easy remote detection of a running tripwire for webpages system

[johncybpk () gmx net]

Hi all,

when i played arround with tripwire for webpages, i noticed
that it is very easy to detect if this tool is running on a remote
machine. just type :

telnet <remote-host> 80
HEAD / HTTP/1.0

The Output looks as follows :

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2001 15:41:33 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3  
Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
ETag: "c7a3-6f-3b4edc60"
Accept-Ranges: bytes
Content-Length: 111
Connection: close
Content-Type: text/html


The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for
Webpages 1.0.3 is running.

This output is caused by the module : libmod_tripwire.so

The gathered information could be used by an attacker to be more
careful when trying to deface the content of the site running TWP.

Because then the attacker tries first to disable the TWP mechanism coz of
no alerting to the admin and second the defacement appears on the
screen of the surfers who visit the site.

cheers

johnny.cyberpunk () illegalaccess org
 

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net