I recently wrote an article about a piece of software called ServerMask. The software is designed to obscure your Web server operating system from potential hackers. The software does a good job of covering the basics, and I recommend the software to those interested in making it more difficult for hacker’s to crack their system.
Nonetheless, there is still no foolproof method to deceive a determined hacker. At the end of the day, your Web server is what it is. For instance, though ServerMask will modify many server identifiers, IIS will always behave like an IIS server. In this article, I want to take a look at ways that a hacker could determine that the type of Web server you’re running is IIS. Where possible, I will show you some workarounds.
Your server’s code
The code for your Web site can be a dead giveaway as to your server’s true identity. While FrontPage 2003 does produce cleaner code than earlier versions of the software, it still leaves hints to its origins. In Figure A, you can see the code for an extremely simple static Web page. Notice in the figure, there are several lines of code that identify the page as being developed by FrontPage.
|Code developed in FrontPage contains identifying information.|
Obviously, it would be very easy to just remove the unwanted code. This would leave you with a generic HTML document, as shown in Figure B. Unfortunately, most Web sites do not use generic HTML documents. For example, when you add a theme to the site, FrontPage adds a metatag to each page that uses the name Microsoft Theme, as shown in Figure C. However, you can’t get rid of this tag or rename it because doing so prevents the Web site from applying the theme. The reason for this strict naming convention is because items like themes and style sheets use FrontPage Server Extensions. These extensions to the Web server allow the server to interpret certain FrontPage-specific commands. Thus, using FrontPage-specific commands in your Web site is another dead giveaway that the Web server is running FrontPage Server Extensions, and therefore is using IIS.
|You can remove FrontPage-specific tag lines.|
|FrontPage themes rely on FrontPage extensions to IIS.|
Dynamic pages more problematic
Today, most Web pages are dynamic and generated by server-side scripts. The main dynamic page type used by IIS is ASP (Active Server Pages). IIS is the only server platform that natively supports ASP. Therefore, if you code pages in ASP, it’s obvious that the server is running IIS.
Since the pages are generated dynamically at the server end, you might be wondering how a hacker could know what script type is being used. You can often tell by looking at the page’s code. However, you don’t have to get that complex. You can determine the script type just by looking at a page’s URL. For example, the name of the default page on my Web site is INDEX.ASP. As you can see in Figure D, you can simply look at the Internet Explorer address bar and tell this is an ASP page, and that my Web site is running IIS.
|You can often look at Internet Explorer’s address bar and determine what type of code the page is running.|
PHP as an alternative
For my Web site, I had scripts to make everything work. Although I could have done a lot of the site using Java script, Java just wasn’t a good fit for me because of potential compatibility and security issues. I therefore decided to use ASP. But suppose that I didn’t want to use ASP. What other options would I have had?
One option would have been to use PHP. PHP (Hypertext Preprocessor) can do a lot of the same things as ASP, but is actually faster and more efficient. The problem with PHP scripts is they are native to UNIX and Linux servers and do not run on IIS. However, you can go to the PHP Web site and download a module that will allow IIS to run PHP scripts. Although implementing PHP can be a little complex, doing so is a great way to disguise your Web server. Now, using ServerMask to make IIS appear as a UNIX server, and then writing your Web site in PHP will fool most hacker’s into thinking you are running on UNIX.
Another vulnerability and hope
There are other subtle, telltale signs that expose your server’s operating system. For example, every operating system implements the TCP/IP protocol stack somewhat differently. Thus, a sophisticated hacker could look at the packet formation and tell that the server is running a Microsoft operating system rather than a UNIX operating system.
Fortunately, most hackers will probably only check two or three identifying traits of the server. The vast majority of the Web servers out there do not try to obscure the type of software they are running. Therefore, a hacker has no reason to suspect that they are being lied to by the server. Hopefully this means they will try to hack your IIS Web server using techniques that would normally be used on a UNIX server. When things don’t work as expected, it won’t take a good hacker long to figure out that they have been deceived. By that time, hopefully, your intrusion detection software will have alerted you to the attempted hack.