDT

Next message: Noonan, Wesley: "RE: Unusual Web Server"

Previous message: Keith Pachulski: "RE: Unusual Web Server"
In reply to: charrin2at_private: "Unusual Web Server"
Next in thread: Noonan, Wesley: "RE: Unusual Web Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I am pretty sure that is a Domino web server though I am not 100% sure.

I would try using netcat  
http://www.atstake.com/research/tools/network_utilities/ instead of  
telnet. Many versions of telnet try to send a userid as part of the  
connection and I think that is why you are getting the "400 Bad  
Request" initially.

A request to try:

OPTIONS * HTTP/1.1
Host: host.foobar.com

This will generally spill the beans.


On Tuesday, July 8, 2003, at 11:45 AM, "" <charrin2at_private> wrote:

> All,
>
> I have found a web server that I cannot identify. It is listening on  
> port
> 5050. When I telnet to it I get:
>
> telnet host.foobar.com 5050
> Trying 10.10.10.10...
> Connected to host.foobar.com.
> Escape character is '^]'.
>
> HTTP/1.1 400 Bad Request
> Date: Tue,  8 July 2003 14:59:05
> Server: Web/R5_2_2
>
> 400 Bad Request
> Connection closed by foreign host.
>
>
> If I try to browse to it I am prompted for a username / password. After
> entering the wrong password I get the ususal 401 unauthorized. The  
> default
> page is layout.html
>
> Any help would be appreciated.
>
> --Chris
>
>
>
> ----------------------------------------------------------------------- 
> ----
> The Lightning Console aggregates IDS events, correlates them with
> vulnerability info, reduces false positives with the click of a  
> button, anddistributes this information to hundreds of users.
>
> Visit Tenable Network Security at http://www.tenablesecurity.com to  
> learn
> more.
> ----------------------------------------------------------------------- 
> -----
>
>

---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com


---------------------------------------------------------------------------
The Lightning Console aggregates IDS events, correlates them with 
vulnerability info, reduces false positives with the click of a button, anddistributes this information to hundreds of users.

Visit Tenable Network Security at http://www.tenablesecurity.com to learn 
more.
----------------------------------------------------------------------------

Next message: Noonan, Wesley: "RE: Unusual Web Server"
Previous message: Keith Pachulski: "RE: Unusual Web Server"
In reply to: charrin2at_private: "Unusual Web Server"
Next in thread: Noonan, Wesley: "RE: Unusual Web Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 14:26:59 PDT