Funny and malicious server banners
31st January, 2022
Netcraft’s most recent Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that shows which web server software they use, thus allowing us to determine the market shares of each server vendor since 1995.
Many of these server banners are simply short strings like “Apache”, while others may include additional details that reveal which other software – and which versions – are installed on the server. One such example is “Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.
A web server reveals its server banner via the Server HTTP response header. This string is not ordinarily exposed to users, but most browsers allow it to be viewed in the Network Inspector panel.
Web server software usually allows its server banner to be modified. A common reason for changing the default value is to reduce the amount of information that would be revealed to an attacker.
For example, if a web server advertises itself as running a vulnerable version of Apache, such as “Apache/2.4.49” it could be more likely to come under attack than a server that reveals only “
Our Web Server Survey includes a few websites that return the following Server header, which takes a deliberate swipe at the effectiveness of hiding this sort of information:
Server: REMOVED FOR PCI SCAN COMPLIANCE - SECURITY THROUGH OBSCURITY WORKS, RIGHT? - https://bit.ly/2nzfRrt
Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead, while in others it may simply be done as a joke waiting to be found by anyone curious enough to look for the banner.
Unlikely server banners
Amongst the 1.2 billion websites, there are plenty of examples of unlikely server banners.
There are hundreds of web servers that claim to be running on a Commodore 64, but are more than likely not.
And whilst it is not impossible for a web server to be powered by a potato, one of the most well known examples that hit the news 22 years ago ultimately turned out to be a joke. Today, possibly in homage to this prank, there are several hundred websites that return a “Server: Potato” response header.
Perhaps to avoid any ambiguities with a Debian distribution from the same era named Potato, there are also dozens of websites that claim to be running on “A literal potato with wires sticking out of it”. A couple of servers also claim to be running “GLaDoS PoTaTo”, which is a reference to the potato battery that powers the antagonist in the computer game Portal 2. All of the purportedly potato powered web servers insinuate that there is only one potato involved in the generation of electricity (other examples include “A Single Potato” and “a potato”), with the only exception being a small number of servers that have adopted a higher tech approach with “somme potatoes linked together” [sic].
A handful of sites return the following server header, which includes an inordinate number of software names and versions which are unlikely in practice:
- `360 web server, 792/71644 HTTP Server version 2.0 - TELDAT S.A., A10WS/1.00, ADB Broadband HTTP Server, ADH-Web, AR, ASUSTeK UPnP/1.0 MiniUPnPd/1.4, ATS/5.3.0, Adaptec ASM 1.1, AirTies/ASP 1.0 UPnP/1.0 miniupnpd/1.0, Allegro-Software-RomPager/4.06, AmirHossein Server v1.0, AnWeb/1.42p, Android Webcam Server, AnyStor-E, Apache-Coyote/1.1, Apache/2.2.15 (CentOS), Apache/2.4.29 (Ubuntu), Apache/2.4.6 (Red Hat Enterprise Linux) PHP/7.3.11, Apache/2.4.6 (Red Hat Enterprise Linux) mod_jk/1.2.46 OpenSSL/1.0.2k-fips, App-webs/, ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (220.127.116.11), AvigilonGateway/1.0 Microsoft-HTTPAPI/2.0, Avtech, Baby Web Server, BigIP, BlueIris-HTTP/1.1, Boa/0.93.15, Boa/0.94.13, Boa/0.94.14rc20, Boa/0.94.14rc21, Boa/0.94.7, BolidXMLRPC/1.10 (Windows NT) ORION-BOLID v1.10, BroadWorks, Brovotech/2.0.0, CJServer/1.1, CPWS, CVM, Caddy, Cam, Cambium HTTP Server, Camera Web Server, CentOS WebPanel: Protected by Mod Security, Check Point SVN foundation, Cherokee/1.2.101 (Ubuntu), CherryPy/2.3.0, CherryPy/3.1.0beta3 WSGI Server, CherryPy/8.1.2, CirCarLife Scada v4.2.3, Cirpark Scada v4.5.3-rc1, Cisco AWARE 2.0, Citrix Web PN Server, Commvault WebServer, Control4 Web Server, CouchDB/1.6.1 (Erlang OTP/18), CouchDB/1.6.1 (Erlang OTP/R16B03), CouchDB/2.0.0 (Erlang OTP/17), Cougar/9.01.01.3841, Cougar/9.01.01.5001, Cowboy, Cross Web Server, D-Link Web Server 0.01, DNVRS-Webs, DVR-HttpServer/1.0, DVRDVS-Webs, DWS, DasanNetwork Solution, Debian/4.0 UPnP/1.0 miniupnpd/1.0, Deluxe Beauty Office, Destiny, DpmptspKarawangkab_HTTP_SERVER, E2EE Server 1.0, EBox, EShare Http Server/1.0, Easy-Web Server/1.0, Embedded HTTP Server., Embedded HTTPD v1.00, 1999(c) Delta Networks Inc., Embedthis-Appweb/3.2.3, Embedthis-Appweb/3.3.1, Embedthis-http, Entrust, Ericom Access Server, Ericom Access Server x64, FN-Httpd 1.0 [HTTP/1.1], FUJITSU ServerView iRMC S4 Webserver, FileMakerPro/6.0Fv4 WebCompanion/6.0v3, Flussonic, GSHD/3.0, GeoHttpServer, GeoWebServer 
18.104.22.168, Ginatex-HTTPServer, GlassFish Server Open Source Edition 4.0, GoAhead-Webs, GoAhead-Webs/2.5.0, GoAhead-http, GoTTY, H3C-Miniware-Webs, HFS 2.2f, HFS 2.3 beta, HFS 2.3e, HFS 2.3i, HFS 2.3k, HFS 2.3m, HTTP Server, HTTP Server 1.0, HTTP Software 1.1, HTTPD, HTTPD Web Server, HTTPD-HR Server powered by Apache, HTTPD_gw 1.0, Hikvision-Webs, Hipcam, HostGW.com EnterpriseServer built fo SMKN 1 Kaligondang, Http Server, Httpd, Httpd/1.0, Hydra/0.1.8, IBM_HTTP_Server, IIS, IP Webcam Server, IPC@CHIP, IPCamera-Webs, IPCamera-Webs/2.5.0, IPCamera_Logo, IPOffice/, IceWarp/22.214.171.124 x64, IceWarp/9.4.2, IdeaWebServer/0.83.292, If you want know, you can ask me, Indy/9.0.11, Intoto Http Server v1.0, InvalidPanda/1.0.0, JAWS/1.0, JAWS/1.0 Jan 21 2017, JBoss-EAP/7, JDVR/4.0, JFinal 4.5, JWS, Jetty(6.1.19), KMS_ACCESS, Keil-EWEB/2.1, Kerio MailServer 6.5.2, Kestrel, LINUX-2.6 UPnP/1.0 MiniUPnPd/1.5, LTE Router Webs, Lanswitch - V100R003 HttpServer 1.1, Linux, HTTP/1.1, DIR-860L Ver 1.01, Linux/2.6.18 UPnP/1.0 miniupnpd/1.0, Linux/2.x UPnP/1.0 Avtech/1.0, Linux/3.10.0 eHomeMediaCenter/1.0, Linux/3.10.104 eHomeMediaCenter/1.0, Linux/3.10.33 UPnP/1.0 Teleal-Cling/1.0, Linux/3.14.29 CyberHTTP/1.0, Linux/3.4.39 UPnP/1.0 Cling/2.0, LiteSpeed, Lotus-Domino, MIPS LINUX/2.4 UPnP/1.0 miniupnpd/1.0, MJPG-Streamer/0.2, MS-SDK-HttpServer/1.0, MailEnable-HTTP/5.0, Mars, Mathopd/1.5p6, Mbedthis-AppWeb/2.0.4, Mbedthis-Appweb/12.5.0, Mbedthis-Appweb/2.4.0, Mbedthis-Appweb/2.4.2, Microsoft-HTTPAPI/1.0, Microsoft-HTTPAPI/2.0, Microsoft-IIS/10.0, Microsoft-IIS/5.0, Microsoft-IIS/5.1, Microsoft-IIS/6.0, Microsoft-IIS/7.0, Microsoft-IIS/7.5, Microsoft-IIS/8.0, Microsoft-IIS/8.5, Microsoft-NetCore/2.0, UPnP/1.0 DLNADOC/1.50, Microsoft-WinCE/7.00, Mikrotik HttpProxy, Mini Embedded Web Server, Mini web server 1., Mini web server 1.0 ZTE corp 2005., Mini web server 1.0 ZXIC corp 2005., MiniServ/1.890, MistServer/2.14.2, MochiWeb/1.0 (Any of you quaids got a smint?), 
MonitorServer/0.10.5.363 Python/2.7.5, Monitorix HTTP Server, Monkey, Mono-HTTPAPI/1.0, MoxaHttp/1.0, Mrvl-R1_0, Mrvl-R2_0, NISS, NVR EXT SERVER, NVR Webserver, Net-OS 5.xx UPnP/1.0, NetBox Version 2.8 Build 4128, NetEVI/3.10, Netwave IP Camera, Network Camera with Pan/Tilt, Network_Module/1.0 (WXA-50), Nexus/3.13.0-01 (OSS), Nexus/3.9.0-01 (OSS), Nginx, Nginx Microsoft-HTTPAPI/2.0, Nucleus/4.3 UPnP/1.0 Virata-EmWeb/R6_2_0, OPNsense, OceanView-CDN, Oktell LS, OpenBCM/1.07b3, OpenBSD httpd, Oracle Containers for J2EE, Oracle GlassFish Server 126.96.36.199, Oracle XML DB/Oracle Database, Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server, Oracle-Application-Server-11g, Oracle-HTTP-Server, Oracle-HTTP-Server-11g, Oracle_WebDb_Listener/2.1, PBX/63.0.2 (CentOS64), PRTG/188.8.131.5230, Pan/Tilt, PanWeb Server/ -, Payara Server 5.193 #badassfish, PrHTTPD Ver1.0, Proxy, Python/3.6 aiohttp/2.3.10, Qualvision -HTTPServer, REP Server, RNOAAA018180026 HTTP Server version 2.0 - TELDAT S.A., Rabbit, RapidLogic/1.1, Raption v5.8.0, ReeCam IP Camera, RemotelyAnywhere/9.0.856, Reposify, Resin/2.1.12, Resin/3.0.17, Resin/3.1.8, Rex/12.0.7601.17514, RomPager/4.07 UPnP/1.0, RomPager/4.51 UPnP/1.0, Router, Router Webserver, SAP, SCADA, SQ-WEBCAM, SRS/3.0.45(OuXuli), SY8033, SY8045, Safe3 Web Firewall, Safedog/4.0.0, ScreenConnect/19.4.25542.7213-2135886336 Microsoft-HTTPAPI/2.0, Serv-U/184.108.40.206, Server, ServiceNow, Servlet 2.5; JBoss-5.0/JBossWeb-2.1, Servlet/2.5 JSP/2.1, SimpleHTTP/0.6 Python/2.7.15+, SinforHttpd/1.0, SmartXFilter, SoftManager Application Server, SonicWALL, Spark, Start HTTP-Server/1.1, Sun GlassFish Enterprise Server v2.1.1, Swift1.0, Switch, SyncThru 5, TOPSEC, TP-LINK Router, TWebAP/220.127.116.11, Tas, Techno Vision Security System Ver. 
2.0, Tengine/2.3.2, Thecapital Caphe Websphere 12.3 build 3.456.234.2600, This is webserver, TibetSystem Server 2.0, Tieline, Tntnet/2.1, Topsec, TornadoServer/6.0.2, TurnStat webserver, TwistedWeb/18.9.0, U S Software Web Server, UBNT Streaming Server v1.2, UCS PremieraExternal v18.104.22.168, UMC Webserver/5.0, UPnP/1.0 DLNADOC/1.50 Allwinnertech/0.1.0, UPnP/1.0 DLNADOC/1.50 Platinum/22.214.171.124, Unknown, Unspecified, UPnP/1.0, Unspecified, VAppServer/6.0.0, VB, VB100, VCS-VideoJet-Webserver, VPON Server/1.0, Varnish, Vinahost, Virata-EmWeb/R6_0_1, Virtual Web 0.9, Vivotek Network Camera, WAF, WCY_WEBServer/1.0, WCY_WEBServer/2.0, WDaemon/10.0.0, WDaemon/4.0, WEB SERVER, WMSServer/126.96.36.199, WN/2.4.7, WS CDN Server, WSGIServer/0.2 CPython/3.7.3, WWW Server/1.1, WWW-Kodeks/6.4, Warp/3.2.27, Warp/3.2.28, Waveplus HTTPD, Web Express 0.9, Web Server, Web Switch, Web server, Web-Server/3.0, WebServer, WebServer/1.0 UPnP/1.0, Webs, WebsServer/2.1.8 PeerSec-MatrixSSL/, Werkzeug/0.9.6 Python/2.7.6, WhatsUp, WhatsUp_Gold/8.0, WiJungle, WildDuck API, WildFly/10, WildFly/11, WildFly/8, WildFly/9, WindRiver-WebServer/4.7, WindWeb/1.0, Windows Server 2008 R2, UPnP/1.0 DLNADOC/1.50, Serviio/1.8, Wing FTP Server(Mario Kaserer), Wing FTP Server(MediaSend pty Ltd), Wing FTP Server/3.3.5(), Winstone Servlet Engine v0.9.10, Wisp/188.8.131.52, WowzaStreamingEngine/4.7.1, WowzaStreamingEngine/4.7.7, XDaemon v1.0, XEvil_4.0.0[Beta][V4_0b25], Xavante 2.2.0 embeded, Xitami, Yawcam, YouTrack, YxlinkWAF, ZK Web Server, ZSWS/2.2, ZTE web server 1.0 ZTE corp 2015., Zope/(2.13.15, python 2.7.3, linux2) ZServer/1.1, Zope/(2.13.27, python 2.7.3, linux2) ZServer/1.1, Zscaler/5.7, abcd, access to tenda, alphapd, alphapd/2.1.7, alphapd/2.1.8, antid, axhttpd/1.4.0, axhttpd/1.5.3, beegoServer:1.12.0, bots-webserver, box, build-in http server, calibre 4.0.0, ccapi-dvrs-production, cisco-IOS, cloudflare, cloudflare-nginx, cvmd-1.0.0 (r1), dcs-lig-httpd, 
de475d6363d3b9295c4645cd08294af288c1c0de, eHTTP v2.0, eboo server, embedded http dameon, falcon/2.1, foo, gSOAP/2.7, gen5th/1.33.00, gen5th/1.82.01, go1984, gunicorn/19.3.0, h2o/2.3.0-DEV@6cde7eb3f, http server 1.0, httpd, httpd/1.00, httpd/2.0, httpd_four-faith, httpserver, i-Catcher Console, iSpy, jjhttpd v0.1.0, kangle/184.108.40.206, kong/0.14.0, libwww-perl-daemon/6.01, lighttpd, lighttpd-Intelbras, lighttpd/1.4.28, lighttpd/1.4.35, lighttpd/1.4.43, lighttpd/1.4.54, localhost, lwIP/1.4.0 (http://savannah.nongnu.org/projects/lwip), mORMot (Windows) Microsoft-HTTPAPI/1.0, mORMot (Windows) Microsoft-HTTPAPI/2.0, micro_httpd, minhttpd, mini_httpd/1.19 19dec2003, mini_httpd/1.21 18oct2014, mini_httpd/1.30 26Oct2018, miniupnpd/1.0 UPnP/1.0, mysrv, nPerf/2.2.0 2019-04-02, nextgen_0.2, nginx, nginx/1.8.0, ngjit, nostromo 1.9.4, o2switch PowerBoost, openresty, product only, rchttpd/1.0, rednetcloud, scada, secure, siyou server, sky_router, squid, squid/3.1.18, staging, sthttpd/2.27.0 03oct2014, thttpd, thttpd-alphanetworks/2.23, thttpd/2.25b 29dec2003, thttpd/2.25b-lxc 29dec2003, thttpd/2.27 19Oct2015, tinyproxy/1.10.0, tsbox, uc-httpd 1.0.0, uc-httpd/1.0.0, waitress, web, webcam 7, webcamXP, webserver, webserver/1.0, wfe, wfust, wildix-http-server, wizzardo-http/0.1, yawcam`
This sort of honeypot banner is a red herring for automated attack software that is looking for vulnerable websites to exploit.
We also see server banners being used to ask the most profound questions, such as:
Why do you Care?
Why look here?
Who wants to know that?
What are you looking at?
Do You Come Here often?
Without feeling of respect, what is there to distinguish men from beasts?
What is the air speed velocity of an unladen swallow ?
Other peculiar server banners are used to convey messages or stories. One such example is the website of a self-confessed computer nerd that returns the following lengthy server banner, which regales the story of Darth Plagueis, a fictional character from the Star Wars franchise:
Did you ever hear the tragedy of Darth Plagueis the Wise? I thought not. It's not a story the Jedi would tell you. It's a Sith legend. Darth Plagueis was a Dark Lord of the Sith, so powerful and so wise he could use the Force to influence the midichlorians to create life He had such a knowledge of the dark side that he could even keep the ones he cared about from dying. The dark side of the Force is a pathway to many abilities some consider to be unnatural. He became so powerful the only thing he was afraid of was losing his power, which eventually, of course, he did. Unfortunately, he taught his apprentice everything he knew, then his apprentice killed him in his sleep. Ironic. He could save others from death, but not himself.
Some websites therefore use the server banner to present these messages, as it is an easy-to-configure place to put the message whilst still making it practically invisible to the majority of visitors.
Some examples of server banners being used for recruitment purposes include:
Hey! We are hiring! :) Send your CV to hr@[redacted].com with 'Server' subject
We're Hiring Ninjas
Malicious server banners
Amidst the plentiful examples of jokey server banners, there are some that delve into murkier territories. Numerous websites return specially crafted server banners that attempt to exploit security vulnerabilities in the clients that visit the sites, in back-end systems that subsequently process the strings, or on webpages where the server banner is redisplayed.
Some of these server banners are designed only to detect or demonstrate the presence of vulnerabilities in a benign fashion, whereas some are overtly malicious.
A small number of websites in our latest Web Server Survey attempt to exploit the recent Log4shell vulnerability in Log4j by setting server banners similar to the following:
If one of the LDAP URLs in these server banners receives any requests, the “attacker” will know the site presenting the banner has been visited by a bot or other type of client that ultimately uses a vulnerable version of Log4j to log the string.
While these instances are currently benign and could well be done purely out of curiosity or in a legitimate attempt to claim bug bounties, they are nonetheless capable of detecting vulnerable clients or back-ends and the payloads could be turned malicious at any time.
There are hundreds of websites with server banners that include cross-site scripting (XSS) payloads, some of which are specially crafted in an attempt to bypass filters. Here are several examples:
<script>alert('Im Watching You!')</script>
<img src=http://i.giphy.com/sMjmhaWPuzFHa.gif> <script>alert("XSS")</script>
These server banners are intended to exploit stored XSS vulnerabilities, i.e. where the scripts are stored and subsequently redisplayed on a different website with insufficient encoding to prevent them being executed in a visitor’s web browser. Again, while some of these payloads are clearly benign, those that reference external scripts could be weaponised at any moment by changing the content of the remote script.
Any service that fetches websites and displays the server name on a web page (or in any kind of HTML-based client) without proper encoding would be vulnerable to this type of attack, and the attacker may be able to identify where the script is ultimately executed by visitors via the Referer HTTP request header.
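The encoding failure described above, as an added example (not Netcraft's code): a constructed report page renders Server banners with and without HTML encoding, and a parser-based check confirms which version lets banner markup become live elements. The host names, function names and the 256-character display cap are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed crawl results. The first two banners are quoted on this page;
# the host names are placeholders.
SAMPLE_BANNERS = {
    "site-a.example": "<script>alert('Im Watching You!')</script>",
    "site-b.example": '<img src=http://i.giphy.com/sMjmhaWPuzFHa.gif> '
                      '<script>alert("XSS")</script>',
    "site-c.example": "Apache/2.4.49",
}

MAX_BANNER_LEN = 256                    # assumption: display cap for one banner
ALLOWED_TAGS = {"table", "tr", "td"}    # the only elements the report itself emits


def render_unsafe(banners):
    """VULNERABLE: banner text is concatenated into the markup unencoded."""
    rows = "".join(
        f"<tr><td>{site}</td><td>{banner}</td></tr>"
        for site, banner in banners.items()
    )
    return f"<table>{rows}</table>"


def render_safe(banners):
    """Encode every crawled value at the point where it enters HTML."""
    rows = []
    for site, banner in banners.items():
        # Truncate before encoding so an entity is never cut in half.
        shown = banner[:MAX_BANNER_LEN]
        rows.append(
            f"<tr><td>{html.escape(site)}</td><td>{html.escape(shown)}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


class TagCollector(HTMLParser):
    """Records every element name an HTML parser sees in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def unexpected_tags(page):
    """Return elements in the rendered page that the template did not emit."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags - ALLOWED_TAGS


if __name__ == "__main__":
    print("unsafe:", sorted(unexpected_tags(render_unsafe(SAMPLE_BANNERS))))
    print("safe:  ", sorted(unexpected_tags(render_safe(SAMPLE_BANNERS))))
```

A check like `unexpected_tags` works as a regression test for any page that redisplays crawled header values.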
One of the above payloads executes a remote script hosted at https://1y.lc/m. This script is presumably the work of a bug bounty hunter, as amongst other things it uses the XSS vulnerability to see whether the site has a security policy hosted at /.well-known/security.txt. If present, these policy files typically instruct researchers how to report security bugs and may also indicate whether any monetary rewards are available.
The much larger script at http://xn--rda.pw, which is loaded by the long obfuscated payload, includes a header comment that says “This is a payload to test for Cross-site Scripting (XSS). It is meant to be used by security professionals and bug bounty hunters.” However, there is nothing to prevent it being used for malicious purposes such as taking screenshots of sensitive data and transmitting them to an attacker.
Possibly inspired by a classic xkcd comic, hundreds of websites return server banners similar to the following:
' DROP TABLE server_types; --
'; DROP TABLE servertypes;DROP TABLE scan;DROP TABLE servers;--
ninjas/9042'; DROP TABLE servertypes; --
);DROP TABLE users;--
; DROP TABLE servers; --
'; DROP TABLE servertypes; --
'; DROP TABLE servertypes;-'
Whilst seemingly jokey at first, these payloads are overtly malicious and have a clear intent: to delete data by exploiting an SQL injection vulnerability.
If these sites are visited by a web crawler that logs server banners in a database by executing an unsafely constructed SQL statement, the malicious server banners could result in entire database tables being unexpectedly deleted.
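The crawler scenario above, as an added example that is not from the original article: a constructed SQLite logger records a banner quoted on this page, first by string concatenation and then with bound parameters. The schema, host names and function names are assumptions; `executescript()` stands in for a database driver that accepts stacked statements.

```python
import sqlite3

# Banner quoted on this page; the host names below are constructed.
BANNER = "'; DROP TABLE servertypes; --"


def new_survey_db():
    """Build a small in-memory survey database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE servertypes (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE sites (host TEXT PRIMARY KEY, banner TEXT);
        INSERT INTO servertypes (name) VALUES ('Apache'), ('nginx');
        INSERT INTO sites (host) VALUES ('a.example'), ('b.example');
    """)
    return db


def record_banner_unsafe(db, host, banner):
    """VULNERABLE: the banner becomes part of the SQL text itself."""
    sql = f"UPDATE sites SET banner = '{banner}' WHERE host = '{host}'"
    # sqlite3's execute() refuses a string holding more than one statement;
    # executescript() runs them all, as many other drivers do by default.
    db.executescript(sql)


def record_banner_safe(db, host, banner):
    """Bound parameters: the banner is only ever treated as a value."""
    with db:  # commits on success, rolls back on error
        db.execute("UPDATE sites SET banner = ? WHERE host = ?", (banner, host))


def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stored_banner(db, host):
    row = db.execute("SELECT banner FROM sites WHERE host = ?", (host,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = new_survey_db()
    record_banner_unsafe(db, "a.example", BANNER)
    # The quote closes the literal early, the WHERE clause is commented out,
    # so every row is overwritten and the lookup table is gone.
    print("unsafe: servertypes exists ->", table_exists(db, "servertypes"))
    print("unsafe: b.example banner   ->", repr(stored_banner(db, "b.example")))

    db = new_survey_db()
    record_banner_safe(db, "a.example", BANNER)
    print("safe:   servertypes exists ->", table_exists(db, "servertypes"))
    print("safe:   a.example banner   ->", repr(stored_banner(db, "a.example")))
```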
Dozens of websites include the contents of the EICAR test file in their server banner. This is a benign file that was originally created to test the response of anti-virus software without having to place real malware on a system.
All that is ours is yours!<!-- X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* -->
These are other examples of custom server banners that may have been intended as a joke but that could have harmful consequences, such as causing loss of data or a denial of service. When these server headers are written to a log file or database, there’s a slight possibility that anti-virus software might delete or quarantine the server-side data.
YouTube in iframes
Several sites return the following server banner, which embeds a YouTube video in an iframe. It will attempt to autoplay the video on any webpage that shows this server name without encoding it appropriately.
<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1' frameborder='0' allowfullscreen></iframe>
There are no prizes for guessing what the video is, and while you could argue there is no harmful intent behind tricking other websites into unexpectedly playing excellent 80s pop music videos at their visitors, doing so would indicate the presence of an HTML injection vulnerability. Sites that play the video would likely also be vulnerable to stored cross-site scripting attacks.
More than a hundred server banners contain hyperlinks. As these links would never be displayed in the visitor’s browser, this suggests expectations of them eventually ending up being displayed on other websites that do display the banner.
MEDIA 24 LLC - <a href='http://media24-corp.ru/api/'>media24-corp.ru</a> - API FRONTEND 1.0/1.2.1
Powered By VMPanel ( <a href='http://www.vmpanel.ir'>www.VMPanel.ir</a> ) <br>
Powered by <a href='https://woobsing.com'>Woobsing</a>
ARGO httpd/1.0 <a href='https://argo-content.com'>argo content</a>
<a title="scrapbooking" href="https://kombinujezpapierami.pl/">Scrapbooking</a>
<a title="kolorowanki dla dzieci" href="http://www.kolorowankidladzieci.org/">Kolorowanki dla dzieci</a>
<a title="pan redaktor" href="https://panredaktor.pl/">Pan Redaktor</a>
<a title="pan redaktor" href="http://www.panredaktor.pl/">Pan Redaktor</a>
Apache/2.0.59 (<A HREF=http://www.rackstar.net/>RACKSTAR</A>)
<a title="polskie programy" href="https://www.polskieprogramy.pl/">Polskie programy</a>
<a title="kalendarz" href="http://www.kalendarzonline.pl/">Kalendarz</a>
<a href='https://argo-content.com'><img src='https://argo-content.com/images/argo-logo.jpg'>ARGO httpd/1.0</a>
<a title="vampire diaries" href="http://vampirediaries.pl/">Vampire Diaries</a>
<a title="nauka dla dzieci" href="http://www.naukadladzieci.net/">Nauka dla dzieci</a>
Powered By AsanPanel ( <a href='http://www.asanpanel.ir'>www.AsanPanel.ir</a> ) <br>
This may not seem a particularly sinister practice at first glance, but being able to plant links on multiple vulnerable sites could have useful applications for black hat search engine optimisation.
Additionally, when a link is clicked on by a visitor, the browser may transmit a Referer header that will reveal the location of the page that contains the hyperlink. As the page bearing the hyperlink is demonstrably vulnerable to HTML injection via a server banner, it is likely to also be vulnerable to cross-site scripting which could give an attacker more powerful opportunities to attack the site’s visitors.
Fortunately, the significant majority of server banners are neither malicious nor misleading. Market shares of the major server vendors are published monthly in our Web Server Survey, which has been tracking the growth of the web since 1995.