On Thu, 18 Apr 2002 07:11, you wrote:
> On Wed, 17 Apr 2002, TheFinn wrote:
> > Anyone know of an easy/fast way to stop apache from spilling its guts
> > when it gets scanned?
> >
> > Here's some scanner output: Apache/1.3.12 (Unix) (Red Hat/Linux)
> > mod_ssl/2.6.6 OpenSSL/0.9.6 PHP/3.0.15 mod_perl/1.21
> >
> > It would be good to be able to stop all that.
>
> Why? Skilled attackers will see right through the ruse and the
> scriptkiddies and automated worms will just pound away no matter how your
> webserver identifies itself.
>
> Changing the webserver ID can be entertaining, but it doesn't
> afford you any additional security whatsoever.

I disagree, have a look at one of the latest TESO exploits:

team teso (thx bnuts, tomas, synnergy.net !).
Compiled for MnM 01/12/2001..pr0t!
usage: ./wu [-h] [-v] [-a] [-D] [-m] [-t <num>] [-u <user>] [-p <pass>] [-d host] [-L <retloc>] [-A <retaddr>]

-h       this help
-v       be verbose (default: off, twice for greater effect)
-a       AUTO mode (target from banner)
-D       DEBUG mode (waits for keypresses)
-m       enable mass mode (use with care)
-t num   choose target (0 for list, try -v or -v -v)
-u user  username to login to FTP (default: "ftp")
-p pass  password to use (default: "mozilla@")
-d dest  IP address or fqhn to connect to (default: 127.0.0.1)
-L loc   override target-supplied retloc (format: 0xdeadbeef)
-A addr  override target-supplied retaddr (format: 0xcafebabe)

-a auto mode checks the version numbers. It's script kiddies who use that
most of all.

This one came in worm format with a bunch of other programs as well. One was
a port scanner which scanned for port 21 through b classes, the other went in
and checked the version number and then put verified and exploitable versions
into a file which then got the ./wu program run on it. Then it waited for
root and uploaded a rootkit (different rootkit depending on version of O/S).

So, if you can obscure your version numbers this baby don't work.

Merely one example.

L8r
TheFinn.
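
An added example, not part of the original thread: a small Python audit helper that parses a Server banner such as the one quoted above and lists the component versions and platform hints it discloses, so an administrator can compare their own server's banner before and after trimming it. The names `parse_server_banner` and `disclosure_report` are hypothetical.

```python
import re

# Banner quoted in the thread above, used here as sample input.
PAGE_BANNER = ("Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 "
               "OpenSSL/0.9.6 PHP/3.0.15 mod_perl/1.21")

# A Server header is a sequence of product[/version] tokens and
# parenthesised comments. Group 1 = comment, groups 2/3 = product/version.
_TOKEN = re.compile(r"\(([^()]*)\)|([^\s/()]+)(?:/([^\s()]+))?")


def parse_server_banner(banner):
    """Split a banner into entries of product, version and trailing comments."""
    entries = []
    for match in _TOKEN.finditer(banner):
        comment, product, version = match.groups()
        if comment is not None:
            # A comment belongs to the product that precedes it.
            if not entries:
                entries.append({"product": None, "version": None, "comments": []})
            entries[-1]["comments"].append(comment)
        else:
            entries.append({"product": product, "version": version, "comments": []})
    return entries


def disclosure_report(banner):
    """Summarise what the banner gives to version-matching tools."""
    entries = parse_server_banner(banner)
    return {
        # Components that announce an exact version number.
        "versioned": {e["product"]: e["version"] for e in entries if e["version"]},
        # Comments, which usually name the OS or distribution.
        "platform_hints": [c for e in entries for c in e["comments"]],
    }


if __name__ == "__main__":
    report = disclosure_report(PAGE_BANNER)
    for product, version in report["versioned"].items():
        print(f"discloses version: {product} {version}")
    for hint in report["platform_hints"]:
        print(f"discloses platform: {hint}")
```
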