service version disclosure

Reindl Harald h.reindl at thelounge.net
Sun Jan 8 23:24:47 UTC 2012



On 08.01.2012 23:16, Nathanael Noblet wrote:
> So from my logs. Not a probe first, just plain trying to get data using a hopeful exploit. They don't care what
> version of anything I'm running.
> 
> I realize it looks like they got the files they wanted, but in reality it ignored the request and sent the data it
> always does...
> 
> In any case, I still get tons of requests for Default.aspx, as well as a whole host of requests for IIS
> vulnerabilities, even though I run Linux and Apache. Hiding the version changes nothing. The software doing all
> this scanning simply *tries* to exploit, not find out exploitable machines so it can tell some random human to then
> run a script against it....

And you think that some random examples prove anything?
Some webserver logs show nothing about real exploits.

There were and there will be exploits you will never see
in your webserver log, because if they worked, CODE was
executed in the context of your webserver.

Fact is that nobody out there needs to know your software version
for anything useful, and one of the most important rules in
server administration is: disable, and do not disclose, ANYTHING
which is not explicitly needed, to prevent exploit cases you cannot
imagine while configuring your machine.



