Dylan Reinhardt wrote:
Looking over the Apache logs a bit more carefully, I can see several requests of the form:
http://www.virtualhost.com/misc_/SiteAccess/VirtualHostMonster.gif and http://www.virtualhost.com/p_/zopelogo_jpg
Both of which will return graphics positively identifying your server as Zope unless you've taken measures to the contrary. Oops.
Hmm. There are a million ways to fingerprint zope, I suppose those are as good as any. But check out OFS/Application.py for a nice fat sack of ideas. This is why I really want a tool that I can use to expose every possible object available for request that includes what you can obtain via acquisition. It would make locking down a zope installation much easier.
Around the same times as the probes for site/vhm//, there were several
That's pretty interesting... assuming they'd find the vhm object... what is there to do with it? I actually tried doing stuff like that a long time ago but I couldn't come up with anything useful to do with it, maybe I missed something. I do tend to use a random string generator when naming objects that have no direct traversal value though, I figure it can't hurt. I looked through my logs for the past week, I didn't see any similar signs of curiosity apart from my own attempts.

-- 
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing next to you may not be who they appear to be, so take precaution." -Sathington Willoughby
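
An added example, not part of the original message: a check for the kind of requests Dylan describes. It flags Apache access-log lines that request the /misc_/ or /p_/ paths and counts, per client, how many were actually served (status 200). The log lines and addresses are constructed samples, and matching the segment anywhere in the path, including percent-encoded forms, is an assumption made here.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Path segments named in the thread as serving Zope-identifying graphics.
ZOPE_SEGMENTS = {"misc_", "p_"}

# Apache common/combined format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

def zope_probe(line):
    """Return (host, path, status) for a request to a Zope-identifying path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line or not a normal request
    try:
        # Target may be origin-form (/p_/x) or absolute-form (http://host/p_/x).
        raw_path = urlsplit(m["target"]).path
    except ValueError:
        return None
    # Decode each segment so /p%5F/ is treated the same as /p_/.
    segments = [unquote(s) for s in raw_path.split("/") if s]
    if not ZOPE_SEGMENTS.intersection(segments):
        return None
    return m["host"], "/" + "/".join(segments), int(m["status"])

def summarize(lines):
    """Group probes by client; 'served' counts 200 responses (the graphic was returned)."""
    report = defaultdict(lambda: {"hits": [], "served": 0})
    for line in lines:
        probe = zope_probe(line)
        if probe:
            host, path, status = probe
            report[host]["hits"].append((path, status))
            report[host]["served"] += status == 200
    return dict(report)

# Constructed sample log lines (documentation-range addresses, made-up times).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:01:02 -0800] "GET /misc_/SiteAccess/VirtualHostMonster.gif HTTP/1.0" 200 1234',
    '192.0.2.10 - - [01/Jan/2003:10:01:03 -0800] "GET http://www.virtualhost.com/p_/zopelogo_jpg HTTP/1.0" 200 2345',
    '198.51.100.7 - - [01/Jan/2003:10:05:00 -0800] "GET /index_html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2003:10:05:09 -0800] "GET /docs/p%5F/zopelogo_jpg HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info["served"], "served", info["hits"])
```

A nonzero "served" count for a client means at least one identifying graphic was returned to it.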