VHM followup... an open proxy probe?
Looking over the Apache logs a bit more carefully, I can see several requests of the form:

http://www.virtualhost.com/misc_/SiteAccess/VirtualHostMonster.gif
and
http://www.virtualhost.com/p_/zopelogo_jpg

Both of which will return graphics positively identifying your server as Zope unless you've taken measures to the contrary. Oops.

Around the same times as the probes for site/vhm//, there were several failed requests to use my server as an open proxy... my guess is that open proxies may be what the probe is *really* looking for. Zope servers running VHM are highly likely to be running Apache and, given the variety and age of the available docs on setting up Zope with Apache, it may be fair to assume that some number of Zope+VHM+Apache sites are set up insecurely.

A couple thoughts/recommendations:

1. Read up on configuring and securing Apache proxy services: http://httpd.apache.org/docs/mod/mod_proxy.html#access

2. Don't volunteer configuration info to potential attackers. You can conceal misc_ and p_ from your virtual sites by placing empty folders with these names in the folder above your virtual root. You may wish to name your VHM object something unpredictable. Ensure that Apache is configured with ServerSignature Off.

FWIW,
Dylan
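As an added example (editor's code, not from Dylan or the Zope project), here is the log check described above written out: it parses Apache combined-format access log lines and buckets the requests into the Zope fingerprint probes named in the message, the `site/vhm//` probe, and forward-proxy attempts (CONNECT, or an absolute URI aimed at a host that is not ours). The sample log lines are constructed, the client addresses and `www.example.net` are placeholders, and the combined `LogFormat` is an assumption; adjust `LOG_RE` for a custom format.

```python
"""Added example: pick out Zope fingerprint probes and open-proxy attempts
from Apache access-log lines, as discussed in the thread."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format (assumed; adjust LOG_RE for a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths named in the thread that give away a Zope server. Substring match, so
# they are caught under any virtual-host prefix.
ZOPE_FINGERPRINTS = (
    "/misc_/SiteAccess/VirtualHostMonster.gif",
    "/p_/zopelogo_jpg",
    "/HelpSys",
)
VHM_PROBE_RE = re.compile(r"/vhm//", re.IGNORECASE)   # the "site/vhm//" probe

def classify(method, target, our_hosts):
    """Label one request line, or return None if it is not interesting."""
    # CONNECT is only meaningful to a forward proxy.
    if method == "CONNECT":
        return "open-proxy"
    # An absolute URI in the request line is how a client talks to a forward
    # proxy; HTTP/1.1 also allows it for our own host, so exclude those.
    if re.match(r"https?://", target, re.IGNORECASE):
        parts = urlsplit(target)
        if (parts.hostname or "").lower() not in our_hosts:
            return "open-proxy"
        target = parts.path
    lowered = target.lower()
    if any(fp.lower() in lowered for fp in ZOPE_FINGERPRINTS):
        return "zope-fingerprint"
    if VHM_PROBE_RE.search(target):
        return "vhm-probe"
    return None

def scan(lines, our_hosts=()):
    """Return {label: [(client_ip, target, status), ...]} over the given lines."""
    our_hosts = {h.lower() for h in our_hosts}
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        label = classify(m["method"], m["target"], our_hosts)
        if label:
            hits[label].append((m["ip"], m["target"], int(m["status"])))
    return dict(hits)

def open_proxy_successes(hits):
    """Proxy attempts that did not get an error: the server actually forwarded them."""
    return [h for h in hits.get("open-proxy", []) if h[2] < 400]

# Constructed sample lines (not real traffic); the hostnames are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2003:09:12:01 -0800] "GET /misc_/SiteAccess/VirtualHostMonster.gif HTTP/1.0" 200 1032 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2003:09:12:02 -0800] "GET /p_/zopelogo_jpg HTTP/1.0" 200 3114 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2003:09:12:03 -0800] "GET /site/vhm// HTTP/1.0" 404 215 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2003:09:12:05 -0800] "GET http://www.example.net/ HTTP/1.0" 403 290 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2003:09:12:06 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 403 290 "-" "Mozilla/4.0"
198.51.100.2 - - [15/Mar/2003:09:13:10 -0800] "GET /index_html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Mar/2003:09:13:11 -0800] "GET http://www.virtualhost.com/index_html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    hits = scan(lines, our_hosts=["www.virtualhost.com"])
    for label, entries in sorted(hits.items()):
        print(f"{label}: {len(entries)}")
        for ip, target, status in entries:
            print(f"  {ip} {status} {target}")
    if open_proxy_successes(hits):
        print("WARNING: some forward-proxy requests were served; check ProxyRequests")
```

Pass your own virtual host names in `our_hosts`, otherwise legitimate absolute-URI requests for your own site are counted as proxy attempts. The distinction that matters is the status code: 403/404 on the proxy bucket means Apache refused, while anything below 400 means it forwarded the request. On Apache that indicates `ProxyRequests On`; a reverse-proxy setup in front of Zope only needs `ProxyPass`/`ProxyPassReverse` and should run with `ProxyRequests Off`, with the `<Proxy>` access controls from the mod_proxy documentation Dylan links as the second line.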
Dylan Reinhardt wrote:
> Looking over the Apache logs a bit more carefully, I can see several requests of the form:
> http://www.virtualhost.com/misc_/SiteAccess/VirtualHostMonster.gif and http://www.virtualhost.com/p_/zopelogo_jpg
> Both of which will return graphics positively identifying your server as Zope unless you've taken measures to the contrary. Oops.

Hmm. There are a million ways to fingerprint Zope, I suppose those are as good as any. But check out OFS/Application.py for a nice fat sack of ideas. This is why I really want a tool that I can use to expose every possible object available for request that includes what you can obtain via acquisition. It would make locking down a Zope installation much easier.

> Around the same times as the probes for site/vhm//, there were several

That's pretty interesting... assuming they'd find the vhm object... what is there to do with it? I actually tried doing stuff like that a long time ago but I couldn't come up with anything useful to do with it, maybe I missed something. I do tend to use a random string generator when naming objects that have no direct traversal value though, I figure it can't hurt. I looked through my logs for the past week, I didn't see any similar signs of curiosity apart from my own attempts.

--
Jamie Heilman                     http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
                                                -Sathington Willoughby
Hi,

On Sat, Mar 15, 2003 at 02:37:18PM -0800, Jamie Heilman wrote:
> Dylan Reinhardt wrote:
> > Both of which will return graphics positively identifying your server as Zope unless you've taken measures to the contrary. Oops.
> Hmm. There are a million ways to fingerprint Zope, I suppose those are as good as any.

http://www.yourserver.com/HelpSys clearly identifies Zope but also lists "some of" the installed products (those which have documentation). /HelpSys shouldn't be available to anonymous users. Knowing which products are installed, an attack is easier.

bye,
Jerome Alet
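As an added example serving both Dylan's advice (hide misc_/p_, turn off the Apache signature) and Jerome's point about /HelpSys, here is a small self-check an administrator can run against a virtual host after locking it down. It is editor's code, not from the thread or the Zope project. It requests the three fingerprint paths named in the thread and reports any that still answer 200, then looks at the Server header (governed by Apache's ServerTokens) and at whether a 404 page carries the footer that ServerSignature On adds. The `fetch` parameter is injectable so the checks can be exercised against canned responses; `MISSING_PATH` and the User-Agent string are hypothetical names chosen for this example.

```python
"""Added example: self-check that the fingerprint paths from the thread are
no longer served by a Zope site, and that Apache is not advertising itself."""
import sys
import urllib.error
import urllib.request

# Paths from the thread. A 200 on any of them tells a visitor this is Zope;
# /HelpSys additionally lists the installed products that ship help files.
FINGERPRINT_PATHS = {
    "/misc_/SiteAccess/VirtualHostMonster.gif": "Zope (VirtualHostMonster icon)",
    "/p_/zopelogo_jpg": "Zope (logo image)",
    "/HelpSys": "Zope help system (lists installed products)",
}
# Hypothetical path that should not exist; used to provoke an error page.
MISSING_PATH = "/zope-leak-check-this-should-be-404"

def http_fetch(url, timeout=5):
    """Return (status, headers, body) for a GET, using only the standard library."""
    req = urllib.request.Request(url, headers={"User-Agent": "zope-leak-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses still carry the headers and body we want to inspect.
        return err.code, dict(err.headers.items()), err.read()

def check_site(base_url, fetch=http_fetch):
    """Return a list of (what, detail) findings; an empty list means nothing obvious leaks.

    `fetch` is injectable so the checks can be run against canned responses."""
    base = base_url.rstrip("/")
    findings = []
    for path, what in FINGERPRINT_PATHS.items():
        status, _, _ = fetch(base + path)
        if status == 200:
            findings.append((path, what))

    # The Server header is governed by ServerTokens: "Apache/1.3.27 (Unix)" or
    # Zope's own "Zope/(...) ZServer/..." both carry a slash; "Apache" alone does not.
    _, headers, _ = fetch(base + "/")
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    if "/" in server or "zope" in server.lower():
        findings.append(("Server header", server))

    # ServerSignature On appends "<address>... Server at host Port n</address>"
    # to Apache-generated error pages.
    status, _, body = fetch(base + MISSING_PATH)
    if status == 404 and b"server at" in body.lower():
        findings.append(("ServerSignature", "Apache error pages carry the signature footer"))
    return findings

if __name__ == "__main__":
    results = check_site(sys.argv[1]) or [("ok", "no fingerprint leaks found")]
    for what, detail in results:
        print(f"{what}: {detail}")
```

Run it as `python check.py http://www.virtualhost.com` against each virtual host, not just the Zope root: the empty misc_ and p_ folders Dylan describes shadow those names only below the folder they sit in, so a virtual root that is elsewhere in the tree still acquires the originals. The Server header check is a heuristic; it flags any version string, which is what `ServerTokens Prod` removes.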