Nmap Development mailing list archives
Re: [NSE] Detection of ProFTPD backdoor
From: Kris Katterjohn <katterjohn () gmail com>
Date: Mon, 06 Dec 2010 18:42:47 -0600
On 12/06/2010 06:25 PM, David Fifield wrote:
> On Mon, Dec 06, 2010 at 05:16:06PM -0600, Mak Kolybabi wrote:
>> -- Check version.
>> if not resp:match("ProFTPD 1.3.3c") then
>>     stdnse.print_debug(1, "This version is not known to be backdoored.")
>>     return
>> end
>
> I guess this could also happen in the portrule instead of the action, but that would require version detection to be run every time.

Maybe check it in the portrule if version data is available? I think narrowing it down there if possible is good given that most servers matching the current broad portrule (standard service/port for ftp) won't be this particular backdoored variety. I don't think there's any point in launching a bunch of scripts needlessly, which would be really wasteful for a not-unlikely scan of FTP servers with version detection and NSE running. And if version detection isn't run, then no harm's done. (And the same goes for any other similar scripts which do this)

> David Fifield

Cheers,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
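
The portrule approach suggested in the message above, as an added example (not code from this thread or from the Nmap project): narrow on version data when it is present, and fall back to the broad FTP rule when it is not. It runs in a plain Lua interpreter over constructed port tables shaped like NSE's `port` table; the product string "ProFTPD" and version string "1.3.3c" as reported by version detection are assumptions.

```lua
-- Added example. In an NSE script the function below would be the global
-- `portrule`; here it is local so the file runs in a plain Lua interpreter.

-- Broad rule: the standard FTP port or a service named "ftp".
local function is_ftp(port)
  return port.number == 21 or port.service == "ftp"
end

-- Assumption: version detection reports product "ProFTPD", version "1.3.3c"
-- for the release the quoted action code looks for in the banner.
local function portrule(host, port)
  if not is_ftp(port) then
    return false
  end
  local v = port.version
  -- No version data (version detection not run, or no match): keep the
  -- broad rule and let the banner check in the action decide.
  if not v or not v.product then
    return true
  end
  -- Version data says this is some other FTP server: do not launch.
  if v.product ~= "ProFTPD" then
    return false
  end
  -- Product matched but no version string: still worth running the action.
  if not v.version then
    return true
  end
  return v.version == "1.3.3c"
end

-- Constructed sample port tables (not real scan output).
local samples = {
  { name = "no version data",  port = { number = 21, service = "ftp", version = {} } },
  { name = "other ftp server", port = { number = 21, service = "ftp",
      version = { product = "vsftpd", version = "2.3.2" } } },
  { name = "ProFTPD 1.3.3a",   port = { number = 21, service = "ftp",
      version = { product = "ProFTPD", version = "1.3.3a" } } },
  { name = "ProFTPD 1.3.3c",   port = { number = 2121, service = "ftp",
      version = { product = "ProFTPD", version = "1.3.3c" } } },
  { name = "not ftp",          port = { number = 80, service = "http", version = {} } },
}

for _, s in ipairs(samples) do
  print(string.format("%-18s run script: %s", s.name, tostring(portrule(nil, s.port))))
end
```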