Microsoft-IIS/6.0 serves up Debian... WTF!


Microsoft-IIS/6.0 serves up Debian... WTF!

Jim Popovitch
Well, I thought I had seen it all... but this takes the cake.

http://ike.egr.msu.edu/debian/pool/


-Jim P.


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: Microsoft-IIS/6.0 serves up Debian... WTF!

jeffry s
> Well, I thought I had seen it all... but this takes the cake.
>
> http://ike.egr.msu.edu/debian/pool/
>
>
> -Jim P.
>
>
> --
> To UNSUBSCRIBE, email to [hidden email]
> with a subject of "unsubscribe". Trouble? Contact
> [hidden email]
>
>

This is weird, but somehow it is hard to believe. It is possible to change
the identification string to anything, right? Maybe it is Apache but trying
to be IIS???




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Jim Popovitch
On Sun, Jun 8, 2008 at 2:05 AM,  <[hidden email]> wrote:
> This is weird, but somehow it is hard to believe. It is possible to change
> the identification string to anything, right? Maybe it is Apache but trying
> to be IIS???

That would be nice if true... but I seriously doubt that to be the case.

From: http://ike.egr.msu.edu/debian/pool/main/3/3ddesktop/
  3ddesktop_0.2.8-1.diff.gz 2005-Apr-08 05:32:08 7.1K application/x-gzip
  3ddesktop_0.2.8-1.dsc 2005-Apr-08 05:32:08 0.7K application/octet-stream
  3ddesktop_0.2.8-1_alpha.deb 2005-Apr-09 14:02:02 78.8K application/octet-stream
  ....

Everything other than .gz is type "application/octet-stream"; I bet if
we could see permissions they'd be 0777.

And then there is this:  http://ike.egr.msu.edu/server-status

It's mirrors like that that make me paranoid about Debian Security.

-Jim P.




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

JD. Brown
In reply to this post by jeffry s
On Sun, Jun 8, 2008 at 12:05 AM,  <[hidden email]> wrote:
>> Well, I thought I had seen it all... but this takes the cake.
>>
>> http://ike.egr.msu.edu/debian/pool/

For the heck of it, here is some info about them.

http://toolbar.netcraft.com/site_report?url=http://ike.egr.msu.edu

&

http://private.dnsstuff.com/tools/ipall.ch?ip=35.9.37.225&src=ShowIP

It looks like they were running Debian before and switched this month.
Seems very weird to me.


Regards,



--
JD. Brown

Linux User # 375995 - http://counter.li.org/

Debian - http://www.debian.org/intro/about




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Henri Salo-2
On Sun, 8 Jun 2008 01:27:06 -0600
"JD. Brown" <[hidden email]> wrote:

> On Sun, Jun 8, 2008 at 12:05 AM,  <[hidden email]> wrote:
> >> Well, I thought I had seen it all... but this takes the cake.
> >>
> >> http://ike.egr.msu.edu/debian/pool/
>
> For the heck of it, here is some info about them.
>
> http://toolbar.netcraft.com/site_report?url=http://ike.egr.msu.edu
>
> &
>
> http://private.dnsstuff.com/tools/ipall.ch?ip=35.9.37.225&src=ShowIP
>
> It looks like they were running Debian before and switched this month.
> Seems very weird to me.
>
>
> Regards,
>
That server looks like lighttpd.

--
Henri Salo <fgeek at fgeek.fi> +358407705733
GPG ID: 2EA46E4F  fp: 14D0 7803 BFF6 EFA0 9998  8C4B 5DFE A106 2EA4 6E4F


Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Nico Golde-9
Hi Henri,
* Henri Salo <[hidden email]> [2008-06-08 12:34]:
> On Sun, 8 Jun 2008 01:27:06 -0600
> "JD. Brown" <[hidden email]> wrote:
[...]
> > It looks like they were running Debian before and switched this month.
> > Seems very weird to me.
> >
>
> That server looks like lighttpd.

Yep, this is lighttpd and its mod_status. Microsoft-IIS/6.0
also has a different ordering of the HTTP response headers:
IIS:
HTTP/1.1 400 Bad Request
Content-Length: 39
Content-Type: text/html
Date: Sun, 08 Jun 2008 11:00:49 GMT
Connection: close

lighttpd:
HTTP/1.1 400 Bad Request
Connection: close
Content-Type: text/html
Content-Length: 349
Date: Sun, 08 Jun 2008 11:00:23 GMT

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - [hidden email] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

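Nico's header-order comparison, mechanised as an added Python example (not code from the thread or from either server project): it extracts the order in which response headers were emitted, checks it against the two orderings quoted in the post above, and flags a Server: banner that disagrees with the ordering. The two profiles are constructed from those two responses only, so a match is a hint rather than proof.

```python
from typing import Dict, List, Optional, Tuple

# Header orders taken from the two 400 responses quoted above; constructed
# reference profiles for this example only (real orders vary by version
# and module set, so treat a match as a hint, not proof).
KNOWN_ORDERS = {
    "Microsoft-IIS/6.0": ["Content-Length", "Content-Type", "Date", "Connection"],
    "lighttpd": ["Connection", "Content-Type", "Content-Length", "Date"],
}


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in the order the server emitted them."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def server_banner(raw_response: str) -> Optional[str]:
    """The Server: header value, or None if the server sends none."""
    for name, value in parse_headers(raw_response):
        if name.lower() == "server":
            return value
    return None


def order_consistent(observed: List[str], profile: List[str]) -> bool:
    """True if the headers common to both appear in the profile's relative order."""
    position = {name.lower(): i for i, name in enumerate(profile)}
    seen = [position[n.lower()] for n in observed if n.lower() in position]
    return len(seen) >= 2 and seen == sorted(seen)


def classify(raw_response: str) -> Dict:
    """Banner, profiles whose ordering fits, and whether the two agree."""
    observed = [name for name, _ in parse_headers(raw_response)]
    matches = [srv for srv, prof in KNOWN_ORDERS.items()
               if order_consistent(observed, prof)]
    banner = server_banner(raw_response)
    agrees = banner is not None and any(banner.startswith(m) for m in matches)
    return {"banner": banner, "order_matches": matches, "banner_consistent": agrees}


# Constructed sample: lighttpd's header order carrying an IIS banner.
SAMPLE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 349\r\n"
    "Date: Sun, 08 Jun 2008 11:00:23 GMT\r\n"
    "\r\n"
    "<html><body>400 Bad Request</body></html>"
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```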

Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Bernd Eckenfels
In reply to this post by Jim Popovitch
In article <[hidden email]> you wrote:
> It's mirrors like that that make me paranoid about Debian Security.

Why is that? IIS is the second most used web server on the market. And since
mirrors are not a trusted part of software distribution anyway, I don't see
an issue here.

Gruss
Bernd




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Jim Popovitch
On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels <[hidden email]> wrote:
> In article <[hidden email]> you wrote:
>> It's mirrors like that that make me paranoid about Debian Security.
>
> Why is that? IIS is the second most used web server on the market. And since
> mirrors are not a trusted part of software distribution anyway, I don't see
> an issue here.

Here's my issue, please correct me if I am wrong.  .debs and sigs both
exist on the same server.  If the Windows box/network is compromised,
then the sigs and debs can be modified and who would know?

-Jim P.




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Jim Popovitch
In reply to this post by Nico Golde-9
On Sun, Jun 8, 2008 at 7:02 AM, Nico Golde <[hidden email]> wrote:
> Yep, this is lighttpd and its mod_status.

OK (if true), I still question the need for posing as IIS, and
therefore I question the mirror operator's
intent/reasons/capabilities/interests/.... as well as security
capabilities.   Are they playing around by posing as IIS?  Is it meant
to deflect interest in a Linux box being on their network?  What is
the reason behind masquerading as something they aren't?

If they want to do this, fine.  But should they continue to be in
rotation for ftp.us.debian.org?

-Jim P.




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Jamie Jones-3
In reply to this post by Jim Popovitch
On Sun, 2008-06-08 at 14:58 -0400, Jim Popovitch wrote:

> On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels <[hidden email]> wrote:
> > In article <[hidden email]> you wrote:
> >> It's mirrors like that that make me paranoid about Debian Security.
> >
> > Why is that? IIS is the second most used web server on the market. And since
> > mirrors are not a trusted part of software distribution anyway, I don't see
> > an issue here.
>
> Here's my issue, please correct me if I am wrong.  .debs and sigs both
> exist on the same server.  If the Windows box/network is compromised,
> then the sigs and debs can be modified and who would know?
Any system, regardless of what operating system it is running, can be
compromised, and the sigs and debs can be "compromised". Remember
someone has admin rights, and/or physical access on those machines.

If that mirror makes you feel uneasy, use another mirror. It is, after
all, the mirror's prerogative to use whatever operating system they wish.

Regards,
Yagisan
--
GPG/PGP signed mail preferred.
PGP Key ID 0x4B6E7209
Fingerprint E1FD 9D7E 6BB4 1BD4 AEB9 3091 0027 CEFA 4B6E 7209


Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Jacob Appelbaum
In reply to this post by Jim Popovitch
Jim Popovitch wrote:

> On Sun, Jun 8, 2008 at 7:02 AM, Nico Golde <[hidden email]> wrote:
>> Yep, this is lighttpd and its mod_status.
>
> OK (if true), I still question the need for posing as IIS, and
> therefore I question the mirror operator's
> intent/reasons/capabilities/interests/.... as well as security
> capabilities.   Are they playing around by posing as IIS?  Is it meant
> to deflect interest in a Linux box being on their network?  What is
> the reason behind masquerading as something they aren't?
>

Only the operator would be able to answer this. It seems like there are
reasons for doing this. One of them is to obscure the actual platform
from someone just randomly google "hacking" their server by searching
for a specific banner string.

There are many, many more reasons for masquerading as something they aren't.

> If they want to do this, fine.  But should they continue to be in
> rotation for ftp.us.debian.org?
>

I think it's irrelevant. All that matters is that the packages are
available, valid, that they're properly signed and that users don't have
issues with the repository.

Regards,
Jacob Appelbaum




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Joey Hess
In reply to this post by Jim Popovitch
Jim Popovitch wrote:
> Here's my issue, please correct me if I am wrong.  .debs and sigs both
> exist on the same server.  If the Windows box/network is compromised,
> then the sigs and debs can be modified and who would know?

The security provided by a gpg signature is the difficulty in forging
the signature, not the server that serves it.

http://wiki.debian.org/SecureApt

--
see shy jo


Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Lasse Kliemann-17
In reply to this post by Jim Popovitch
* Message by -Jim Popovitch- from Sun 2008-06-08:

> On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels <[hidden email]> wrote:
> > In article <[hidden email]> you wrote:
> >> It's mirrors like that that make me paranoid about Debian Security.
> >
> > Why is that? IIS is the second most used web server on the market. And since
> > mirrors are not a trusted part of software distribution anyway, I don't see
> > an issue here.
>
> Here's my issue, please correct me if I am wrong.  .debs and sigs both
> exist on the same server.  If the Windows box/network is compromised,
> then the sigs and debs can be modified and who would know?
The one who checks the 'sigs' will know that, for an attacker will not be
able to forge cryptographic signatures for his modified packages. These ARE
cryptographic signatures, or am I mistaken? If I am, then of course you are
right, and the rationale behind the 'sigs' would have to be questioned in the
first place.

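Joey's and Lasse's point, that the host serving the files is irrelevant because verification happens on the client, as an added Python example (not code from the thread or from apt itself): it walks the SecureApt hash chain below the signed Release file, so a .deb or Packages index altered on the mirror fails to verify whatever web server handed it out. The Release.gpg signature check is gpg's job and is assumed to have already passed on the Release text; the archive files here are constructed sample data.

```python
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release: str) -> Dict[str, str]:
    """Map index path -> SHA256 from the 'SHA256:' list in a Release file."""
    sums, in_section = {}, False
    for line in release.splitlines():
        if not line.startswith(" "):          # a new top-level field
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, _size, path = line.split()
            sums[path] = digest
    return sums


def parse_packages(packages: str) -> Dict[str, str]:
    """Map Filename -> SHA256 for every stanza in a Packages index."""
    result, stanza = {}, {}
    for line in packages.splitlines() + [""]:
        if not line.strip():                  # blank line ends a stanza
            if "Filename" in stanza and "SHA256" in stanza:
                result[stanza["Filename"]] = stanza["SHA256"]
            stanza = {}
        elif not line.startswith(" ") and ":" in line:
            key, value = line.split(":", 1)
            stanza[key.strip()] = value.strip()
    return result


def verify_deb(release: str, index_path: str, packages: str,
               deb_path: str, deb: bytes) -> bool:
    """True only if the Release -> Packages -> .deb hashes chain correctly.

    'release' is assumed to be text whose Release.gpg signature gpg has
    already verified against the archive key (not done here).
    """
    if parse_release_sha256(release).get(index_path) != sha256_hex(packages.encode()):
        return False   # index altered, or not covered by the signed Release
    expected = parse_packages(packages).get(deb_path)
    return expected is not None and expected == sha256_hex(deb)


# Constructed sample archive: a fake .deb, its Packages stanza and a Release
# file computed over that index.
DEB_PATH = "pool/main/3/3ddesktop/3ddesktop_0.2.8-1_alpha.deb"
DEB = b"!<arch>\nconstructed fake package body, not a real .deb\n"
PACKAGES = (
    "Package: 3ddesktop\nVersion: 0.2.8-1\nArchitecture: alpha\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n\n"
)
INDEX_PATH = "main/binary-alpha/Packages"
RELEASE = (
    "Origin: Debian\nSuite: stable\nArchitectures: alpha\nSHA256:\n"
    f" {sha256_hex(PACKAGES.encode())} {len(PACKAGES)} {INDEX_PATH}\n"
)

if __name__ == "__main__":
    print("genuine .deb:", verify_deb(RELEASE, INDEX_PATH, PACKAGES, DEB_PATH, DEB))
    print("altered .deb:", verify_deb(RELEASE, INDEX_PATH, PACKAGES, DEB_PATH, DEB + b"x"))
```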

Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Simon Valiquette
In reply to this post by Jim Popovitch

Jim Popovitch once wrote:
>>
>> Yep, this is lighttpd and its mod_status.
>
> OK (if true), I still question the need for posing as IIS, and
> therefore I question the mirror operator's
> intent/reasons/capabilities/interests/.... as well as security
> capabilities.   Are they playing around by posing as IIS?  Is it meant
> to deflect interest in a Linux box being on their network?  What is
> the reason behind masquerading as something they aren't?

  My best guess is that it is security by obscurity.  Personally, I
often configure mail servers to claim to be another mail server, running
on a different operating system and with some ad hoc version number that
seems reasonable.

  The idea is that script kiddies, and many other attackers, will waste
time using attacks that have no chance of succeeding, giving you an
opportunity to detect and block an attack before it really starts.

  Except for buying you a bit of time, in practice it doesn't add much
real security against a determined attacker, but it is very useful
for honeypots.

>
> If they want to do this, fine.  But should they continue to be in
> rotation for ftp.us.debian.org?

  Personally, I would have chosen to impersonate a web server other than
IIS, but except for that I see no problem with what they have done.


  I don't see why you want them to be removed from ftp.us.debian.org,
except that you don't like to see them lying about the server application
and version they use, which is something done by a lot of people on
production systems that directly face the Internet.

Simon Valiquette






Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Rick Moen
Quoting Simon Valiquette ([hidden email]):

>  Personally, I would have chosen to impersonate a web server other than
> IIS, but except for that I see no problem with what they have done.

It also could be just a case of the sysadmin amusing him/herself:  Back
in the day, I used to edit /etc/{issue|issue.net} to make the system
claim to be a Super Nintendo, just for laughs.

--
Cheers,                  "Entia non sunt multiplicanta praeter necessitatem."
Rick Moen                                         -- William of Ockham (attr.)
[hidden email]




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Jim Popovitch
In reply to this post by Simon Valiquette
On Sun, Jun 8, 2008 at 5:30 PM, Simon Valiquette <[hidden email]> wrote:

> Jim Popovitch once wrote:
>>
>> If they want to do this, fine.  But should they continue to be in
>> rotation for ftp.us.debian.org?
>
>  Personally, I would have chosen to impersonate a web server other than
> IIS, but except for that I see no problem with what they have done.
>
>
>  I don't see why you want them to be removed from ftp.us.debian.org,
> except that you don't like to see them lying about the server application
> and version they use, which is something done by a lot of people on
> production systems that directly face the Internet.

The reason is this:  *if* they are using "security by obscurity", then
that raises the bigger question of their security knowledge and
capabilities.   That would be enough for me to remove them from
distributing software to others from my domain (ftp.us.debian.org).

-Jim P.




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Jacob Appelbaum
Jim Popovitch wrote:

> On Sun, Jun 8, 2008 at 5:30 PM, Simon Valiquette <[hidden email]> wrote:
>> Jim Popovitch once wrote:
>>> If they want to do this, fine.  But should they continue to be in
>>> rotation for ftp.us.debian.org?
>>  Personally, I would have chosen to impersonate a web server other than
>> IIS, but except for that I see no problem with what they have done.
>>
>>
>>  I don't see why you want them to be removed from ftp.us.debian.org,
>> except that you don't like to see them lying about the server application
>> and version they use, which is something done by a lot of people on
>> production systems that directly face the Internet.
>
> The reason is this:  *if* they are using "security by obscurity", then
> that raises the bigger question of their security knowledge and
> capabilities.   That would be enough for me to remove them from
> distributing software to others from my domain (ftp.us.debian.org).
>

Your thoughts on this subject are really fascinating. Because while I
agree that the idea of "security by obscurity" as the only line of
defense is flawed, you're making assumptions and value judgments that
seem beyond your abilities. I question your security knowledge and
capabilities.

How would you feel if they used a firewall that obscured their TCP
stack? Or if they dropped ICMP time stamp requests? Or used address
space randomization to stop certain types of remote code execution? Or
what if they removed all real version strings from all software that
they used that faces the internet?

Do you really think that obscurity as *part* of your security plan is
only negative? And do you really think that you know their entire
security plan?

I think not. In addition, I think the mere fact that they took the time
to customize their banner shows that they're at least thinking about the
problem. Even if we agree that it is flawed to *only* try hiding version
strings, you don't know that this is all they are doing. Personally, I
think it's worse to print proper version strings and feel so smugly
about it. It is not as if being honest about this little detail somehow
protects people using your Debian mirror.

Have you found some actual security issue with the mirror? Are the
packages tampered with? Are the signatures invalid?

If so, have you tried contacting the administrator of the mirror?

Regards,
Jacob Appelbaum




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Anderson Kaiser
In reply to this post by Joey Hess
2008/6/8 Joey Hess <[hidden email]>:
> Jim Popovitch wrote:
> > Here's my issue, please correct me if I am wrong.  .debs and sigs both
> > exist on the same server.  If the Windows box/network is compromised,
> > then the sigs and debs can be modified and who would know?
>
> The security provided by a gpg signature is the difficulty in forging
> the signature, not the server that serves it.
>
> http://wiki.debian.org/SecureApt
>
> --
> see shy jo


Well,

The TTL from this server is equal to 64, the default TTL on Debian.

See my tests from Brazil:

I use:

# tracert ike.egr.msu.edu

It returns 25 hops.

The TTL returned is 39.

39 + 25 = 64 TTL

root@k41s3r:~# ping ike.egr.msu.edu
PING ike.egr.msu.edu (35.9.37.225) 56(84) bytes of data.
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=1 ttl=39 time=315 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=2 ttl=39 time=289 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=3 ttl=39 time=317 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=4 ttl=39 time=326 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=5 ttl=39 time=308 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=7 ttl=39 time=272 ms



--
Anderson Kaiser
[hidden email]
Linux User #: 426240
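Anderson's TTL arithmetic as an added Python example (not code from the thread): it reads the ttl= values out of ping output, infers the nearest common initial TTL, and checks the hop count that implies against the traceroute count, allowing a small tolerance because return paths are often asymmetric. The ping lines are the ones from the post above; the OS hints are a constructed table, and the initial TTL is tunable on every OS, so this is a hint, not an identification.

```python
import re
from typing import Dict, List, Optional

# Initial TTLs most stacks use; each router hop decrements the value by one.
COMMON_INITIAL_TTLS = (64, 128, 255)
# Constructed hints for this example; real fingerprint databases are far
# more detailed, and the initial TTL is tunable on every OS.
OS_HINT = {64: "Linux/Unix-like (Debian default)", 128: "Windows",
           255: "BSD-derived or network device"}
TTL_FIELD = re.compile(r"\bttl=(\d+)\b")


def observed_ttls(ping_output: str) -> List[int]:
    """Every ttl= value in ping output, in order of appearance."""
    return [int(m.group(1)) for m in TTL_FIELD.finditer(ping_output)]


def infer_initial_ttl(observed: int) -> Optional[int]:
    """Smallest common initial TTL at or above the observed value."""
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial
    return None


def analyse(ping_output: str, traceroute_hops: int, tolerance: int = 2) -> Dict:
    """Infer initial TTL and OS hint, and cross-check the implied hop count."""
    ttls = observed_ttls(ping_output)
    if not ttls:
        raise ValueError("no ttl= fields found in ping output")
    ttl = max(ttls)            # a load balancer may answer with several hosts
    initial = infer_initial_ttl(ttl)
    hops = initial - ttl if initial is not None else None
    return {
        "observed_ttl": ttl,
        "ttl_varies": len(set(ttls)) > 1,
        "initial_ttl": initial,
        "os_hint": OS_HINT.get(initial, "unknown"),
        "hops_from_ttl": hops,
        # return paths are often asymmetric, so allow a few hops of slack
        "matches_traceroute": hops is not None
        and abs(hops - traceroute_hops) <= tolerance,
    }


# Ping lines from the post above, used here as sample input.
SAMPLE_PING = """\
PING ike.egr.msu.edu (35.9.37.225) 56(84) bytes of data.
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=1 ttl=39 time=315 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=2 ttl=39 time=289 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=3 ttl=39 time=317 ms
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_PING, traceroute_hops=25))
```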

Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Jim Popovitch
In reply to this post by Jacob Appelbaum
On Sun, Jun 8, 2008 at 7:00 PM, Jacob Appelbaum <[hidden email]> wrote:
> Your thoughts on this subject are really fascinating. Because while I
> agree that the idea of "security by obscurity" as the only line of
> defense is flawed, you're making assumptions and value judgments that
> seem beyond your abilities. I question your security knowledge and
> capabilities.

Yeah, yeah.  Whatever dude.

> [snip, snip]

> Have you found some actual security issue with the mirror? Are the
> packages tampered with? Are the signatures invalid?

No, I haven't found an actual security issue with the mirror.  And I
don't believe in waiting for someone to raise a security issue to
determine the actual security of a system.  Surely you would agree
that there are acceptable minimums.  I do think that it would be
prudent for the Debian Security and Mirror teams to know the specifics
about their mirror ops.  And I say that as former v.d.o mirror op,
where my experience revealed little concern over mirror operators.

The mirror in this instance seems to fall into one of two cases:
   1)  Security by Obscurity plus possible unknown foo.
   2)  Bored opers having fun.

I would think that neither of those cases immediately passes muster
with concerned security minded folks.  And, just because you are OK
with it, it doesn't mean I have to be. ;-)

-Jim P.




Re: Microsoft-IIS/6.0 serves up Debian... WTF!

Peter Palfrader
On Sun, 08 Jun 2008, Jim Popovitch wrote:

> I would think that neither of those cases immediately passes muster
> with concerned security minded folks.  And, just because you are OK
> with it, it doesn't mean I have to be. ;-)

Clearly the people in charge are.  Can we move on to relevant stuff now?

--
weasel


