New Mod_Rewrite Signatures.
Published on: 1213677699
I got inspired by Paul & Larry from pauldotcom[1], who wrote about a peculiar issue regarding Httprint.[2] Httprint is a small application that lets you grab banners from servers, and interestingly, when using my mod_rewrite rules it sometimes guesses wrong or generates errors.[3] But more important to understand here is that you can trick this program into giving bogus data. You can do this by setting up a rule that returns bogus response documents, for example a 505 or a 501 document, to a request that is known to come from a banner grabbing program. To me that is the obvious and easiest way of diverting banner grabbing. Or, when serving up bogus data, you could track the attacker by logging specific attacks for IIS when he tries to attack you while running Apache.
I wrote a couple of rules that can detect it:
RewriteCond %{THE_REQUEST} ^.*(JUNK|/\.\./\.\./|\.asmx).* [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(HTTP/0\.8|HTTP/0\.9|HTTP/3\.0).* [NC]
Then it is a matter of deciding what you want to do with it. You could raise a bogus error document, or just deny the request being made.
More interestingly, almost any server has one or more default icons stored that identify the server. For example:
icon: iis51_6.gif for IIS.
icon: apache.gif for Apache.
Or in my case:
http://www.0x000000.com/icons/apache_pb.gif
It's easy to replace those images with something else, and I encourage you to do so if you like toying with this stuff. You can also deny the image being retrieved by banner grabbing and finger/foot printing programs by setting up another rule in your .htaccess or httpd.conf, whichever you have access to. Or you could serve up a huge 10MB icon to try to crash the program; be creative. I do advise using httpd.conf because it loads all the rules at startup without parsing the .htaccess for every request. But sometimes you have no access to it; in that case you can use a .htaccess instead.
RewriteCond %{REQUEST_URI} ^/(icons/apache_pb\.gif|icons/apache\.gif).* [NC]
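The conditions above, combined into one httpd.conf fragment with the bogus response, the icon denial and the separate logging the post describes. This is an added example, not the author's own configuration; the variable name bannergrab, the log path and the choice of 501 and 403 as responses are assumptions.

```apache
# Added example for httpd.conf (server or <VirtualHost> context).
# Assumptions: mod_rewrite is loaded, a "combined" LogFormat nickname is
# defined, and the variable name "bannergrab" and the log path are made up.
RewriteEngine On

# Request lines typical of a fingerprinting probe: a JUNK method, a
# traversal-style path, an IIS-only .asmx resource, or an odd HTTP version.
# Dots are escaped so they match literally instead of matching any character.
RewriteCond %{THE_REQUEST} (JUNK|/\.\./\.\./|\.asmx) [NC,OR]
RewriteCond %{THE_REQUEST} HTTP/(0\.8|0\.9|3\.0) [NC]
# Tag the request for logging and answer with a bogus 501.
# A non-3xx status in R= drops the substitution and stops rewriting.
RewriteRule ^ - [E=bannergrab:1,R=501]

# Refuse the default icons that give the server away (403 Forbidden).
RewriteCond %{REQUEST_URI} ^/icons/(apache_pb|apache)\.gif [NC]
RewriteRule ^ - [E=bannergrab:1,F]

# Tagged requests go to their own log so probes can be reviewed later.
CustomLog logs/bannergrab.log combined env=bannergrab
```

Each RewriteCond group applies only to the RewriteRule that directly follows it, which is why every group ends in its own rule.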
Overall, it's fun to trick banner grabbing programs. At least it keeps me busy every now and then. If you have more ways of diverting banner grabbing programs, please let me know and I will share them here.
[1] http://www.pauldotcom.com
[2] http://www.net-square.com/httprint/
[3] http://www.pauldotcom.com/wiki/index.php/Episode111