rss-bridge 2008-01-08T15:57:33+00:00

Strange Entries in your webserver logs, Wikto and questions about our Gender!

Over the past while we have been getting emails from people trying to figure out why they had entries like this in their http log files:

10.10.1.136 - - [32/Dec/2007:25:61:07 +0200] "GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -

Recently a concerned Wikto user figured out that this was linked to him using Wikto (our Win32 Nikto Replacement + Directory / File / Back-End Miner). A snippet from his email read:

-snip-

I sniffed the traffic going out from my host going to the target host and in fact this is the result:

HTTP GET /admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.0

All the requests are full of this… Well, at this point the questions are two:

1) You have a strange sense of humor.

2) You have been compromised. Waiting for a feedback,

-snip-

We replied to his email to allay his concerns, but the question comes up often enough, so I figured I would paste our response here:

-snip-

Hi XXXXX..

The quick short answer is: a strange sense of humour..

As you probably know, part of Wikto's advantage over other scanners is that it doesn't rely on the HTTP response code coming back from the server to make its decisions. This is why an HTTP server that responds with "friendly 404" messages (a 200 with an error) throws simple scanners off..

Instead Wikto asks for a resource that does not exist (but that looks similar to your request.. i.e. if you wanted login.asp we first look for [strange_file_that_will_never_be_there].asp and then we compare the response to looking for login.asp). If both pages return a similar result, even if it's not a 400 message, we can conclude that the resource isn't there.. During the last build our lead developer (ian@sensepost.com) had a minor turf war with one of our lead analysts (gareth@sensepost.com) that probably started over some life and death matter like coffee, pool or foosball..

Gareth used a host name of ian.devs.like.a.girl in some article/chapter he wrote on penetration testing, so when Ian needed a [strange_file_that_will_never_be_there] he came up with the obvious choice.. now everyone who scans using Wikto loudly testifies to:

a) our strange sense of humour

b) that Ian won that round! :>

-snip-

(In the new build this string is user configurable, so you can insult members of your team while pen-testing too..)

So there you have it.. If you have seen it in your logs:

a) Congrats! – The fact that you even check your logs is admirable

/mh

Oh.. for the "windows_sucks_and_i_dont_want_to_boot_a_vm_image_to_run_this_tool" brigade, I have it on good authority that Ian's Java port of Wikto (wiktoJ ?) is being dusted and polished.. so watch this space..
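For the admins who found these entries in the first place, here is an added example (not code from this post or from Wikto) that parses common-log-format lines like the one above and reports which source addresses requested the canary and which directories they probed with it. The log lines are constructed for the example, and the canary is the fixed string from the build discussed here; the newer build makes it user-configurable, so a different string needs its own pattern.

```python
import re
from collections import defaultdict

# Apache/NCSA common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The "file that will never be there" Wikto requests before each real probe
# (fixed string in the build discussed in the post; configurable in later builds).
WIKTO_CANARY = "dat_Gareth_at_sensepost_hackslikeagirl_"


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not common log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_wikto_scans(lines):
    """Map each source IP to the directories it probed with the Wikto canary.

    The canary request itself is expected to 404; what matters to a defender is
    which host sent it and which directories were being mined.
    """
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole scan
        idx = rec["path"].find(WIKTO_CANARY)
        if idx != -1:
            probes[rec["ip"]].append(rec["path"][:idx])  # directory prefix before the canary
    return dict(probes)


# Constructed sample log lines (not from any real server). The double slash in
# the path is kept because that is how the request shows up in the post.
SAMPLE_LOG = [
    '10.10.1.136 - - [08/Jan/2008:15:57:33 +0200] "GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -',
    '10.10.1.136 - - [08/Jan/2008:15:57:33 +0200] "GET //admin/login.asp HTTP/1.1" 200 1532',
    '10.10.1.136 - - [08/Jan/2008:15:57:34 +0200] "GET //backup/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -',
    '192.0.2.7 - - [08/Jan/2008:16:02:10 +0200] "GET /index.html HTTP/1.1" 200 4821',
    'this line is not in common log format and is ignored',
]

if __name__ == "__main__":
    for ip, dirs in find_wikto_scans(SAMPLE_LOG).items():
        print(f"{ip}: {len(dirs)} canary request(s), directories probed: {dirs}")
```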
