Fingerprinting Port 80 Attacks
pg writes "I found an interesting article on www.cgisecurity.com that explains common fingerprints in web server and web application attacks. It goes on to describe how to detect most known and unknown attacks. This may come in handy when trying to detect another internet worm."
formmail script exploits. Due to port 25 blocking, spammers are looking for exploitable formmail scripts to send their spam through. I guess the author just wanted to talk about root exploits, but there are other ways to abuse a web server.
No replies made to AC posts. Please log in.
One thing that I am surprised by is which ports the webserver can reach out on, and which ports the webserver can be accessed on. If you have access to a firewall, then the ONLY port that anyone should be able to connect to the webserver on is port 80 (or port 443, depending on if you use SSL). Also, you shouldn't let your webserver send any outgoing packets unless they are originating from port 80. This circumvents a lot of common attacks which involve any sort of remote 3rd party or involve any service other than HTTP.
Then we could couple it with my favorite idea for an Apache module: mod_labrea. This way any 'undesirable' HTTP exploit could be given a reverse DoS by keeping the connections alive and stalled for as long as possible.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
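The firewall policy described in the comment earlier in this thread (inbound only to port 80 or 443, outbound only from source port 80, with 443 added here for SSL replies) can be audited against firewall logs. This is an added example, not part of the original thread: the log lines are constructed, abbreviated netfilter LOG-style entries, and the server address 192.0.2.10 and all function names are assumptions.

```python
import re

# Constructed, abbreviated sample lines in the netfilter LOG key=value style.
# Addresses are documentation ranges; 192.0.2.10 is the assumed web server.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=80 SYN
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51600 DPT=22 SYN
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=51514 ACK
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40212 DPT=6667 SYN
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=UDP SPT=33000 DPT=69
"""

WEB_PORTS = {80, 443}
FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(FIELD.findall(line))

def violation(fields, server_ip):
    """Return a reason string if the packet breaks the policy, else None."""
    proto = fields.get("PROTO")
    spt, dpt = int(fields.get("SPT", 0)), int(fields.get("DPT", 0))
    if fields.get("DST") == server_ip and fields.get("IN"):
        # Inbound: only TCP to 80/443 is allowed.
        if proto != "TCP" or dpt not in WEB_PORTS:
            return f"inbound {proto}/{dpt} is not a web port"
    elif fields.get("SRC") == server_ip and fields.get("OUT"):
        # Outbound: only TCP replies sourced from 80/443 are allowed.
        if proto != "TCP" or spt not in WEB_PORTS:
            return f"outbound {proto} from source port {spt} to {fields.get('DST')}:{dpt}"
    return None

def audit(log_text, server_ip):
    """Return (line_number, reason) for every policy violation in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reason = violation(parse(line), server_ip)
        if reason:
            hits.append((n, reason))
    return hits

if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG, "192.0.2.10"):
        print(f"line {n}: {reason}")
```

Outbound hits are the ones worth alerting on: a web server that opens its own connections (source port outside 80/443) is the "remote 3rd party" pattern the comment wants blocked.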