Bugtraq mailing list archives
easy remote detection of a running tripwire for webpages system
From: johncybpk () gmx net
Date: Tue, 28 Aug 2001 16:08:22 +0200 (MEST)
Hi all, when i played arround with tripwire for webpages, i noticed that it is very easy to detect if this tool is running on a remote machine. just type : telnet <remote-host> 80 HEAD / HTTP/1.0 The Output looks as follows : HTTP/1.1 200 OK Date: Tue, 28 Aug 2001 15:41:33 GMT Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3 Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT ETag: "c7a3-6f-3b4edc60" Accept-Ranges: bytes Content-Length: 111 Connection: close Content-Type: text/html The text 'Intrusion/1.0.3' in the 'Server:' line tells me that Tripwire for Webpages 1.0.3 is running. This output is caused by the module : libmod_tripwire.so The gathered information could be used by an attacker to be more careful when trying to deface the content of the site running TWP. Because then the attacker tries first to disable the TWP mechanism coz of no alerting to the admin and second the defacement appears on the screen of the surfers who visit the site. cheers johnny.cyberpunk () illegalaccess org -- GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net
Current thread:
- easy remote detection of a running tripwire for webpages system johncybpk (Aug 28)
- Re: easy remote detection of a running tripwire for webpages system Gabriel Lawrence (Aug 29)
- RE: easy remote detection of a running tripwire for webpages system Bennett Samowich (Aug 29)