From: Kenn Humborg (kenn at domain bluetree.ie)
Date: Fri 04 May 2001 - 11:58:28 IST
> Hi guys,
> I know some people here really hate windoze, but I need to
> get some info for a colleague who is using IIS 4.0.
> The server advertises itself as being IIS 4.0, obviously this
> makes it relatively easy for anyone to hack into, as they know
> straight away what they are dealing with. Does anybody on the
> list know if this can be turned in the registry, or the IIS
> metabase, or wherever, so that if someone is trying to find out
> what the site is based on, they will just get a blank response,
> or alternatively some other nasty text.

If you were writing a script-kiddies tool for running exploits
against web servers, and you knew that the server name/version
could be easily changed by the server admin, what would you do:

1. Say "This is IIS 4 - let's only try IIS exploits", "this is
   Apache 1.2.9 - let's only try Apache exploits", "don't know
   what this is - let's not try any exploits"

2. Try _every_ exploit regardless of what you think the server is?

If you don't want it to be "relatively easy to hack" (whatever
that means) then sign up to Microsoft's security announcements
list and apply updates as soon as possible. If you can't do this,
then you shouldn't be running it on a hostile network.

This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:10:11 GMT