Re: More Service Detection Notes

["Brandon Enright" <bmenrigh () ucsd edu>]

Fyodor wrote:
> On Tue, Jul 25, 2006 at 10:19:22PM -0700, doug () hcsw org wrote:
> > Thanks to Google's Summer of Code I was again able to spend the last
> > week integrating your service detection submissions! Thank you to
> > everybody who submitted.
>
> Yay!  To you and the submitters.  The updates will be in the next
> release.
>
> > As usual, I've added a blog entry with an edited selection of my notes:
> >
> > http://www.hcsw.org/blog.pl?a=19&b=19
> >
> > I discuss Skype 2.0, Cisco ACNS, protocols that consider remote
> > source ports, outbound filtered tcp/25, and more.
>
> But the best part is the gallery of bizarre service banners :).
> Watch out for the Browser Sux Error!
>
> BTW, I noticed that the Haxdoor trojan signature mentioned in your
> blog seems to be missing a p// element.  So I added one (after a bit
> of Googling):
>
> -match backdoor m|^A-311 Death welcome\x001\.87| i/**BACKDOOR**/
> o/Windows/
> +match backdoor m|^A-311 Death welcome\x001\.87| p/Haxdoor trojan/
> i/**BACKDOOR**/ o/Windows/
>
> Cheers,
> -F

This pattern looks to be too specific to match all versions of Haxdoor. 
One of our hosts just returned "A-311\x20Death\x20welcome\x001\.88E!".

Perhaps the pattern should be entry should be changed to:

match backdoor m|^A-311 Death welcome\x001| p/Haxdoor trojan/
i/**BACKDOOR**/ o/Windows/

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev