Nmap Development mailing list archives
Re: favicon survey script
From: Joao Correa <joao () livewire com br>
Date: Sun, 9 Aug 2009 05:48:15 -0300
Uff, Hello guys.

Here follows the mapping of the top 50 websites sent by Brandon. I've merged his list with Klost's, so we have a 59 top sites list. I've made a few considerations about some of the favicons, that I could not be entirely sure about or had any other problem. I expect to send another list of favicon hashes soon, with some CMSs I've noticed that are missing but that I consider very common (at least in Brazil).

68B329DA9893E34099C7D8AD5CB9C940:Favicon is the website URL printed in an image [1]
AF999538CD3D4D0370F3EA92E0A6070F:H-Sphere
10BD6AD7B318DF92D9E9BD03104D9B80:Plone cms [2]
A34DEA4BD04BDB816BEA176619C29063:Confixx Professional
2C0067D9382A7F1751FED2D200F38DB7:Point2 Real State Websites
63B982EDDD64D44233BAA25066DB6BC1:Joomla!
E9E6C56F63122FB05E6899E1DEDD0734:Worldsoft CMS Website
F30B5ED270A57EABEA60BEB935E2B800:FC2 Blog/.fc2.com domain (http://blog.fc2.com/) [3]
EC49973C1991BF39FCDB53260467F39F:Parallels H-Sphere
292B586171617B56E77EE694485B1052:directdomain.com/hover client [4]
E52C40433AA5F9256E521D7C139A05BD:GovOffice (Governmental Office CMS)
4644F2D45601037B8423D45E13194C93:Apache Tomcat
2C338C26309E13987D315D85F499D7F2:e107 cms
BEFCDED36AEC1E59EA624582FCB3225C:Speedtouch
61E029C99ABC5CF058ABC77562A69F98:SchoolCenter Pro (School CMS)
D16A0DA12074DAE41980A6918D33F031:ST 605
EDAAEF7BBD3072A3A0C3FB3B29900BCB:Powered by Reynolds Web Solutions (Car sales CMS)
A31552D4FCC0EA68D69153E458FE6AB2:Google pages
73778A17B0D22FFBB7D6C445A7947B92:Apple
7194D8AFD9E3A6DD0048149C3F66D60A:Blank Favicon [5]
D99217782F41E71BCAA8E663E6302473:Apache on Red Hat/Fedora
CA79ABA701B8ED97D4505BCD766DF6F3:Spam Website
B25DBE60830705D98BA3AAF0568C456A:Netscape iPlanet 6.0
325472601571F31E1BF00674C368D335:XSite by a la mode, inc.
0C46689B7D84E977E3C3683C6F316122:phpBB hosted in Free Forum Services (forumotion.com, forumactif.fr and others)
81ED5FA6453CF406D1D82233BA355B9A:E-zekiel
226FFC5E483B85EC261654FE255E60BE:Netscape 4.1
FF2C8612B75B5F9A6175E016FE4AA609:Linux Tux (Apache on SuSE?) [6]
639B61409215D770A99667B446C80EA1:Lotus Notes
4EB846F1286AB4E7A399C851D7D84CCA:Plone cms [2]
FA54DBF2F61BD2E0188E47F5F578F736:Wordpress
C1201C47C81081C7F0930503CAE7F71A:vBulletin forum
389A8816C5B87685DE7D8D5FEC96C85B:XOOPS cms
A5220EF442813C2FC6EE8CF13560278F:.republika.pl domain/hosted website [7]
59A0C7B6E4848CCDABCEA0636EFDA02B:Blogspot
B7EBD6E8609ECBF0F053BAF5F550CB04:Blank Favicon [5]
A28EBCAC852795FE30D8E99A23D377C1:SunOne 6.1
4EE75CA12A52425B9514EE6DE25D23FE:Hostmonster hosted website
6F767458B952D4755A795AF0E4E0AA17:Yahoo!
7DBE9ACC2AB6E64D59FA67637B1239DF:Lotus-Domino
ECAA88F7FA0BF610A5A26CF545DCD3AA:3-byte invalid favicon: domain sellers
5B0E3B33AA166C88CEE57F83DE1D4E55:DotNetNuke (http://www.dotnetnuke.com)
1CE0C63F8BD1E5D3376EC0AE95A41C08:Parallels Plesk Panel
E1E8BDC3CE87340AB6EBE467519CF245:bluehost hosted website
A8FE5B8AE2C445A33AC41B33CCC9A120:Cannot find server(Access to this web page is currently unavailable.). Let us know - please submit!
5E1E9CC940D3BFAA59F51282D9FEC510:.free.fr domain/hosted website [7]
64CA706A50715E421B6C2FA0B32ED7EC:Parallels Plesk [8]
DCEA02A5797CE9E36F19B7590752563E:Apache (seen on CentOS/Debian/Fedora)
9CEAE7A3C88FC451D59E24D8D5F6F166:Parallels Plesk
D41D8CD98F00B204E9800998ECF8427E:Zero byte favicon
09B565A51E14B721A323F0BA44B2982A:Google web server
506190FC55CEAA132F1BC305ED8472CA:SocialText
2CC15CFAE55E2BB2D85B57E5B5BC3371:PHPwiki
E6A9DC66179D8C9F34288B16A02F987E:Drupal cms
F1876A80546B3986DBB79BAD727B0374:NetScreen WebUI
41E2C893098B3ED9FC14B821A2E14E73:Netscape 6.0 (AOL)
71E30C507CA3FA005E2D1322A5AA8FB2:Apache on Redhat
6CEC5A9C106D45E458FC680F70DF91B0:Wordpress - obsolete version
E4A509E78AFCA846CD0E6C0672797DE5:i3micro VRG

[1] Some websites do not show any favicon, anyway, when you try to explicitly get it using the browser, you find an image with the website URL printed inside. Even if the URL is different, the hashes are the same. Some are:
http://www.motoexpert.fr/favicon.ico
http://www.lordsofmetal.nl/favicon.ico
http://www.hostingphpbb.com/favicon.ico

[2] Two different hashes for the same favicon. Anyway, a diff shows that both files are different (but similar to the eye).

[3] I can't understand the languages of this webpage, but the pages contained buttons with information like FC2 Blog and are .fc2.com subdomains.

[4] directdomain.com seems to no longer exist, and its website redirects to hover.com. The websites in the list use the same blue humming bird favicon, that is the hover's logo. Anyway, hover is now only a mail redirect service and all the websites are now hosted by domaindirecthosting.com. All the websites have the same IP number.

[5] Some favicons are blank. I couldn't find any relation between the websites where these favicons were found.

[6] I could notice that all these servers are running SuSE and apache. I believe that it is a default favicon for this specific apache, just like others mentioned in Klost's list.

[7] I can't understand the languages of these webpages, but I believe that it is a hosting/internet access service.

[8] I've found information about this favicon on a website, but I couldn't find any confirmation on the websites list. Anyway, the websites were running HTTP service on port 8443, which makes this information very probable.

Worth Mentioning: I could notice that some hash collisions happened. One example is: E52C40433AA5F9256E521D7C139A05BD and http://www.xata.com/

Hope this helps =)

João

On Thu, Aug 6, 2009 at 10:00 PM, Joao Correa<joao () livewire com br> wrote:
On Thu, Aug 6, 2009 at 9:08 PM, kx<kxmail () gmail com> wrote:

Sorry if this is duplicative, but I just googled for some of the hashes Brandon posted:

72702 hash/D41D8CD98F00B204E9800998ECF8427E - (empty file) - Kost had this
25779 hash/9CEAE7A3C88FC451D59E24D8D5F6F166 - "Plesk managed system"
see: http://cirt.net/nikto/UPDATES/2.03/db_favicon

Funny enough, when you google for several of these hashes, it turns up cached pages of phpshells that apparently md5 favicons.

Based on the URLs Brandon gave, here is another:
EC49973C1991BF39FCDB53260467F39F Parallels® H-Sphere www.parallels.com:80

I'll grab the file, and if I get time, I will try out a few more tomorrow.

Cheers,
kx

On Fri, Aug 7, 2009 at 12:57 AM, David Fifield<david () bamsoftware com> wrote:

On Thu, Aug 06, 2009 at 08:26:12PM +0000, Brandon Enright wrote:

On Thu, 6 Aug 2009 11:49:03 -0600 David Fifield <david () bamsoftware com> wrote:

On Thu, Aug 06, 2009 at 08:27:24AM +0200, Vlatko Kosturjak wrote:

David Fifield wrote:

Vlatko, did you ever finish mapping the hashes back to favicons in your research?

Yes, I did. But extracted only top 10 from each survey done (dmoz,80,443) and have summarized that into favicon-db (just updated favicon-db in attachment to reflect survey done).

...snip...

Awesome. I would prefer to keep only the hashes that we have measured to be common. João Correa is going to do some scanning and Brandon Enright has been scanning as well. The hash A8FE5B8AE2C445A33AC41B33CCC9A120 is by far the most common one I found in my scanning, and I think in Brandon's too. Just like you noted, it is really HTML text:

Indeed, I have been scanning ;-) Here is what I scanned:

* 100M random IPs (small percentage actually listening on 80)
* 450k IPs resolved from links in Wikipedia (>99% listening on 80)
* 3M names (not IPs) from open directory/dmoz, (>99% listening on 80)

I'm making a compressed (7Zip) tarball of the entire favicon directory available at:
http://noh.ucsd.edu/~bmenrigh/favicon.tar.7z

I'm downloading it now. João, are you getting a copy too? Brandon did a huge part of the work by scanning all these hosts. Now we have to find out the server software for each of the hashes, as Vlatko did in his scans. It should be pretty easy by visiting the sites in the hash/ directory; you can also look at the icon in the icon/ directory with an image viewer.

David, I've scanned only a small set of hosts yet (due to some connection limitations I'm trying to work around). Anyway, I'll work on classifying the list and I'll return it to the list soon!

50 initially strikes me as a pretty good number for the size of the database. When you're looking up software be sure to refer to the list Vlatko already made at http://seclists.org/nmap-dev/2009/q3/0475.html.

great!

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
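
An added example, not part of the original thread and not Nmap's own code: parsing the HASH:label format used in the list above and classifying a fetched /favicon.ico body, with the zero-byte and non-image cases the message mentions kept apart from real icon matches. The function names and the magic-byte check are assumptions of this example; the database entries are copied from the list.

```python
import hashlib

# Entries copied from the list in this message (HASH:label, one per line).
FAVICON_DB = """\
D41D8CD98F00B204E9800998ECF8427E:Zero byte favicon
4644F2D45601037B8423D45E13194C93:Apache Tomcat
E6A9DC66179D8C9F34288B16A02F987E:Drupal cms
ECAA88F7FA0BF610A5A26CF545DCD3AA:3-byte invalid favicon: domain sellers
5B0E3B33AA166C88CEE57F83DE1D4E55:DotNetNuke (http://www.dotnetnuke.com)
"""

# Leading bytes of common icon formats (ICO, PNG, GIF); an assumption of
# this example, not something the thread specifies.
IMAGE_MAGIC = (b"\x00\x00\x01\x00", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
HEX_DIGITS = set("0123456789ABCDEF")


def md5_hex(body):
    """Upper-case MD5 hex digest, the form used in the list."""
    return hashlib.md5(body).hexdigest().upper()


def parse_db(text):
    """Parse HASH:label lines. Labels can contain ':' (URLs), so split once."""
    db = {}
    for line in text.splitlines():
        digest, sep, label = line.strip().partition(":")
        digest = digest.strip().upper()
        if sep and len(digest) == 32 and set(digest) <= HEX_DIGITS:
            db[digest] = label.strip()
    return db


def classify(body, db):
    """Return (md5, verdict, label) for the bytes served at /favicon.ico."""
    digest = md5_hex(body)
    label = db.get(digest)
    if not body:
        return digest, "empty", label
    if not body.startswith(IMAGE_MAGIC):
        # Error pages and stub files hash consistently across hosts but say
        # little about the software behind the site.
        return digest, "not-an-image", label
    return digest, ("known" if label else "unknown"), label
```
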