Nmap Development mailing list archives
Re: [Unmask Parasites. Blog.] "Dynamic DNS and Botnet of Zombie Web Servers"
From: Ron <ron () skullsecurity net>
Date: Sun, 13 Sep 2009 16:40:50 -0500
On 09/13/2009 04:12 PM, David Fifield wrote:
> What hosts should we be testing? I don't have a list of possibly infected hostnames. I ran the script against my server and got "appears to be clean" for ports 80 and 443.

I should have been more clear. In my message, I listed an infected server (in the part I forwarded). Assuming it's still infected, when you scan it, it sends you to another, and another, and so on. So using that, it seemed to identify all infected hosts without issue (I went a few deep). I was actually more concerned about false positives than anything else.

I don't think there will be any issues, though. It's a really simple script, and is basically the same as http-enum (except checking for a different HTTP status code). I just don't like to arbitrarily check things in without giving people a chance to say 'no'.

> http-infected is a vague name. What other types of things do you see this script checking for in the future?

I'm hoping to detect any legitimate server that's serving up malware. At the moment it's just the one, but I don't think it's an uncommon situation. I don't mind changing the name if somebody would like to suggest a better one. I'm not sure if the 'botnet' this detects has a specific name yet (though I haven't been following the stories).

> David Fifield
Ron

--
Ron Bowes
http://www.skullsecurity.org/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org