Nmap Development mailing list archives
Re: [Unmask Parasites. Blog.] "Dynamic DNS and Botnet of Zombie Web Servers"
From: David Fifield <david () bamsoftware com>
Date: Sun, 13 Sep 2009 18:36:46 -0600
On Sun, Sep 13, 2009 at 04:40:50PM -0500, Ron wrote:
> On 09/13/2009 04:12 PM, David Fifield wrote:
> > What hosts should we be testing? I don't have a list of possibly
> > infected hostnames. I ran the script against my server and got
> > "appears to be clean" for ports 80 and 443.
>
> I should have been more clear. In my message, I listed an infected
> server (in the part I forwarded). Assuming it's still infected, when you
> scan it, it sends you to another, and another, and so on. So using that,
> it seemed to identify all infected hosts without issue (I went a few
> deep).
>
> I was actually more concerned about false positives than anything else.
> I don't think there will be any issues, though. It's a really simple
> script, and is basically the same as http-enum (except checking for a
> different HTTP status code). I just don't like to arbitrarily check
> things in without giving people a chance to say 'no'.
I understand now. Here is what I got. The first server redirects to the
second, which redirects to a third, which redirects back to the second.

$ ./nmap --script=http-infected -F 174.143.25.37 -v

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-13 18:32 MDT
Host 174-143-25-37.slicehost.net (174.143.25.37) is up (0.10s latency).
Interesting ports on 174-143-25-37.slicehost.net (174.143.25.37):
Not shown: 86 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
|_ http-infected: Server appears to be clean
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
|_ http-infected: Server appears to be clean
465/tcp  open     smtps
993/tcp  open     imaps
995/tcp  open     pop3s
1720/tcp filtered H.323/Q.931
3306/tcp open     mysql
8080/tcp open     http-proxy
|_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://cechl.webhop.info:8080/index.php)

$ ./nmap --script=http-infected -F cechl.webhop.info -v

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-13 18:32 MDT
Interesting ports on 67.223.232.29:
Not shown: 96 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
|_ http-infected: Server appears to be clean
1720/tcp filtered H.323/Q.931
8080/tcp open     http-proxy
|_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://blaauwvogelzang.servemp3.com:8080/index.php)

$ ./nmap --script=http-infected -F blaauwvogelzang.servemp3.com

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-13 18:34 MDT
Warning: File ./nmap-services exists, but Nmap is using /usr/share/nmap/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
NSE: Script Scanning completed.
Interesting ports on forbookings.com (85.17.237.5):
Not shown: 81 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
|_ http-infected: Server appears to be clean
110/tcp  open     pop3
111/tcp  open     rpcbind
113/tcp  open     auth
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
|_ http-infected: Server appears to be clean
445/tcp  filtered microsoft-ds
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
1720/tcp filtered H.323/Q.931
3306/tcp open     mysql
8080/tcp open     http-proxy
|_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://cechl.webhop.info:8080/index.php)

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
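The thread describes the check (probe /ts/in.cgi?open2, treat a redirect to another host as the infection indicator) and the chain David observed (first server to second, second to third, third back to second) but does not include the http-infected script itself. The following is an added Python example, not the NSE script from the thread or any Nmap code: it applies that classification rule to a (status, Location) pair, walks the chain of redirects with loop detection so a cycle like the one above terminates, and parses the `|_ http-infected:` result lines from the scan output. The rule "3xx with a Location on a different host means infected" is an assumption about what the script checks; the hostnames in the simulated servers are the ones from the scan output above, and the responses assigned to them are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Path probed in the scan output quoted in this thread.
PROBE_PATH = "/ts/in.cgi?open2"

# Assumed indicator (not confirmed by the thread): a redirect to a
# different host than the one scanned.
REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify(host, port, status, location):
    """Return ("infected", target_url) or ("clean", None) for one probe.

    A non-redirect answer, a missing Location header, a relative Location
    (no host part) or a redirect back to the same host all count as clean;
    only a redirect that points at another host is reported."""
    if status not in REDIRECT_CODES or not location:
        return ("clean", None)
    target = urlsplit(location)
    if target.hostname is None or target.hostname == host.lower():
        return ("clean", None)
    return ("infected", location)


def follow_chain(start_host, port, fetch, max_hops=10):
    """Follow infected hosts hop by hop, as the thread does by hand.

    `fetch(host, port, path)` returns (status, location_or_None); it is a
    parameter so the walk can run offline against simulated servers.
    Stops on the first clean host, on a host already visited (a loop, as
    in the thread: third server redirects back to the second), or after
    max_hops, and reports which condition ended the walk."""
    visited = []
    host = start_host
    while len(visited) < max_hops:
        if host in visited:
            return {"hosts": visited, "stop": "loop", "loop_to": host}
        visited.append(host)
        status, location = fetch(host, port, PROBE_PATH)
        verdict, target = classify(host, port, status, location)
        if verdict == "clean":
            return {"hosts": visited, "stop": "clean"}
        nxt = urlsplit(target)
        host = nxt.hostname
        port = nxt.port or port
    return {"hosts": visited, "stop": "max_hops"}


# Matches the script's result line as it appears in the scan output above.
INFECTED_RE = re.compile(
    r"http-infected: Server appears to be infected \((\S+) redirects to (\S+)\)"
)


def parse_nmap_line(line):
    """Extract (probe_path, redirect_target) from an http-infected result
    line of nmap output; returns None for clean or unrelated lines."""
    m = INFECTED_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


# Constructed simulation of the three servers from the thread's scans:
# responses are made up for the example, only the names come from the page.
SIMULATED = {
    ("174.143.25.37", 8080): (302, "http://cechl.webhop.info:8080/index.php"),
    ("cechl.webhop.info", 8080): (302, "http://blaauwvogelzang.servemp3.com:8080/index.php"),
    ("blaauwvogelzang.servemp3.com", 8080): (302, "http://cechl.webhop.info:8080/index.php"),
    ("174.143.25.37", 80): (404, None),
}


def simulated_fetch(host, port, path):
    """Stand-in for an HTTP client: look the probe up in SIMULATED."""
    return SIMULATED.get((host, port), (404, None))


if __name__ == "__main__":
    result = follow_chain("174.143.25.37", 8080, simulated_fetch)
    print(result)  # walk ends with stop == "loop" back at cechl.webhop.info
```

Swapping `simulated_fetch` for a real client is the only change needed to run it against live hosts; keeping `max_hops` is what bounds the walk when the chain never reaches a clean host, which the thread's own observation shows can happen.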