---
id: 5a5d9ada-42fc-4706-8cfc-5d59761e2947
---

# Apache Server Info Disclosure Incident
---

The Apache Server Info Disclosure Incident refers to a security vulnerability in Apache servers that enables an attacker to gain access to sensitive system information. This type of incident involves an unauthorized user exploiting a flaw in the Apache server configuration to obtain confidential information such as server version, installed modules, and other system details. Attackers can use this information to launch further attacks on the system, compromise data, or disrupt services. It is important to address this incident type promptly to prevent any potential security breaches.

### Parameters
```shell
export DIRECTORY_="PLACEHOLDER"

export HOSTNAME="PLACEHOLDER"

export IP_ADDRESS="PLACEHOLDER"

export N="PLACEHOLDER"

export PARAMETER="PLACEHOLDER"

export SERVER_IP_ADDRESS="PLACEHOLDER"
```

## Debug

### Check Apache version
```shell
apache2 -v
```

### Check Apache configuration files for sensitive information
```shell
grep -Ri "${DIRECTORY_}" /etc/apache2/
```

### Check Apache access logs for suspicious activity
```shell
tail -n 100 /var/log/apache2/access.log | grep -i "GET /"
```

### Check Apache error logs for any errors or warnings
```shell
tail -n 100 /var/log/apache2/error.log
```

### Check Apache mod_status module for any unusual activity
```shell
curl -s http://${SERVER_IP_ADDRESS}/server-status?auto | awk '/^BusyWorkers/ {print $2}'
```

### Misconfiguration of Apache server settings that allowed unauthorized access to sensitive server information.
```shell


#!/bin/bash



# Check if Apache server is installed

if ! command -v apache2 >/dev/null 2>&1 ; then

  echo "Apache server is not installed on this machine."

  exit 1

fi



# Check Apache server configuration for sensitive information disclosure

if grep -q -i "ServerTokens" /etc/apache2/apache2.conf && grep -q -i "ServerSignature" /etc/apache2/apache2.conf; then

  echo "Apache server is configured to display server version and other sensitive information."

  exit 0

else

  echo "Apache server is not configured to display sensitive information."

  exit 1

fi


```

## Repair

### Update the Apache server software to the latest version to address known vulnerabilities.
```shell


#!/bin/bash



# Update Apache server software

sudo apt-get update

sudo apt-get upgrade apache2


```

### Disable server info disclosure by modifying the Apache configuration file (httpd.conf) to remove the "ServerSignature" and "ServerTokens" directives.
```shell
bash

#!/bin/bash



# backup the original httpd.conf file

sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak



# disable server signature

sudo sed -i 's/ServerSignature On/ServerSignature Off/g' /etc/httpd/conf/httpd.conf



# disable server tokens

sudo sed -i 's/ServerTokens OS/ServerTokens Prod/g' /etc/httpd/conf/httpd.conf



# restart Apache for the changes to take effect

sudo systemctl restart httpd


```

The Apache Server Info Disclosure Incident refers to a security vulnerability in Apache servers that enables an attacker to gain access to sensitive system information. This type of incident involves an unauthorized user exploiting a flaw in the Apache server configuration to obtain confidential information such as server version, installed modules, and other system details. Attackers can use this information to launch further attacks on the system, compromise data, or disrupt services. It is important to address this incident type promptly to prevent any potential security breaches.


This incident type refers to an unauthorized access to directories in Apache HTTPD, which is a widely used web server software. It means that someone was able to access files or directories that they were not supposed to, without having proper authorization. This type of incident can potentially lead to sensitive data being exposed or even stolen, and can compromise the security of the server and the applications running on it.


Unauthorized Directory Access in Apache HTTPD.

The Slowloris Attack is a type of Denial of Service (DoS) attack that exploits a vulnerability in the Apache web server. It works by sending HTTP requests to the server and keeping those connections open for as long as possible, thereby using up all the available resources of the server and rendering it unresponsive to legitimate requests. As a result, the server becomes slow or unresponsive, causing downtime for the affected website or service. This type of attack can be detected and mitigated by implementing specific security measures and tools.


Slowloris Attack Detected on Apache server.

This incident type refers to the detection of SQL injection attempts in Apache web server logs. SQL injection is a type of cyber attack that exploits vulnerabilities in web applications allowing attackers to execute malicious SQL statements. In this incident, attackers are attempting to inject SQL code into the URI (Uniform Resource Identifier) of an Apache web server, potentially compromising the server's security and exposing sensitive information.


Apache SQL Injection Attempts in URI Incident

This incident type refers to a security vulnerability in the SSL/TLS configuration of the Apache HTTP Server, which can leave the server and its users vulnerable to attacks. The SSL/TLS configuration is responsible for encrypting the communication between the server and its clients, and if it is not configured properly, it can be exploited by hackers to intercept or modify sensitive data. This type of incident requires immediate attention from software engineers to ensure that the SSL/TLS configuration is properly configured to prevent any potential security threats.


Inadequate SSL/TLS Configuration for Apache HTTP Server.

This incident type refers to a distributed denial-of-service (DDoS) attack on an Apache HTTP server. In a DDoS attack, a large number of requests are sent to the server, overwhelming its capacity to respond to legitimate requests. This can cause the server to become inaccessible to users and disrupt normal operations. Apache HTTP Server is a popular open-source web server software used by millions of websites, making it a common target for cyber attacks.


DDoS Attack on Apache HTTP Server.

```shell
export DIRECTORY_="PLACEHOLDER"

export HOSTNAME="PLACEHOLDER"

export IP_ADDRESS="PLACEHOLDER"

export N="PLACEHOLDER"

export PARAMETER="PLACEHOLDER"

export SERVER_IP_ADDRESS="PLACEHOLDER"
```


### Check Apache version

```shell
apache2 -v
```

### Check Apache configuration files for sensitive information

```shell
grep -Ri "${DIRECTORY_}" /etc/apache2/
```

### Check Apache access logs for suspicious activity

```shell
tail -n 100 /var/log/apache2/access.log | grep -i "GET /"
```

### Check Apache error logs for any errors or warnings

```shell
tail -n 100 /var/log/apache2/error.log
```

### Check Apache mod\_status module for any unusual activity

```shell
curl -s http://${SERVER_IP_ADDRESS}/server-status?auto | awk '/^BusyWorkers/ {print $2}'
```

### Misconfiguration of Apache server settings that allowed unauthorized access to sensitive server information.

```shell


#!/bin/bash



# Check if Apache server is installed

if ! command -v apache2 >/dev/null 2>&1 ; then

  echo "Apache server is not installed on this machine."

  exit 1

fi



# Check Apache server configuration for sensitive information disclosure

if grep -q -i "ServerTokens" /etc/apache2/apache2.conf && grep -q -i "ServerSignature" /etc/apache2/apache2.conf; then

  echo "Apache server is configured to display server version and other sensitive information."

  exit 0

else

  echo "Apache server is not configured to display sensitive information."

  exit 1

fi


```


### Update the Apache server software to the latest version to address known vulnerabilities.

```shell


#!/bin/bash



# Update Apache server software

sudo apt-get update

sudo apt-get upgrade apache2


```

### Disable server info disclosure by modifying the Apache configuration file (httpd.conf) to remove the "ServerSignature" and "ServerTokens" directives.

```shell
bash

#!/bin/bash



# backup the original httpd.conf file

sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak



# disable server signature

sudo sed -i 's/ServerSignature On/ServerSignature Off/g' /etc/httpd/conf/httpd.conf



# disable server tokens

sudo sed -i 's/ServerTokens OS/ServerTokens Prod/g' /etc/httpd/conf/httpd.conf



# restart Apache for the changes to take effect

sudo systemctl restart httpd


```


Apache Server Info Disclosure Incident

Overview

Parameters

Debug

Check Apache version

Check Apache configuration files for sensitive information

Check Apache access logs for suspicious activity

Check Apache error logs for any errors or warnings

Check Apache mod_status module for any unusual activity

Misconfiguration of Apache server settings that allowed unauthorized access to sensitive server information.

Repair

Update the Apache server software to the latest version to address known vulnerabilities.

Disable server info disclosure by modifying the Apache configuration file (httpd.conf) to remove the "ServerSignature" and "ServerTokens" directives.

Learn more

Related Runbooks

Unauthorized Directory Access in Apache HTTPD.

Slowloris Attack Detected on Apache server.

Apache SQL Injection Attempts in URI Incident

Inadequate SSL/TLS Configuration for Apache HTTP Server.

Support