I was just so amused by the creativity of a system administrator that I had absolutely no choice other than to write about it. Let me set the scene. I was attempting to bring up my banks website, but the site did not load. In an effort to deduce the problem I visited wellsfargo.com (another large financial institution). The homepage of Wells Fargo loaded perfectly, and thus I wasn’t having any obvious problem with my internet connection.

So what did I find so amusing and funny? Well, it turns out that the Server tag returned in the HTTP Header for Wells Fargo is “KONICHIWA/1.0″ At this point, I probably should have enjoyed the laugh instead of investigating further. But I didn’t. First, I went to Netcraft and did a search for wellsfargo.com. Netcraft shows Wells Fargo as using “KONICHIWA/1.0″ at least as far back as 2006. It was now time to set my gut feeling aside that this name was just a cute obfuscation of the real Application Server and confirm that there wasn’t any new product on the market named Konichiwa. So, I did the research and it turns out my instincts were right.

So why am I writing about this, why are you reading this, and what Application Server is Wells Fargo actually using? I will now hopefully answer at least two of those three questions!

There is a long history of security professionals and system administrators attempting to obfuscate what equipment they use [disclaimer: I am a hypocrite and follow these practices]. The rationale for this is simple: If somebody wants to do something malicious to exploit your vulnerabilities it will harder to do so if they think you are using product A instead of product B. This is merely an illusion, but it gives some peace of mind. Solving the mystery wasn’t incredibly difficult thanks to Net-Square Solutions, a security research firm based in India. They have developed a product httprint which uses web server fingerprinting to attempt to identify web servers based on their characteristics instead of the standard HTTP header which as we have seen can easily be obfuscated and renamed to “Konichiwa” which loosely means good day in Japanese.

Enough “Geeking Out”. The output from httprint is below, and Wells Fargo is actually running Netscape Enterprise Server 6.0 which makes much more sense.

httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
httprint@net-square.com
 
Finger Printing on http://www.wellsfargo.com:80/
Host Redirected to https//www.wellsfargo.com:443/
Finger Printing Completed on https://www.wellsfargo.com:443/
--------------------------------------------------
Host: www.wellsfargo.com
Derived Signature:
KONICHIWA/1.0
9E431BC86ED3C295811C9DC5811C9DC5811C9DC594DF1BD04276E4BBC184CB92
7FC8D095AF7A648F2A200B4C811C9DC5811C9DC5811C9DC5811C9DC52655F350
FCCC535B811C9DC5FCCC535B811C9DC568D17AAE2576B7696ED3C2959E431BC8
6ED3C295E2CE6922811C9DC5811C9DC5811C9DC56ED3C2956ED3C295E2CE6923
E2CE6923FCCC535F811C9DC568D17AAEE2CE6920
 
Banner Reported: KONICHIWA/1.0
Banner Deduced: Netscape-Enterprise/6.0

This entry was posted on Saturday, June 28th, 2008 at 3:44 pm and is filed under Application Servers, Security, Web Servers. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.