[Dshield] Re: Dshield digest, Vol 1 #629 - 15 msgs

John Sage jsage at finchhaven.com
Sat May 25 17:19:56 GMT 2002


On Sat, May 25, 2002 at 09:35:56AM -0600, Steven Hull wrote:
> From this I determine that most of the servers in this report are Microsoft
> IIS.  And one Apache.  How would one determine that a server is a Red Hat
> Linux box when 99% of those boxes run Apache.  Apache can also be run on a
> Microsoft OS as well as a couple of others.  How can you determine one
> Linux/Unix server from another to be that specific of the operating
> system????
> 
> Steven Hull
> Networking Student

Use something like wget:

for x in `cat ip_list.txt`; do wget -S -t1 --spider -a responses.txt $x; done

where ip_list.txt is a text file of source IP addresses.

Then you get this sort of a thing into responses.txt:

--20:41:12--  http://12.4.240.219/
           => `index.html'
Connecting to 12.4.240.219:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:40:56 GMT
4 Connection: Keep-Alive
5 Content-Length: 1270
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDGQQGQVVG=ECFPEPPBKEEACMKKDAEKPFGJ; path=/
8 Cache-control: private
9 
200 OK


But if Apache, then this:

--20:44:53--  http://210.181.10.97/
           => `index.html'
Connecting to 210.181.10.97:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Date: Fri, 24 May 2002 03:44:29 GMT
3 Server: Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22
4 Last-Modified: Thu, 17 Jan 2002 09:23:41 GMT
5 ETag: "0-84b-3c46981d"
6 Accept-Ranges: bytes
7 Content-Length: 2123
8 Connection: close
9 Content-Type: text/html
10 
200 OK



Or, more simply, for one IP address, using lynx:

[toot@sparky ~]# lynx -head http://211.174.63.197/


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 25 May 2002 17:05:16 GMT
Connection: Keep-Alive
Content-Length: 14768
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGQQGBPC=BLNPIKGBBFNILHBMNFJCKPEC; path=/
Cache-control: private



- John
-- 
You simply can never have too many shells

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
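
An added example, not part of the original message: a small filter that turns a responses.txt log in the wget format shown above into one line per host with the Server product and, where the banner carries one, the parenthesised platform token such as (Win32), which is the part that speaks to the operating-system question. The function names and the sample log are constructed for illustration, and the Server header is whatever the remote administrator configured, so treat the result as a hint rather than proof.

```shell
# Added example: summarise Server banners from a `wget -S --spider -a` log.
# Prints one line per host: ip<TAB>product<TAB>platform
summarize_banners() {
    awk '
    function emit() {
        if (ip != "") printf "%s\t%s\t%s\n", ip, product, platform
    }
    # Request line, e.g.  --20:41:12--  http://192.0.2.10/
    /^--.*https?:\/\// {
        emit()
        ip = $0
        sub(/^.*https?:\/\//, "", ip)        # drop timestamp and scheme
        sub(/[^0-9A-Za-z.-].*$/, "", ip)     # drop port or path
        product = "(no Server header)"; platform = "-"
        next
    }
    # Header line; old wget prefixes a line number, newer wget indents.
    /^[ \t]*([0-9]+ )?[Ss]erver:/ {
        banner = $0
        sub(/^[^:]*:[ \t]*/, "", banner)
        product = banner
        sub(/ .*$/, "", product)             # first token, e.g. Apache/1.3.12
        platform = "-"
        # Apache puts the platform in parentheses, e.g. (Win32)
        if (match(banner, /\([^)]*\)/))
            platform = substr(banner, RSTART + 1, RLENGTH - 2)
    }
    END { emit() }
    ' "$@"
}

# Constructed sample log (documentation addresses, not real hosts).
sample_log() {
    cat <<'EOF'
--20:41:12--  http://192.0.2.10/
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:40:56 GMT

--20:44:53--  http://192.0.2.20/
HTTP request sent, awaiting response... 200 OK
2 Date: Fri, 24 May 2002 03:44:29 GMT
3 Server: Apache/1.3.12 (Win32) mod_ssl/2.6.4 OpenSSL/0.9.5a

--20:45:10--  http://192.0.2.30/
HTTP request sent, awaiting response... 200 OK
2 Date: Fri, 24 May 2002 03:45:02 GMT
EOF
}
```

Run it over a real log as `summarize_banners responses.txt`, or try the constructed data with `sample_log | summarize_banners`.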



