
I am looking at an old web form located at: http://www.teleservices.lyon.fr/etat-civil/naissance/

Of course, it is obsolete, bogus, without TLS, etc.

But I don’t recognize the web server publishing it. And yet, I came across my fair share of rotten and esoteric software! Google does not immediately find anything relevant.

→ Can you identify this web server, VDL/1.0?

$ curl --head --insecure http://www.teleservices.lyon.fr/etat-civil/naissance/
HTTP/1.1 200 OK
Date: Mon, 07 Nov 2022 14:28:22 GMT
Server: VDL/1.0
Content-Length: 23727
Expires: Tue, 08 Nov 2022 00:54:02 GMT
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: public, must-revalidate
Vary: Accept-Encoding
Connection: close

nmap scan:

# nmap -A -T4 www.teleservices.lyon.fr
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 17:22 CET
Nmap scan report for www.teleservices.lyon.fr (185.235.8.66)
Host is up (0.013s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE    VERSION
53/tcp  open  domain     Cloudflare public DNS
80/tcp  open  http       Citrix NetScaler httpd
|_http-server-header: Apache/2.2.15 (Red Hat)
443/tcp open  ssl/https?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 13 hops
Service Info: Device: load balancer

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   0.34 ms  routeur.localdomain (192.168.1.1)
2   1.08 ms  78.193.87.254
3   1.32 ms  78.255.60.126
4   1.59 ms  sal69-49m-1-v904.intf.nro.proxad.net (78.254.248.41)
5   1.60 ms  gui69-49m-1-v908.intf.nro.proxad.net (78.254.248.134)
6   3.40 ms  lyon-crs8-1-be1503.intf.nro.proxad.net (78.254.248.142)
7   ...
8   16.76 ms marseille-9k-1-be2001.intf.routers.proxad.net (194.149.162.154)
9   ...
10  20.82 ms be5.cr02.mar02.jaguar-network.net (78.153.231.90)
11  21.63 ms he0-0-0-21.cr03.lyo01.jaguar-network.net (78.153.231.89)
12  21.71 ms 185.235.8.250
13  21.58 ms 185.235.8.66

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.85 seconds

1 Answer


My guess would be a custom header designed to hide/replace an actual server signature:

VDL --> Ville de Lyon; the city/municipality of Lyon

diya
  • I agree, it is a possibility. What bugs me is that their practices are not unified on all their web servers, managed by the same team. – Damien Clauzel Nov 07 '22 at 14:50
  • I can still only guess, but the team managing the websites is most likely not responsible for all (legacy) applications that are offered online. Reverse proxying and otherwise integrating backend applications will by default not remove headers set by the back-end, so I can absolutely see one team of developers being cute and setting a custom server header of "VDL" where others don't and, as a result, inconsistencies. I imagine that setting an unknown server signature even avoids "annoying" warnings from vulnerability scanners that rely on the self-proclaimed server string for their analyses. – diya Nov 07 '22 at 15:08
  • Yes, hiding the identity of the web service is like changing its port: it is useless. I will email the IT department when I have the motivation; if only to tell them to switch to HTTPS (GDPR, etc.). Thanks for your insight! – Damien Clauzel Nov 07 '22 at 16:30
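
An added example, not part of the original thread: a small audit for your own hosts that parses captured response heads, groups paths by the self-reported `Server` banner, and flags the mismatch visible above (`VDL/1.0` from curl, `Apache/2.2.15 (Red Hat)` from nmap's `http-server-header`). The response for `/` is constructed around the banner nmap reported, and `KNOWN_PRODUCTS` is an illustrative assumption.

```python
import re
from collections import defaultdict

# Constructed sample: banners are the two seen on the page; the "/" response
# is an assumption built around nmap's http-server-header value.
RAW_RESPONSES = {
    "/etat-civil/naissance/": (
        "HTTP/1.1 200 OK\r\nDate: Mon, 07 Nov 2022 14:28:22 GMT\r\n"
        "Server: VDL/1.0\r\nConnection: close\r\n\r\n"
    ),
    "/": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (Red Hat)\r\n\r\n",
}
# Illustrative list of products a banner-keyed scanner would recognise.
KNOWN_PRODUCTS = {"apache", "nginx", "microsoft-iis"}
VERSION_RE = re.compile(r"^(?P<product>[^/\s]+)/(?P<version>\d[\w.\-]*)")

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def audit_server_banners(responses):
    """Flag differing Server banners, disclosed versions, unknown products."""
    by_banner = defaultdict(list)
    for path, raw in responses.items():
        banner = ", ".join(parse_headers(raw).get("server", [])) or "<absent>"
        by_banner[banner].append(path)
    findings = []
    if len(by_banner) > 1:
        # Same host, different banners: a back-end header is passing through.
        findings.append(("inconsistent-banner", sorted(by_banner)))
    for banner in sorted(by_banner):
        m = VERSION_RE.match(banner)
        if not m:
            continue
        known = m["product"].lower() in KNOWN_PRODUCTS
        kind = "version-disclosed" if known else "unrecognised-product"
        findings.append((kind, m["product"], m["version"], by_banner[banner]))
    return findings

if __name__ == "__main__":
    for finding in audit_server_banners(RAW_RESPONSES):
        print(finding)
```

An `unrecognised-product` finding means a scanner keyed on the banner has nothing to match against, so that path needs fingerprinting by other means.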