Project 2068/11.1 - ObiWaN
Server responses to ObiWaN attacks
The OMNI httpd from Omnicron
had survived 1982 passwords. After this number of attempts there were 1989
connections in TIME_WAIT. No chance to connect to this site. Shutting down the
server and restarting it: no chance. The NT box was dead for port 80. NT becomes
very slow if you call "netstat". Everything else runs, but a restart of the
entire NT box is necessary.
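The TIME_WAIT pile-up described above is easy to miss until the server stops answering. The following script is an added example (not part of the original report or of the OMNI httpd) that parses netstat-style output, counts connection states per local port and per remote host, and raises an alert once TIME_WAIT on a port crosses a limit. The netstat sample and the threshold are constructed for the example.

```python
# Added example, not from the original report: count TCP connection states
# per local port from netstat-style output so that a TIME_WAIT pile-up on
# the web port is noticed before the listener stops accepting connections.
# SAMPLE_NETSTAT is constructed for this example (Windows-style columns).
import re
from collections import Counter

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:1025      TIME_WAIT
  TCP    192.0.2.10:80          198.51.100.7:1026      TIME_WAIT
  TCP    192.0.2.10:80          198.51.100.7:1027      ESTABLISHED
  TCP    192.0.2.10:139         198.51.100.8:1044      ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:1028      TIME_WAIT
"""

# proto, local addr:port, remote addr:port, state
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local_port, remote_host, state) for every TCP line; header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def count_states(text, port):
    """Counter of connection states seen on the given local port."""
    states = Counter()
    for local_port, _, state in parse_netstat(text):
        if local_port == port:
            states[state] += 1
    return states


def remote_hosts_in_state(text, port, state):
    """Counter of remote hosts holding connections in `state` on `port` (who is filling the table)."""
    hosts = Counter()
    for local_port, host, st in parse_netstat(text):
        if local_port == port and st == state:
            hosts[host] += 1
    return hosts


def exhaustion_alert(text, port, threshold):
    """True when TIME_WAIT connections on `port` exceed `threshold` (a site-specific limit; hypothetical here)."""
    return count_states(text, port)["TIME_WAIT"] > threshold


if __name__ == "__main__":
    print("states on :80 ->", dict(count_states(SAMPLE_NETSTAT, 80)))
    print("TIME_WAIT by remote host ->", dict(remote_hosts_in_state(SAMPLE_NETSTAT, 80, "TIME_WAIT")))
    print("alert at threshold 2 ->", exhaustion_alert(SAMPLE_NETSTAT, 80, 2))
```

On a box where netstat itself becomes slow under load, as the report notes for NT, poll it at a low rate and keep the threshold well under the size of the connection table, so the alert fires while the server still answers.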
Xitami Webserver 2.4
Xitami is a really nice free web server. It survived all tests and the
speed was OK (but Apache was faster for all users). ObiWaN was able to
find the passwords even in long test series; the answer times were lower
than Apache's. Logging can be a problem; it is not tested. But a logfile
cycle can only be configured at every restart.
A real security problem here: if you try to break into a Xitami server,
use a NULL string (no character, not a blank, nothing!) as username.
Possibly a super-mega-password is set up for this Xitami. If you
can break this password, everything is open to you. If you can't, use
the URI /admin/. If it is enabled and you find the username/password, you can
reconfigure all servers and you can see all usernames and passwords
in cleartext!
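Both findings above (a server that keeps answering password guesses, and a logging setup that is hard to rotate) come down to whether the operator can see a guessing run in the access log. The script below is an added example, not part of the original report and not Xitami or ObiWaN code: it parses Common Log Format lines, flags clients with a burst of 401 responses inside a time window, counts attempts with a blank username (assumed here to be logged as "-"), and reports a 200 on a path that follows a run of 401s from the same client, which is what a guessed credential looks like in the log. The log lines, window and thresholds are constructed for the example.

```python
# Added example, not from the original report: detect HTTP auth-guessing
# runs in Common Log Format access logs. SAMPLE_LOG is constructed.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/1999:10:00:01 +0100] "GET /admin/ HTTP/1.0" 401 123
198.51.100.7 - - [12/Mar/1999:10:00:02 +0100] "GET /admin/ HTTP/1.0" 401 123
198.51.100.7 - admin [12/Mar/1999:10:00:03 +0100] "GET /admin/ HTTP/1.0" 401 123
198.51.100.7 - admin [12/Mar/1999:10:00:04 +0100] "GET /admin/ HTTP/1.0" 401 123
198.51.100.7 - admin [12/Mar/1999:10:00:05 +0100] "GET /admin/ HTTP/1.0" 200 4096
203.0.113.5 - bob [12/Mar/1999:10:00:09 +0100] "GET /admin/ HTTP/1.0" 401 123
203.0.113.5 - bob [12/Mar/1999:10:05:10 +0100] "GET /admin/ HTTP/1.0" 200 4096
"""

# client ident authuser [time] "request" status bytes
CLF_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def parse_clf(text):
    """Parse CLF lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        request = m.group(5).split()
        entries.append({
            "client": m.group(1),
            "user": m.group(3),
            "time": datetime.strptime(m.group(4), "%d/%b/%Y:%H:%M:%S %z"),
            "path": request[1] if len(request) > 1 else "",
            "status": int(m.group(6)),
        })
    return entries


def failed_auth_bursts(entries, window_s=60, threshold=3):
    """{client: largest number of 401s inside any window_s seconds} for clients at or over threshold."""
    by_client = defaultdict(list)
    for e in entries:
        if e["status"] == 401:
            by_client[e["client"]].append(e["time"])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


def blank_user_attempts(entries):
    """{client: number of 401s with no username} (blank user assumed to be logged as '-')."""
    counts = defaultdict(int)
    for e in entries:
        if e["status"] == 401 and e["user"] == "-":
            counts[e["client"]] += 1
    return dict(counts)


def success_after_failures(entries, min_failures=3):
    """(client, user, path, failures) for each 200 that follows >= min_failures 401s on the same path."""
    fails = defaultdict(int)
    hits = []
    for e in sorted(entries, key=lambda e: e["time"]):
        key = (e["client"], e["path"])
        if e["status"] == 401:
            fails[key] += 1
        elif e["status"] == 200 and fails[key] >= min_failures:
            hits.append((e["client"], e["user"], e["path"], fails[key]))
            fails[key] = 0
    return hits


if __name__ == "__main__":
    log = parse_clf(SAMPLE_LOG)
    print("401 bursts:", failed_auth_bursts(log))
    print("blank-username attempts:", blank_user_attempts(log))
    print("success after failures:", success_after_failures(log))
```

The window and threshold are tuning knobs: a legitimate user who mistypes a password rarely produces more than a handful of 401s per minute, whereas the runs described in this report produce thousands, so even a coarse threshold separates the two. The last check matters most, because it is the one event the operator must act on.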