Nmap Development mailing list archives

Re: favicon survey script


From: Joao Correa <joao () livewire com br>
Date: Sun, 9 Aug 2009 05:48:15 -0300

Uff, Hello guys.

Here follows the mapping of the top 50 websites sent by Brandon. I've
merged his list with Klost's, so we have a 59 top sites list. I've
made a few considerations about some of the favicons that I could not
be entirely sure about or that had some other problem.

I expect to send another list of favicon hashes soon, with some CMSs
I've noticed that are missing but that I consider very common (at
least in Brazil).

68B329DA9893E34099C7D8AD5CB9C940:Favicon is the website URL printed in
an image [1]
AF999538CD3D4D0370F3EA92E0A6070F:H-Sphere
10BD6AD7B318DF92D9E9BD03104D9B80:Plone cms [2]
A34DEA4BD04BDB816BEA176619C29063:Confixx Professional
2C0067D9382A7F1751FED2D200F38DB7:Point2 Real Estate Websites
63B982EDDD64D44233BAA25066DB6BC1:Joomla!
E9E6C56F63122FB05E6899E1DEDD0734:Worldsoft CMS Website
F30B5ED270A57EABEA60BEB935E2B800:FC2 Blog/.fc2.com domain
(http://blog.fc2.com/) [3]
EC49973C1991BF39FCDB53260467F39F:Parallels H-Sphere
292B586171617B56E77EE694485B1052:directdomain.com/hover client [4]
E52C40433AA5F9256E521D7C139A05BD:GovOffice (Governmental Office CMS)
4644F2D45601037B8423D45E13194C93:Apache Tomcat
2C338C26309E13987D315D85F499D7F2:e107 cms
BEFCDED36AEC1E59EA624582FCB3225C:Speedtouch
61E029C99ABC5CF058ABC77562A69F98:SchoolCenter Pro (School CMS)
D16A0DA12074DAE41980A6918D33F031:ST 605
EDAAEF7BBD3072A3A0C3FB3B29900BCB:Powered by Reynolds Web Solutions
(Car sales CMS)
A31552D4FCC0EA68D69153E458FE6AB2:Google pages
73778A17B0D22FFBB7D6C445A7947B92:Apple
7194D8AFD9E3A6DD0048149C3F66D60A:Blank Favicon [5]
D99217782F41E71BCAA8E663E6302473:Apache on Red Hat/Fedora
CA79ABA701B8ED97D4505BCD766DF6F3:Spam Website
B25DBE60830705D98BA3AAF0568C456A:Netscape iPlanet 6.0
325472601571F31E1BF00674C368D335:XSite by a la mode, inc.
0C46689B7D84E977E3C3683C6F316122:phpBB hosted in Free Forum Services
(forumotion.com, forumactif.fr and others)
81ED5FA6453CF406D1D82233BA355B9A:E-zekiel
226FFC5E483B85EC261654FE255E60BE:Netscape 4.1
FF2C8612B75B5F9A6175E016FE4AA609:Linux Tux (Apache on SuSE?) [6]
639B61409215D770A99667B446C80EA1:Lotus Notes
4EB846F1286AB4E7A399C851D7D84CCA:Plone cms [2]
FA54DBF2F61BD2E0188E47F5F578F736:Wordpress
C1201C47C81081C7F0930503CAE7F71A:vBulletin forum
389A8816C5B87685DE7D8D5FEC96C85B:XOOPS cms
A5220EF442813C2FC6EE8CF13560278F:.republika.pl domain/hosted website [7]
59A0C7B6E4848CCDABCEA0636EFDA02B:Blogspot
B7EBD6E8609ECBF0F053BAF5F550CB04:Blank Favicon [5]
A28EBCAC852795FE30D8E99A23D377C1:SunOne 6.1
4EE75CA12A52425B9514EE6DE25D23FE:Hostmonster hosted website
6F767458B952D4755A795AF0E4E0AA17:Yahoo!
7DBE9ACC2AB6E64D59FA67637B1239DF:Lotus-Domino
ECAA88F7FA0BF610A5A26CF545DCD3AA:3-byte invalid favicon: domain sellers
5B0E3B33AA166C88CEE57F83DE1D4E55:DotNetNuke (http://www.dotnetnuke.com)
1CE0C63F8BD1E5D3376EC0AE95A41C08:Parallels Plesk Panel
E1E8BDC3CE87340AB6EBE467519CF245:bluehost hosted website
A8FE5B8AE2C445A33AC41B33CCC9A120:Cannot find server(Access to this web
page is currently unavailable.). Let us know - please submit!
5E1E9CC940D3BFAA59F51282D9FEC510:.free.fr domain/hosted website [7]
64CA706A50715E421B6C2FA0B32ED7EC:Parallels Plesk [8]
DCEA02A5797CE9E36F19B7590752563E:Apache (seen on CentOS/Debian/Fedora)
9CEAE7A3C88FC451D59E24D8D5F6F166:Parallels Plesk
D41D8CD98F00B204E9800998ECF8427E:Zero byte favicon
09B565A51E14B721A323F0BA44B2982A:Google web server
506190FC55CEAA132F1BC305ED8472CA:SocialText
2CC15CFAE55E2BB2D85B57E5B5BC3371:PHPwiki
E6A9DC66179D8C9F34288B16A02F987E:Drupal cms
F1876A80546B3986DBB79BAD727B0374:NetScreen WebUI
41E2C893098B3ED9FC14B821A2E14E73:Netscape 6.0 (AOL)
71E30C507CA3FA005E2D1322A5AA8FB2:Apache on Redhat
6CEC5A9C106D45E458FC680F70DF91B0:Wordpress - obsolete version
E4A509E78AFCA846CD0E6C0672797DE5:i3micro VRG

[1]
Some websites do not show any favicon; anyway, when you try to
explicitly get it using the browser, you find an image with the
website URL printed inside. Even if the URL is different, the hashes
are the same. Some are:
http://www.motoexpert.fr/favicon.ico
http://www.lordsofmetal.nl/favicon.ico
http://www.hostingphpbb.com/favicon.ico

[2]
Two different hashes for the same favicon. Anyway, a diff shows that
both files are different (but similar to eye).

[3]
I can't understand the languages of this webpage, but the pages
contained buttons with information like FC2 Blog and are .fc2.com
subdomains.

[4]
directdomain.com seems to no longer exist, and its website redirects
to hover.com. The websites in the list use the same blue hummingbird
favicon, which is hover's logo. Anyway, hover is now only a mail
redirect service and all the websites are now hosted by
domaindirecthosting.com. All the websites have the same IP number.

[5]
Some favicons are blank. I couldn't find any relation between the
websites where these favicons were found.

[6]
I could notice that all these servers are running SuSE and Apache. I
believe that it is a default favicon for this specific Apache, just
like others mentioned in Klost's list.

[7]
I can't understand the languages of these webpages, but I believe that
it is a hosting/internet access service.

[8]
I've found information about this favicon on a website, but I couldn't
find any confirmation on the websites list. Anyway, the websites were
running an HTTP service on port 8443, which makes this information very
probable.

Worth Mentioning:

I could notice that some hash collisions happened. One example is:
E52C40433AA5F9256E521D7C139A05BD and http://www.xata.com/

Hope this helps =)
João
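As an added example (not part of this thread and not Nmap's own http-favicon script), here is a small Python lookup that parses a mapping in the same `HASH:label` form as the list above, MD5-hashes a fetched favicon.ico body and flags the degenerate cases the list mentions: the zero-byte favicon, HTML error text served instead of an image, and tiny invalid files. The excerpt of the database embedded below is constructed from entries in this message; the `fetch_favicon` helper and the image-magic checks are my own assumptions.

```python
import hashlib
import re
import urllib.request

# Constructed excerpt of the HASH:label mapping posted above (same line format).
FAVICON_DB = """\
D41D8CD98F00B204E9800998ECF8427E:Zero byte favicon
4644F2D45601037B8423D45E13194C93:Apache Tomcat
63B982EDDD64D44233BAA25066DB6BC1:Joomla!
A8FE5B8AE2C445A33AC41B33CCC9A120:Cannot find server (HTML error page, not an image)
"""

# Assumed magic bytes for the formats a favicon is usually served in.
ICO_MAGIC = b"\x00\x00\x01\x00"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGIC = b"GIF8"


def parse_db(text):
    """Parse 'MD5:label' lines into a dict keyed by lowercase hex digest."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, label = line.partition(":")
        if re.fullmatch(r"[0-9A-Fa-f]{32}", digest):
            db[digest.lower()] = label.strip()
    return db


def classify(body, db):
    """Return (md5, label_or_None, note) for a favicon.ico response body.

    The lookup is an exact byte match: two icons that look the same but
    differ in a few bytes (footnote [2] above) get different hashes."""
    digest = hashlib.md5(body).hexdigest()
    if len(body) == 0:
        note = "empty"
    elif body[:4] == ICO_MAGIC or body.startswith((PNG_MAGIC, GIF_MAGIC)):
        note = "image"
    elif body.lstrip()[:1] == b"<":
        note = "html"          # server returned a page, not an icon
    elif len(body) < 8:
        note = "too short"     # e.g. the 3-byte "favicon" noted above
    else:
        note = "unknown"
    return digest, db.get(digest), note


def fetch_favicon(base_url, timeout=5):
    """Assumed helper: GET <base_url>/favicon.ico and return the raw body."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/favicon.ico", timeout=timeout) as r:
        return r.read()
```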

On Thu, Aug 6, 2009 at 10:00 PM, Joao Correa<joao () livewire com br> wrote:
On Thu, Aug 6, 2009 at 9:08 PM, kx<kxmail () gmail com> wrote:
Sorry if this is duplicative, but I just googled for some of the
hashes Brandon posted:

72702 hash/D41D8CD98F00B204E9800998ECF8427E - (empty file) - Kost had this
25779 hash/9CEAE7A3C88FC451D59E24D8D5F6F166 - "Plesk managed system"

see: http://cirt.net/nikto/UPDATES/2.03/db_favicon

Funny enough, when you google for several of these hashes, it turns up
cached pages of phpshells that apparently md5 favicons.

Based on the URLs Brandon gave, here is another:

EC49973C1991BF39FCDB53260467F39F Parallels® H-Sphere
www.parallels.com:80

I'll grab the file, and if I get time, I will try out a few more tomorrow.

Cheers,
 kx


On Fri, Aug 7, 2009 at 12:57 AM, David Fifield<david () bamsoftware com> wrote:
On Thu, Aug 06, 2009 at 08:26:12PM +0000, Brandon Enright wrote:
On Thu, 6 Aug 2009 11:49:03 -0600 David Fifield <david () bamsoftware com> wrote:
On Thu, Aug 06, 2009 at 08:27:24AM +0200, Vlatko Kosturjak wrote:
David Fifield wrote:
Vlatko, did you ever finish mapping the hashes back to favicons
in your research?

Yes, I did. But extracted only top 10 from each survey done
(dmoz,80,443) and have summarized that into favicon-db (just updated
favicon-db in attachment to reflect survey done).

...snip...

Awesome. I would prefer to keep only the hashes that we have measured
to be common. João Correa is going to do some scanning and Brandon
Enright has been scanning as well.

The hash A8FE5B8AE2C445A33AC41B33CCC9A120 is by far the most common
one I found in my scanning, and I think in Brandon's too. Just like
you noted, it is really HTML text:

Indeed, I have been scanning ;-)

Here is what I scanned:

* 100M random IPs (small percentage actually listening on 80)
* 450k IPs resolved from links in Wikipedia (>99% listening on 80)
* 3M names (not IPs) from open directory/dmoz, (>99% listening on 80)

I'm making a compressed (7Zip) tarball of the entire favicon directory
available at:

http://noh.ucsd.edu/~bmenrigh/favicon.tar.7z

I'm downloading it now. João, are you getting a copy too? Brandon did a
huge part of the work by scanning all these hosts. Now we have to find
out the server software for each of the hashes, as Vlatko did in his
scans. It should be pretty easy by visiting the sites in the hash/
directory; you can also look at the icon in the icon/ directory with an
image viewer.

David, I've scanned only a small set of hosts yet (due to some
connection limitations I'm trying to work around). Anyway, I'll work
on classifying the list and I'll return it to the list soon!

50 initially strikes me as a pretty good number for the size of the
database. When you're looking up software be sure to refer to the list
Vlatko already made at http://seclists.org/nmap-dev/2009/q3/0475.html.

great!


David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
