[UNIX] Easy Remote Detection of a Running Tripwire for Webpages System

From: support@securiteam.com
Date: 09/02/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Easy Remote Detection of a Running Tripwire for Webpages System
Message-Id: <20010901220600.78C7A138BF@mail.der-keiler.de>
Date: Sun,  2 Sep 2001 00:06:00 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Easy Remote Detection of a Running Tripwire for Webpages System
------------------------------------------------------------------------

SUMMARY

Tripwire for Web Pages <http://www.tripwire.com/products/web_pages/>
extends Tripwire data and network integrity protection to Web pages hosted
on Apache Web servers. It enables immediate remediation by automatically
replacing altered Web page content with a customized notification page,
instantly notifying the administrator, and logging all instances. A
problem in the way the product "advertises" itself allows remote attackers
to detect whether a remote host has this product enabled on its web
server.

DETAILS

Example:
telnet <remote-host> 80
HEAD / HTTP/1.0

The output looks as follows:

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2001 15:41:33 GMT
Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3
Last-Modified: Fri, 13 Jul 2001 11:32:48 GMT
ETag: "c7a3-6f-3b4edc60"
Accept-Ranges: bytes
Content-Length: 111
Connection: close
Content-Type: text/html

The text 'Intrusion/1.0.3' in the 'Server:' line tells us that Tripwire
for Webpages 1.0.3 is running.

This output is caused by the module: libmod_tripwire.so

This information could be used by an attacker to be more careful when
trying to deface the content of a site running TWP, and may defeat the
purpose of installing TWP.
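
An added example, not part of the original advisory: a Python check an
administrator can run over their own server's response head to list every
token the 'Server:' line discloses beyond the bare product name. The
function names and the allowlist of accepted product names are assumptions;
the sample is the advisory's output above, abridged.

```python
import re

# Response head copied from the advisory's sample output (abridged).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 28 Aug 2001 15:41:33 GMT\r\n"
    "Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 Intrusion/1.0.3\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# A Server value is a run of product[/version] tokens and (comments).
_TOKEN = re.compile(r"\(([^()]*)\)|([^\s()/]+)(?:/([^\s()]+))?")


def server_header(raw_head):
    """Return the Server header value from a raw response head, or None."""
    for line in raw_head.replace("\r\n", "\n").split("\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def audit_banner(raw_head, allowed=("Apache",)):
    """List (kind, detail) pairs for everything the banner discloses.

    `allowed` is an assumed allowlist of product names the operator accepts.
    """
    value = server_header(raw_head)
    findings = []
    for m in _TOKEN.finditer(value or ""):
        comment, name, version = m.groups()
        if comment is not None:
            findings.append(("comment", comment))
        elif name not in allowed:
            findings.append(("extra-product", f"{name}/{version}" if version else name))
        elif version:
            findings.append(("version", f"{name}/{version}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_banner(SAMPLE):
        print(f"{kind:14} {detail}")
```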

ADDITIONAL INFORMATION

The information has been provided by johncybpk
<mailto:johncybpk@gmx.net>.
