Nmap Development mailing list archives

Re: [NSE] Script to detect vsftpd backdoor


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 5 Jul 2011 06:42:15 -0500

Henri,

Glad I could help. I took most of the code from ftp-proftpd-backdoor.nse, so
perhaps the "author" field should show that author as a contributor. The
source for the backdoored server was readily available online, so the only
tricky part I ran into was finding out that a PASS command was needed to
trigger in most cases. I think the sleep between triggering and checking
could be reduced, but it is definitely necessary, because on my test machine
with no load, the port had not bound before I checked it the first time.
Checking for the shell first may be a good idea: 6200/tcp is not even
included in nmap-services, so the chance of collision is low. This reminds me of
a script idea I had to check for bind shells, meterpreter service, etc. on
ports 4444, 31337, etc.

Dan

On Tue, Jul 5, 2011 at 2:17 AM, Henri Doreau <henri.doreau () greenbone net> wrote:

2011/7/5 Daniel Miller <bonsaiviking () gmail com>:
Hey list,

This was just announced yesterday. References:


http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
http://pastebin.com/AetT9sS5

https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13093

Hope this helps someone! The download was available from ~Feb 15 to ~Jul 3

Dan

Hi Daniel,

This is great! You were faster than the "SoC NSE vulnerability
research team" for this one ;-)

I have committed your script as of r24635 with the following changes:
 - added references in the script description (the diff of the
backdoor is available via the blog post, I haven't included this one)
 - removed a couple of unused variables

The backdoor, when triggered, will bind a shell on port 6200/tcp. I
wonder whether it would make sense to check if the backdoor is already
listening before attempting to exploit the server? This is how the
metasploit module works.

Regards.

--
Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
