Fingerprinting (potential) Sinkhole Server
Posted: July 1st, 2014 | Author: xanda | Filed under: IT Related | Tags: sinkhole

A short update, a note for myself.
Last May, while discussing with a friend, we concluded that these 2 HTTP header examples indicate that those servers are sinkhole servers:

    HTTP/1.0 200 OK
    Server: Apache 1.0/SinkSoft
    Date: Tue, 27 May 2014 06:11:29 GMT
    Content-Length: 0
    Connection: close

    HTTP/1.1 200 OK
    Date: Mon, 26 May 2014 07:26:20 GMT
    Server: Apache/2.2.20 (Ubuntu)
    X-Sinkhole: malware-sinkhole
    Vary: Accept-Encoding
    Content-Length: 0
    Content-Type: text/html

So we can look for:
- Apache 1.0/SinkSoft
- X-Sinkhole:
Today, I’ve found “Server: TornadoServer” is another indicator. But I’m not yet 100% sure. Comments are welcome.
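
One way to turn these indicators into a check over captured response headers, as an added example that is not from the original post. The function names and confidence labels are assumptions; the TornadoServer match is labelled unconfirmed because the post itself is not yet sure of it.

```python
# Added example: indicator strings come from the post; names and labels are assumptions.
from email.parser import Parser  # HTTP header blocks parse as RFC 822-style headers

def parse_response_head(raw):
    """Split a raw HTTP response into (status_line, headers), ignoring any body."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    return status_line.strip(), headers

def sinkhole_indicators(raw):
    """Return a list of (indicator, confidence) pairs found in the response head."""
    _, headers = parse_response_head(raw)
    servers = [v.strip().lower() for v in headers.get_all("Server", [])]
    hits = []
    if "apache 1.0/sinksoft" in servers:
        hits.append(("Server: Apache 1.0/SinkSoft", "high"))
    if headers.get_all("X-Sinkhole"):  # header names match case-insensitively
        hits.append(("X-Sinkhole: " + headers["X-Sinkhole"].strip(), "high"))
    # Prefix match so a version suffix after the product name is still caught.
    if any(s.startswith("tornadoserver") for s in servers):
        hits.append(("Server: TornadoServer", "unconfirmed"))
    return hits

# post_1 and post_2 are the two responses quoted in the post;
# tornado and benign are constructed samples.
SAMPLES = {
    "post_1": "HTTP/1.0 200 OK\r\nServer: Apache 1.0/SinkSoft\r\n"
              "Date: Tue, 27 May 2014 06:11:29 GMT\r\nContent-Length: 0\r\n"
              "Connection: close\r\n\r\n",
    "post_2": "HTTP/1.1 200 OK\r\nDate: Mon, 26 May 2014 07:26:20 GMT\r\n"
              "Server: Apache/2.2.20 (Ubuntu)\r\nX-Sinkhole: malware-sinkhole\r\n"
              "Vary: Accept-Encoding\r\nContent-Length: 0\r\n"
              "Content-Type: text/html\r\n\r\n",
    "tornado": "HTTP/1.1 200 OK\r\nserver: TornadoServer/0.0\r\n"
               "Content-Length: 0\r\n\r\n",
    "benign": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
              "Content-Type: text/html\r\n\r\n<html>X-Sinkhole: in body</html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sinkhole_indicators(raw))
```

The benign sample carries the string `X-Sinkhole:` in its body to show that only the header block is inspected.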