Re: Unusual Web Server

From: Bill Pennington (billp@boarder.org)
Date: Tue Jul 08 2003 - 15:37:20 EDT


I am pretty sure that is a Domino web server though I am not 100% sure.

I would try using netcat
http://www.atstake.com/research/tools/network_utilities/ instead of
telnet. Many versions of telnet try to send a userid as part of the
connection and I think that is why you are getting the "400 Bad
Request" initially.

A request to try:

OPTIONS * HTTP/1.1
Host: host.foobar.com

This will generally spill the beans.

On Tuesday, July 8, 2003, at 11:45 AM, "" <charrin2@maine.rr.com> wrote:

> All,
>
> I have found a web server that I cannot identify. It is listening on port
> 5050. When I telnet to it I get:
>
> telnet host.foobar.com 5050
> Trying 10.10.10.10...
> Connected to host.foobar.com.
> Escape character is '^]'.
>
> HTTP/1.1 400 Bad Request
> Date: Tue, 8 July 2003 14:59:05
> Server: Web/R5_2_2
>
> 400 Bad Request
> Connection closed by foreign host.
>
>
> If I try to browse to it I am prompted for a username / password. After
> entering the wrong password I get the usual 401 unauthorized. The default
> page is layout.html
>
> Any help would be appreciated.
>
> --Chris
>
>
>
> ---------------------------------------------------------------------------
> The Lightning Console aggregates IDS events, correlates them with
> vulnerability info, reduces false positives with the click of a
> button, and distributes this information to hundreds of users.
>
> Visit Tenable Network Security at http://www.tenablesecurity.com to learn
> more.
> ---------------------------------------------------------------------------
>
>

---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com
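
As an added example (not part of the original message), here is the OPTIONS request from the reply sent over a plain TCP socket, which like netcat transmits only the bytes given and none of telnet's extra negotiation, with the reply parsed for the headers that identify the server. The `Connection: close` header, the `DISCLOSING` list, the function names and the sample 200 response are assumptions of this example; run `probe()` against a server you operate to see what it reveals.

```python
import socket

# Headers that commonly reveal product or capabilities (this list is an assumption).
DISCLOSING = ("server", "allow", "public", "x-powered-by", "via")

# The 400 response quoted in the thread, and a constructed 200 reply to OPTIONS.
PAGE_400 = (b"HTTP/1.1 400 Bad Request\r\nDate: Tue, 8 July 2003 14:59:05\r\n"
            b"Server: Web/R5_2_2\r\n\r\n400 Bad Request")
SAMPLE_200 = (b"HTTP/1.1 200 OK\r\nServer: ExampleServer/1.0\r\n"
              b"Allow: GET, HEAD, OPTIONS\r\nContent-Length: 0\r\n\r\n")


def build_options_request(host):
    """Exact bytes of the probe: CRLF line endings, blank line ends the headers."""
    # Connection: close is added here so the server ends the stream after replying.
    return ("OPTIONS * HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into status code, reason and lower-cased headers."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "reason": parts[2] if len(parts) > 2 else "", "headers": headers}


def disclosed(parsed):
    """Return only the headers that identify the server or its allowed methods."""
    return {h: parsed["headers"][h] for h in DISCLOSING if h in parsed["headers"]}


def probe(host, port, timeout=5.0):
    """Send the OPTIONS request over a plain TCP socket and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    for sample in (PAGE_400, SAMPLE_200):
        p = parse_response(sample)
        print(p["status"], p["reason"], disclosed(p))
```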


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT