Over the past while we have been getting emails from people trying to figure out why they had entries like this in their HTTP log files:
10.10.1.136 - - [32/Dec/2007:25:61:07 +0200] "GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -
Recently a concerned Wikto user figured out that this was linked to him using Wikto (our Win32 Nikto replacement plus directory/file/back-end miner). A snippet from his email read:
-snip-
I sniffed the traffic going out from my host going to the target host and in fact this is the result:
HTTP GET /admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.0
All the requests are full of this… Well, at this point the questions are two:
1) You have a strange sense of humor.
2) You have been compromised. Waiting for feedback,
-snip-
We replied to his email to allay his concerns, but the question comes up often enough, so I figured I would paste our response here:
-snip-
Hi XXXXX..
The quick short answer is: a strange sense of humour..
As you probably know, part of Wikto's advantage over other scanners is
that it doesn't rely on the HTTP response code coming back from the
server to make its decisions. This is why an HTTP server that responds
with "friendly 404" messages (a 200 with an error) throws simple scanners
off..
Instead Wikto asks for a resource that does not exist (but that looks
similar to your request), i.e. if you wanted login.asp we first look for
[strange_file_that_will_never_be_there].asp and then we compare the
response to looking for login.asp.
If both pages return a similar result, even if it's not a 400 message, we
can conclude that the resource isn't there.. During the last build our
lead developer (ian@sensepost.com) had a minor turf war with one of our
lead analysts (gareth@sensepost.com) that probably started over some
life and death matter like coffee, pool or foosball..
Gareth used a host name of ian.devs.like.a.girl in some article/chapter
he wrote on penetration testing, so when ian needed a
[strange_file_that_will_never_be_there] he came up with the obvious
choice.. now everyone who scans using wikto loudly testifies to:
a) our strange sense of humour
b) that ian won that round! :>
-snip-
(In the new build this string is user-configurable, so you can insult members of your team while pen-testing too..)
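To make the "friendly 404" comparison concrete, here is a small Python model of the baseline check the email describes. It is an added illustration written for this post, not Wikto's own code: the sample HTML pages, the canary file name, the normalisation rules, the 0.9 similarity threshold and the helper names are all my own assumptions. The point it shows is that the decision is made on how alike two bodies are, with the status code deliberately ignored, so a server that answers 200 to everything does not fool the check.

```python
import difflib
import re

# Constructed "friendly 404" page: the server returns this with a 200 for any
# missing resource and echoes the requested path plus a varying request id.
FRIENDLY_404 = (
    "<html><head><title>Page not found</title></head><body>"
    "<h1>Sorry, we could not find that page</h1>"
    "<p>The resource {path} does not exist on this server. "
    "Please check the address or return to the <a href='/'>home page</a>.</p>"
    "<p>Request id: {rid}</p>"
    "</body></html>"
)

# Constructed page for a resource that really exists.
REAL_LOGIN = (
    "<html><head><title>Administrator login</title></head><body>"
    "<form method='post' action='/admin/login.asp'>"
    "<label>User <input name='user'></label>"
    "<label>Password <input name='pass' type='password'></label>"
    "<input type='submit' value='Sign in'></form></body></html>"
)

# Assumed canary: a name that will never exist but "looks like" the real request.
CANARY_PATH = "/admin/zzqx_not_a_real_file_zzqx.asp"


def friendly_404(path: str, rid: int) -> str:
    """Simulate the server's catch-all error page for a missing path."""
    return FRIENDLY_404.format(path=path, rid=rid)


def normalize(body: str) -> str:
    """Strip the parts that legitimately differ between two error pages:
    digits (request ids, timestamps), whitespace and letter case."""
    body = re.sub(r"\d+", "0", body)
    body = re.sub(r"\s+", " ", body)
    return body.strip().lower()


def similarity(body_a: str, body_b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical after normalisation.
    autojunk is disabled so long pages are not distorted by the heuristic."""
    return difflib.SequenceMatcher(
        None, normalize(body_a), normalize(body_b), autojunk=False
    ).ratio()


def probably_exists(baseline_body: str, candidate_body: str,
                    threshold: float = 0.9) -> bool:
    """Baseline is the response for the canary (known not to exist).
    If the candidate looks just like it, the candidate does not exist either.
    Status codes are intentionally not consulted."""
    return similarity(baseline_body, candidate_body) < threshold


if __name__ == "__main__":
    baseline = friendly_404(CANARY_PATH, rid=48213)
    fake_login = friendly_404("/admin/login.asp", rid=48214)
    print("login.asp (friendly 404) exists:", probably_exists(baseline, fake_login))
    print("login.asp (real page) exists:   ", probably_exists(baseline, REAL_LOGIN))
```

Tuning the threshold is the whole game: too high and a page that embeds the request path in its error text looks "different" for every name, too low and a genuinely distinct page is dismissed. Normalising volatile fields before comparing (as `normalize` does) is what keeps the baseline stable across requests.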
So there you have it.. If you have seen it in your logs:
a) Congrats! – The fact that you even check your logs is admirable
b) Don't worry (unless you have hidden directories, backup files, etc. lying around, 'cause chances are Wikto will find them)
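For those who do check their logs, here is an added Python example (written for this post, not part of Wikto or SensePost's tooling) that pulls the request path out of combined-format log lines and flags two things: the default canary file name quoted above, and any single source asking for an unusually large number of distinct paths. The second heuristic matters because the canary string is user-configurable in the new build, so a scan with a renamed canary still leaves a recognisable footprint. The log lines, the "hackslikeagirl" marker and the distinct-path threshold are my own constructed assumptions.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real data). The first source replays the
# kind of directory/file probing the post describes; the second is ordinary.
SAMPLE_LOG = """\
10.10.1.136 - - [11/Dec/2007:14:02:07 +0200] "GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -
10.10.1.136 - - [11/Dec/2007:14:02:07 +0200] "GET //admin/login.asp HTTP/1.1" 404 -
10.10.1.136 - - [11/Dec/2007:14:02:08 +0200] "GET /dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -
10.10.1.136 - - [11/Dec/2007:14:02:08 +0200] "GET /backup.zip HTTP/1.1" 404 -
192.168.5.20 - - [11/Dec/2007:14:03:11 +0200] "GET /index.html HTTP/1.1" 200 5120
192.168.5.20 - - [11/Dec/2007:14:03:12 +0200] "GET /favicon.ico HTTP/1.1" 404 -
"""

# Assumed default marker; the real value is whatever your Wikto build is set to.
DEFAULT_MARKERS = ("hackslikeagirl",)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def canary_hits(lines, markers=DEFAULT_MARKERS):
    """Map source IP -> list of requested paths containing a known canary."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if any(marker.lower() in path for marker in markers):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


def noisy_sources(lines, min_distinct_paths=3, status=None):
    """Map source IP -> number of distinct paths requested, keeping only
    sources at or above the threshold. Pass status="404" to count only
    misses; leave it None on a server that answers 200 to everything,
    since there the status code carries no information."""
    paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if status is not None and rec["status"] != status:
            continue
        paths[rec["ip"]].add(rec["path"])
    return {ip: len(p) for ip, p in paths.items() if len(p) >= min_distinct_paths}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("canary hits:  ", canary_hits(lines))
    print("noisy sources:", noisy_sources(lines, status="404"))
```

Run it and the first source is reported twice by the signature check and once by the volume check, while the second source, with a single miss, is not reported at all. On a real server the threshold should be set from a baseline of normal 404 rates rather than the tiny sample here.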
/mh
Oh.. for the "windows_sucks_and_i_dont_want_to_boot_a_vm_image_to_run_this_tool" brigade, I have it on good authority that ian's Java port of Wikto (wiktoJ ?) is being dusted and polished.. so watch this space..