Re: Apache again

From: Soeren Ziehe (robinton-usenet@gmx.de)
Date: 05/11/02

• Next message: Kasper Dupont: "Re: When not to log"
• Previous message: Kasper Dupont: "Re: When not to log"
• In reply to: Luke Vogel: "Re: Apache again"
• Next in thread: Igor2: "Re: Apache again"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: robinton-usenet@gmx.de (Soeren Ziehe)
Date: 11 May 2002 11:13:00 +0200

In article <3CDB923A.2BD38F58@bell-bird.com.au> [10 May 02]
   Luke Vogel <luke@bell-bird.com.au> wrote:

>> But why?
>> The above request is IMHO specifically built to force a 404
>> response. So what's to gain?

> Fingerprinting.

OK. But why in a way that turns up on the admins radar?

> A good cracker will gather as much information about potential
> targets as is possible, and in a way that attracts as little
> attention as possible.

Yes. But on the contrary this attracts attention.

> One of the easiest ways to identify a default web server install is
> to force a 404 and read the banner info that tells you what version
> of the web server you are running and on what os.

Do a normal "GET / HTTP/1.0" request and you're supplied with the server
information in the headers. There's soo much information there, if
you're lucky: which server, what modules, which OS, which vendor.
And this way the admin doesn't notice that you were there scouting,
since it looks like a normal benign request.

The format of the bogus request suggests the use of a tool. So this tool
can look at the headers and supply benign browser identification. That
way the cracker gets his info and the admin never notices a thing.

But maybe the mass of admin never looks at their error log?
Then you may get away with this non-stealth reconnaisance.

Robinton

-- 
Aktivierungsenergie:
  Energetischer Berg, der vor jeder chem. Reaktion ueberwunden werden muss.
  Fuer die meisten Chemiker liegt er im Bereich einer heissen Tasse Kaffee.
                                        (Froehliches Woerterbuch Chemiker)

---

• Next message: Kasper Dupont: "Re: When not to log"
• Previous message: Kasper Dupont: "Re: When not to log"
• In reply to: Luke Vogel: "Re: Apache again"
• Next in thread: Igor2: "Re: Apache again"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: [Full-disclosure] Computer name should match with your real identity? ... an organization policy change, a new guideline, or just "because"? ... Was the admin given the appropriate authority to request such a change? ... equipment becomes the users responsibility, ... (Full-Disclosure) Re: Banned from DFO ... Write the admin an email and request you be reinstated. ... time unless you went on a rampage and insulted everyone and their mother. ... of the old DCI forum. ... (rec.music.makers.percussion) Re: OT - Silverlight ... but we were unable to service your request. ... I found on my workstation the install exe and tried with and without UAC, as admin, not as admin. ... Changing ownership on reg keys etc. ... (microsoft.public.dotnet.framework.aspnet) Re: Biomedical Engineering info ... basically taught in biomedical engineering....VISIT-http://biomeng.blogspot.com/ ... All info you want....and you can request the admin for anyothr doubt ... (sci.engr.biomed) Re: New e-mail ... You need to sub to this list with your new address, using the request ... address (not the list or admin addresses). ... newsgroup post is not a good idea as it can easily be harvested for ... (soc.genealogy.ireland)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.os.linux.security  > 2002-05