Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: [Roy Schestowitz cannot stop lying] [Rival] Another Major Site Runs Windows, Serves All Visitors with Malware After PWNAGE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 11 Nov 2007 12:37:51 -0600,
 Erik Funkenbusch <erik@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> On Sun, 11 Nov 2007 17:53:25 +0000 (UTC), p5000011 wrote:
>
>> On Sun, 11 Nov 2007 11:34:02 -0600, Erik Funkenbusch wrote:
>> 
>>> 
>>> You mean like Linux?  Which the IndiaTimes website runs and has been
>>> running for quite some time?
>>> 
>>> http://toolbar.netcraft.com/site_report?url=http://www.indiatimes.com
>>> 
>>> Why do you lie like this Roy?  IndiaTimes is not running Windows.  It runs
>>> Linux.  That means the *LINUX* site was compromised.
>>> 
>>> Oh, but i'm sure you'll just blame that on bad configuration or something
>>> (never mind that it's Akamai, one of the most knowledgeable companies about
>>> Linux running the site).  
>>> 
>>> So why lie and say the site runs Windows?  Why do you constantly lie, Roy?
>> 
>> hmm, they seem to be using akamai proxies:
>> 
>> lynx -head http://www.indiatimes.com
>> 
>>      HTTP/1.0 302 Moved Temporarily
>>      Server: AkamaiGHost
>>      Content-Length: 0
>>      Location: http://in.indiatimes.com
>>      Date: Sun, 11 Nov 2007 17:50:18 GMT
>> 
>> Now enter in.indiatimes.com into netcraft:
>> 
>>     Linux  	 Microsoft-IIS/6.0
>> 
>> So the proxy is running linux but the web server is running IIS.
>> 
>> Seems Roy was right. When can we expect your apology?
>
> No, Roy was not right.  This is a classic case of a web server trying to
> disguise what it's running.  It's easy to identify:
>
> lynx -head http://in.indiatimes.com
> 	HTTP/1.0 200 OK
> 	Server: Microsoft-IIS/6.0
> 	Content-Type: text/html
> 	Vary: Accept-Encoding
> 	Content-Encoding: gzip
> 	Expires: Sun, 11 Nov 2007 18:03:33 GMT
> 	Date: Sun, 11 Nov 2007 18:03:33 GMT
> 	Content-Length: 12102
> 	Connection: close
>
> Notice the order of the headers:
>
> lynx -head http://www.funkenbusch.com
>
> 	HTTP/1.1 302 Found
> 	Cache-Control: private
> 	Connection: close
> 	Date: Sun, 11 Nov 2007 18:07:04 GMT
> 	Content-Length: 152
> 	Content-Type: text/html; charset=utf-8
> 	Location: http://funkenbusch.com/default.aspx
> 	Server: Microsoft-IIS/6.0
> 	X-Powered-By: ASP.NET
> 	X-AspNet-Version: 2.0.50727
>
> Now, notice how the order is different?  Clearly, whatever server
> in.indiatimes.com is running is using a false server header, probably a
> lame attempt to confuse hackers.
>
> Further, there are no tell-tale signs of a Microsoft based server.  There
> are no ASP or similar session cookies.  Also, IIS doesn't use the "Vary"
> header.  Additionally, all the links on the site end in a .cms extension,
> which appears to be Enonic's CMS system which is an apache tomcat based
> system running Java, which means it can't be running IIS.  While it could
> be Apache on Windows... the fact that it is issuing an IIS header means
> it's lying about its web server, and given that the OS is fingerprinted as
> Linux, I'd say it's almost certainly Apache/Tomcat on Linux.
>
> So no, I'm not wrong.  Do a little more research.


Follow your own advice. 


The Vary header is often added by caching proxies; we do it here
via Akamai for reasons that I can't recall at the moment, something we
had to do for IE compat IIRC.


Since in.indiatimes.com is an Akamai host, you can't trust that the
headers you get from that are the same ones that the origin site sent
out. Without knowing what the origin site's IP/hostname is, you can't
get the raw headers, so all your stuff above is a waste of typing,
since Akamai can, and does, mess with the headers.

As far as your claims that they must be using Apache Tomcat because they
have .cms suffixes, that makes about as much sense as claiming a file
must be created by Notepad since it has a .txt extension. I suspect that
.cms for a *C*ontent *M*anagement *S*ystem is a pretty common extension
for in-house stuff.

Could it all be running on Linux? It's possible. Have you proven it? Or
even offered compelling evidence? No.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHONPgd90bcYOAWPYRAnHdAKCjCT8I/e10EJfd8pF717vFiZzFDgCfWaWw
2VtZFFq2asQQoQL7IokpsqQ=
=bWRI
-----END PGP SIGNATURE-----

-- 
Jim Richardson     http://www.eskimo.com/~warlock
If space is warped, time is all that's weft.

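The header-order argument above, worked through in code. This is an added example and is not code from Jim, Erik or anyone else in the thread; it takes the three `lynx -head` responses quoted in the thread (transcribed here as constructed sample input), builds a header-order signature the way Erik's argument does, and then applies Jim's objection: if there is any sign that the response came through a CDN or proxy (a Server token such as AkamaiGHost, a Via/X-Cache header, or the caller's own knowledge that the hostname resolves to a CDN edge), the order heuristic is reported as inconclusive rather than as evidence about the origin. The IIS 6 reference ordering is taken from the funkenbusch.com response, and the list of CDN tokens and proxy headers is an assumption for illustration.

```python
"""Fingerprint a web server from the order of its response headers, and
refuse to conclude anything when a proxy may have rewritten them.

Added example for this thread; not code from any of the posters.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample heads, transcribed from the responses quoted in the thread.
HEAD_AKAMAI_EDGE = """HTTP/1.0 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: http://in.indiatimes.com
Date: Sun, 11 Nov 2007 17:50:18 GMT
"""

HEAD_IN_INDIATIMES = """HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
Content-Type: text/html
Vary: Accept-Encoding
Content-Encoding: gzip
Expires: Sun, 11 Nov 2007 18:03:33 GMT
Date: Sun, 11 Nov 2007 18:03:33 GMT
Content-Length: 12102
Connection: close
"""

HEAD_FUNKENBUSCH = """HTTP/1.1 302 Found
Cache-Control: private
Connection: close
Date: Sun, 11 Nov 2007 18:07:04 GMT
Content-Length: 152
Content-Type: text/html; charset=utf-8
Location: http://funkenbusch.com/default.aspx
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
"""

# Assumed indicator lists for the example; extend for your own environment.
CDN_SERVER_TOKENS = ("akamaighost", "cloudflare", "varnish", "squid")
PROXY_HEADERS = ("via", "x-cache", "x-served-by")


def parse_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response head into (status line, ordered [(name, value)]).
    Header names are lower-cased; order is preserved, which is the whole point."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def order_signature(headers: List[Tuple[str, str]]) -> Tuple[str, ...]:
    return tuple(name for name, _ in headers)


def order_agreement(sig: Tuple[str, ...], ref: Tuple[str, ...]) -> Optional[float]:
    """Fraction of header pairs common to both signatures that appear in the
    same relative order.  None if fewer than two headers are shared."""
    common = [n for n in sig if n in ref]
    if len(common) < 2:
        return None
    agree = total = 0
    for i in range(len(common)):
        for j in range(i + 1, len(common)):
            total += 1
            if ref.index(common[i]) < ref.index(common[j]):
                agree += 1
    return agree / total


# Reference ordering for IIS 6 + ASP.NET, taken from the funkenbusch.com head.
IIS6_ASPNET_REFERENCE = order_signature(parse_head(HEAD_FUNKENBUSCH)[1])


@dataclass
class Assessment:
    claimed_server: str
    order_score: Optional[float]
    proxy_signs: List[str]
    verdict: str


def assess(raw: str, cdn_fronted: bool = False) -> Assessment:
    """cdn_fronted: caller's out-of-band knowledge (e.g. the hostname is a CNAME
    to a CDN edge), since the head alone need not reveal the proxy."""
    _, headers = parse_head(raw)
    hdr = dict(headers)
    claimed = hdr.get("server", "")
    signs = []
    if cdn_fronted:
        signs.append("host resolves to a CDN edge (caller-supplied)")
    if any(tok in claimed.lower() for tok in CDN_SERVER_TOKENS):
        signs.append(f"Server header names a proxy/CDN: {claimed}")
    signs += [f"{h} header present" for h in PROXY_HEADERS if h in hdr]

    score = None
    if "iis" in claimed.lower():
        score = order_agreement(order_signature(headers), IIS6_ASPNET_REFERENCE)

    if signs:
        verdict = "inconclusive"          # a proxy may have reordered/rewritten headers
    elif score is None:
        verdict = "no reference for claimed server"
    elif score >= 0.8:
        verdict = "consistent"
    else:
        verdict = "header order inconsistent with claimed server"
    return Assessment(claimed, score, signs, verdict)


if __name__ == "__main__":
    print(assess(HEAD_FUNKENBUSCH))
    print(assess(HEAD_IN_INDIATIMES))                    # Erik's reading: order disagrees
    print(assess(HEAD_IN_INDIATIMES, cdn_fronted=True))  # Jim's point: inconclusive
    print(assess(HEAD_AKAMAI_EDGE))
```

Run as-is, the in.indiatimes.com head scores 0.1 against the IIS 6 reference, which is the disagreement Erik noticed; the same head assessed with `cdn_fronted=True` comes back inconclusive, because nothing in a header order observed at an Akamai edge tells you what order the origin emitted. A practical fingerprinting tool should only score heads that it can show were not proxied, or fetch the origin directly once its address is known.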