From c73dfd173a488cef6c140962047b8c93e985d362 Mon Sep 17 00:00:00 2001
From: fyodor <fyodor@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Thu, 6 Nov 2008 21:58:29 +0000
Subject: [PATCH] o Renamed irc-zombie.nse to auth-spoof and improved its
 description   and output a bit. [Fyodor]

---
 CHANGELOG                                  |  3 +++
 scripts/{irc-zombie.nse => auth-spoof.nse} | 10 ++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)
 rename scripts/{irc-zombie.nse => auth-spoof.nse} (54%)

diff --git a/CHANGELOG b/CHANGELOG
index 4ad185741..0361c4a41 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o Renamed irc-zombie.nse to auth-spoof and improved its description
+  and output a bit. [Fyodor]
+
 o Most script names were changed to make them more consistent.
   [Fyodor, David]
 
diff --git a/scripts/irc-zombie.nse b/scripts/auth-spoof.nse
similarity index 54%
rename from scripts/irc-zombie.nse
rename to scripts/auth-spoof.nse
index 38dcf5e05..92db8fb66 100644
--- a/scripts/irc-zombie.nse
+++ b/scripts/auth-spoof.nse
@@ -1,8 +1,10 @@
 description = [[
-Checks for an IRC zombie.
+Checks for an identd (auth) server which is spoofing its replies.
 
-If port 113 responds before we ask it then something is fishy. Usually this
-means that the host is an IRC zombie.
+Tests whether an identd (auth) server responds with an answer before
+we even send the query.  This sort of identd spoofing can be a sign of
+malware infection though it can also be used for legitimate privacy
+reasons.
 ]]
 
 author = "Diman Todorov <diman.todorov@gmail.com>"
@@ -23,6 +25,6 @@ action = function(host, port)
 		return
 	end
 
-	return owner
+	return "Spoofed reply: " .. owner
 end