RE: [suse-security] Obscuring OS
From: Tom Knight (thomas.knightahds.ac.uk)
Date: Wed Feb 18 2004 - 03:34:49 CST
> -----Original Message-----
> From: Allen/gore/SlackWareWolf [mailto:goreBOFHcomcast.net]
> Sent: 17 February 2004 23:40
> To: suse-securitysuse.com
> Cc: TheHorse TheHorse
> Subject: Re: [suse-security] Obscuring OS
> On Tuesday 17 February 2004 04:56 pm, Bill.Lightkp.org
> > I am running a mail/web server and Netcraft says that it
> > is Apache/1.3.28 and (Linux/SuSE).
> > While on one hand that is nice....Would it not be better
> > to obscure which distro I am running and the version of
> > Apache ??
> > How would one accomplish this ?
> > - Bill
> Don't worry :) Anyone reading this list knows you use SuSE
> Linux, Apache, and that your name is bill. This is more
> than enough for me to social engineer my way into root
> access at your server :) Not that I would, but remember to
> watch what you let out on a list.
Of course it could be that he's actually a lady called Freda, running
IIS on WinNT4, and trying to disguise the fact....
Or maybe his name _is_ Bill, and he's running Linux/Apache, but
trying to make you think he's running IIS on WinNT4...
Or even that he's a creature from the planet X running FabHTTPd
on SuperOS 6, trying to make you think he's called Bill, pretending
to be Freda pretending to be Bill?
My head hurts.
Anyway, I agree that hiding OS/webserver info won't help that much,
I remember examining http requests of my old Netscape Enterprise
server and finding loads of IIS exploits aimed at it.
My guess is that:
1. Attacker tries to find a port 80 that responds to a port scan.
2. Attacker tries whatever tool they've downloaded from some l33t
h4ax0r on #l33t_h4x0rs.
Also - yes, social engineering works scarily well.