Bugtraq mailing list archives
Re: easy remote detection of a running tripwire for webpages system
From: "Johnny Cyberpunk" <johncybpk () gmx net>
Date: Fri, 31 Aug 2001 18:03:40 +0200
Jordan,

I patch my servers by editing the binaries (httpd and the modules I'm using) with a hex editor. This works very well for me and I never had problems with that. If you're using this way, you have to patch on multiple offsets. Not only 'HEAD / HTTP/1.0' gives information on the used Apache version, i.e. also a non-valid request or non-existing file gives info.

Also be careful while patching! Don't use strings longer than the original text! Terminate the string with '00', and if you don't want to show any information, the first byte in the string should be '20' hex and the next '00'!

Another possibility is to find the program lines for a HEAD request to modify its answers. Or try to find every string where the server name or module name is mentioned in the source code.

cheers
johnny cyberpunk

----- Original Message -----
From: "Jordan K Wiens" <jwiens () nersp nerdc ufl edu>
To: "Jonathan Sartin" <jonathan.sartin () rubus com>
Cc: <bugtraq () securityfocus com>
Sent: Friday, August 31, 2001 2:17 PM
Subject: RE: easy remote detection of a running tripwire for webpages system
Know of any good links to documentation or source patches for completely modifying or removing the banner? Note also that the Prod option only works with versions strictly greater than 1.3.12. :-(

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 29 Aug 2001, Jonathan Sartin wrote:

You need to set the ServerTokens directive in httpd.conf to reveal only those things that you feel appropriate about the server. Options are:

min - will return the product and version (i.e. Apache/1.3.0)
os - will return product version and operating system.
full - will return everything, including the installed modules (as you noted, and probably a bad thing).
product_only - will return just the product (i.e. Apache)

default seems to be full.

Examples:

ServerTokens Prod[uctOnly]
    Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
    Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
    Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
    Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2

Note that this works on the server config level and therefore cannot be set for individual virtualhosts.

Cheers .... J
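Added example (not part of the original thread): a small audit helper that maps a Server header to the ServerTokens level listed in the quoted message, and checks several response types because the reply above notes that invalid requests and non-existing files reveal the banner too. The function names and the sample responses are constructed for illustration.

```python
import re

_COMMENT = re.compile(r"\(([^)]*)\)")                # e.g. (Unix)
_TOKEN = re.compile(r"([^\s/()]+)(?:/([^\s()]+))?")  # e.g. Apache/1.3.0

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify(value):
    """Map a Server header value to the ServerTokens level it corresponds to."""
    if not value:
        return "none"                                # header absent or blank
    comments = _COMMENT.findall(value)
    tokens = _TOKEN.findall(_COMMENT.sub(" ", value))
    if len(tokens) > 1:
        return "Full"                                # module tokens are exposed
    if comments:
        return "OS"                                  # platform comment present
    if tokens and tokens[0][1]:
        return "Min"                                 # product plus version
    return "Prod"                                    # product name only

def audit(responses):
    """Classify each named response; different request types can differ."""
    return {name: classify(server_header(raw)) for name, raw in responses.items()}

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "HEAD /": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "missing file": "HTTP/1.1 404 Not Found\r\n"
                    "Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2\r\n\r\n",
    "invalid request": "HTTP/1.1 400 Bad Request\r\nServer:  \r\n\r\n",
}

if __name__ == "__main__":
    for name, level in audit(SAMPLES).items():
        print(f"{name:16} -> {level}")
```

Any result above the level you configured, on any response type, means a banner string is still being sent from somewhere the configuration or patch did not cover.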