Yep, this is old knowledge that we have known for a long time; I was just reminded of it again recently.

=======
[root@ip-elite-1337.org conf]# nmap -A server_ip -PN

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-03-23 20:30 MST
Interesting ports on ************
Not shown: 1659 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
42/tcp   filtered nameserver
69/tcp   filtered tftp
80/tcp   open     http?
111/tcp  open     rpcbind
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
162/tcp  filtered snmptrap
445/tcp  filtered microsoft-ds
631/tcp  open     http?
835/tcp  open     http?
1080/tcp filtered socks
1241/tcp filtered nessus
3128/tcp filtered squid-http
3306/tcp open     mysql
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=4.11%I=7%D=3/23%Time=4F6D3FE1%P=i686-redhat-linux-gnu%r(Ge
SF:tRequest,8F,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20nginx\r\nDate:\x20Sat
SF:,\x2024\x20Mar\x202012\x2002:29:17\x20GMT\r\nContent-Type:\x20text/html
SF:\r\nConnection:\x20close\r\nX-Powered-By:\x20PHP/5\.2\.8\r\n\r\ntes")%r
SF:(HTTPOptions,137,"HTTP/1\.1\x20405\x20Not\x20Allowed\r\nServer:\x20ngin
SF:x\r\nDate:\x20Sat,\x2024\x20Mar\x202012\x2002:29:17\x20GMT\r\nContent-T
SF:ype:\x20text/html\r\nContent-Length:\x20166\r\nConnection:\x20close\r\n
SF:\r\n\r\n405\x20Not\x20Allowed\r\n\r\n

No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=3/23%Tm=4F6D3FF0%O=80%C=1)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 2.519 days (since Wed Mar 21 08:03:40 2012)

Nmap finished: 1 IP address (1 host up) scanned in 23.353 seconds
==========

Since we don't need ports 111, 631, 835 and 3306 (tcp) to be open to outsiders, we had better filter them. First of all check your interface; here we have eth0 and an alias of eth0, eth0:0:

Apply these netfilter rules:
====
service iptables start
# drop inbound TCP on eth0 to the services that should not be public
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 111 -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 631 -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 835 -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j DROP
service iptables save
====

Then it's better now:
===
[root@h4x0r]# nmap -A server_ip -PN

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-03-23 20:30 MST
Interesting ports on *********************88888
Not shown: 1659 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
42/tcp   filtered nameserver
69/tcp   filtered tftp
80/tcp   open     http?
111/tcp  filtered rpcbind
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
162/tcp  filtered snmptrap
445/tcp  filtered microsoft-ds
631/tcp  filtered ipp
835/tcp  filtered unknown
1080/tcp filtered socks
1241/tcp filtered nessus
3128/tcp filtered squid-http
3306/tcp filtered mysql
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
===

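To confirm from scan output that the filter rules did what was intended, here is an added example that is not part of the original post. `unexpected_open` is a hypothetical helper, and the allowlist of port 80 is an assumption drawn from the post leaving only that port open.

```shell
#!/bin/sh
# Added example (not from the original post): list TCP ports that a scan
# reports as "open" but that are not on the allowlist of public services.

# Port rows copied from the "before" scan in the post (abridged).
SCAN_BEFORE='PORT STATE SERVICE VERSION
25/tcp filtered smtp
80/tcp open http?
111/tcp open rpcbind
631/tcp open http?
835/tcp open http?
3306/tcp open mysql
6667/tcp filtered irc'

# Port rows copied from the "after" scan in the post (abridged).
SCAN_AFTER='PORT STATE SERVICE VERSION
25/tcp filtered smtp
80/tcp open http?
111/tcp filtered rpcbind
631/tcp filtered ipp
835/tcp filtered unknown
3306/tcp filtered mysql
6667/tcp filtered irc'

# unexpected_open ALLOWLIST < nmap-output
# ALLOWLIST is a space-separated list of ports meant to be public.
# Prints one unexpected open port per line; exit status 1 if any were found.
unexpected_open() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Match rows like "111/tcp open rpcbind"; skip filtered and closed.
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, p, "/")
            if (!(p[1] in ok)) { print p[1]; bad = 1 }
        }
        END { exit bad }
    '
}

# Assumption: only port 80 is meant to be reachable from outside.
echo "before:" $(printf '%s\n' "$SCAN_BEFORE" | unexpected_open "80")
echo "after: " $(printf '%s\n' "$SCAN_AFTER"  | unexpected_open "80")
```

Run against the rule set itself, the same idea catches a rule written for the wrong port: the scan, not the rule list, is what shows whether a port is still reachable.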
[fake fingerprinting]

Based on the scan above we can see what our server gives away to fingerprinting: nginx, the PHP version, etc. To start with, we can disable the server token for nginx by adding:
===
server_tokens off;
====

In the nmap output we still see some default nginx fingerprint, for example:
===
head>400\x20Bad\x20Request\r\n\r\n400\x20Bad\x20Request\r\n
SF:nginx\
===

Let's make a fake 404 status page. Check your nginx.conf and you'll find the default 404, 500, 502, 503 and 504 status handling:
======
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root html;
}
=======

Let's make it simple:
=====
error_page 404 500 502 503 504 /50x.html;
location = /50x.html {
    root html;
}
====

As an example I use this:
=========
# cat 50x.html
server punya acong
=========

Then restart your httpd; as an example, here I use nginx:
====
[root@elite-box conf]# killall -9 nginx
[root@elite-box conf]# /usr/sbin/chroot /home/nginx /usr/local/nginx/sbin/nginx
====
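To check what a response still gives away after these changes, here is an added example that is not part of the original post. `banner_leaks` is a hypothetical helper; the first sample is rebuilt from the GetRequest probe in the scan, and the other two are constructed (nginx's stock error page and the custom 50x.html from above).

```shell
#!/bin/sh
# Added example, not from the original post: report which parts of an HTTP
# response still name the server software.

# banner_leaks < raw-http-response
# Prints "header: ..." for Server / X-Powered-By lines and "body: ..." for
# body lines naming nginx, Apache or PHP. Exit status 1 if anything leaked.
banner_leaks() {
    tr -d '\r' | awk '
        !in_body && /^$/ { in_body = 1; next }      # blank line ends headers
        !in_body {
            if (tolower($0) ~ /^(server|x-powered-by):/) { print "header: " $0; bad = 1 }
            next
        }
        tolower($0) ~ /nginx|apache|php/ { print "body: " $0; bad = 1 }
        END { exit bad }
    '
}

# Reply to the GetRequest probe, rebuilt from the scan output in the post.
RESP_GET=$(printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: nginx' \
    'Date: Sat, 24 Mar 2012 02:29:17 GMT' 'Content-Type: text/html' \
    'Connection: close' 'X-Powered-By: PHP/5.2.8' '' 'tes')

# Constructed sample: a 400 reply carrying nginx's stock error page.
RESP_DEFAULT=$(printf '%s\r\n' 'HTTP/1.1 400 Bad Request' 'Server: nginx' '' \
    '<html>' '<head><title>400 Bad Request</title></head>' \
    '<body>' '<center><h1>400 Bad Request</h1></center>' \
    '<hr><center>nginx</center>' '</body>' '</html>')

# Constructed sample: a 404 served from the custom 50x.html shown above.
RESP_CUSTOM=$(printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: nginx' \
    'Content-Type: text/html' '' 'server punya acong')

for name in RESP_GET RESP_DEFAULT RESP_CUSTOM; do
    eval "resp=\$$name"
    echo "== $name"
    printf '%s\n' "$resp" | banner_leaks || true
done
```

The custom page clears the body, but the `Server: nginx` header is still reported because `server_tokens off` only removes the version number. The 400 and 405 replies seen in the scan are not among the codes the `error_page` line lists, so those replies keep the stock page.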