I was just so amused by the creativity of a system administrator that I had absolutely no choice other than to write about it. Let me set the scene. I was attempting to bring up my banks website, but the site did not load. In an effort to deduce the problem I visited wellsfargo.com (another large financial institution). The homepage of Wells Fargo loaded perfectly, and thus I wasn’t having any obvious problem with my internet connection.
So what did I find so amusing and funny? Well, it turns out that the Server tag returned in the HTTP Header for Wells Fargo is “KONICHIWA/1.0″ At this point, I probably should have enjoyed the laugh instead of investigating further. But I didn’t. First, I went to Netcraft and did a search for wellsfargo.com. Netcraft shows Wells Fargo as using “KONICHIWA/1.0″ at least as far back as 2006. It was now time to set my gut feeling aside that this name was just a cute obfuscation of the real Application Server and confirm that there wasn’t any new product on the market named Konichiwa. So, I did the research and it turns out my instincts were right.
So why am I writing about this, why are you reading this, and what Application Server is Wells Fargo actually using? I will now hopefully answer at least two of those three questions!
There is a long history of security professionals and system administrators attempting to obfuscate what equipment they use [disclaimer: I am a hypocrite and follow these practices]. The rationale for this is simple: If somebody wants to do something malicious to exploit your vulnerabilities it will harder to do so if they think you are using product A instead of product B. This is merely an illusion, but it gives some peace of mind. Solving the mystery wasn’t incredibly difficult thanks to Net-Square Solutions, a security research firm based in India. They have developed a product httprint which uses web server fingerprinting to attempt to identify web servers based on their characteristics instead of the standard HTTP header which as we have seen can easily be obfuscated and renamed to “Konichiwa” which loosely means good day in Japanese.
Enough “Geeking Out”. The output from httprint is below, and Wells Fargo is actually running Netscape Enterprise Server 6.0 which makes much more sense.
httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
Finger Printing on http://www.wellsfargo.com:80/
Host Redirected to https//www.wellsfargo.com:443/
Finger Printing Completed on https://www.wellsfargo.com:443/
Banner Reported: KONICHIWA/1.0
Banner Deduced: Netscape-Enterprise/6.0