diff --git a/CHANGELOG b/CHANGELOG index 8ca08c0ca..424cba220 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -79,6 +79,9 @@ o Changed SSLv2-support.nse so that it only enumerates the list of available ciphers with a verbosity level of at least two or with debugging enabled. [Kris] +o Replaced kibuvDetection.nse with version detection match lines which + work better than the script. [Kris, Brandon] + o Removed mswindowsShell.nse as there is a version detection NULL probe match which accomplishes the same thing. [Brandon, Fyodor, Kris] diff --git a/nmap-service-probes b/nmap-service-probes index 75d3c2f97..77617159f 100644 --- a/nmap-service-probes +++ b/nmap-service-probes @@ -85,6 +85,8 @@ match backdoor m|^\xfa\xcb\xd9\xd9\xdd\xc5\xd8\xce\xd6| p/Theef trojan/ i/**BACK match backdoor m|^220 SSL Connection Established - Loading Protocol\.\.\.\.\r\n| p/dhcpse.exe/ i/**BACKDOOR**/ o/Windows/ match backdoor m|^A-311 Death welcome\x001| p/Haxdoor trojan/ i/**BACKDOOR**/ o/Windows/ match backdoor m|^220 CAFEiNi [-\w_.]+ FTP server\r\n$| p/CAFEiNi trojan/ i/**BACKDOOR**/ o/Windows/ +match backdoor m/^220 (Stny|fuck)Ftpd 0wns j0\r?\n/ p/Kibuv.b worm/ i/**BACKDOOR**/ o/Windows/ +match backdoor m|^220 [Sf.][tu.][nc.][yk.][.F][t.][p.][d.] [0.][w.][n.][s.] [j.][0.]\r?\n|i p/Generic Kibuv worm/ i/**BACKDOOR**/ o/Windows/ match bf2rcon m|^### Battlefield 2 ModManager Rcon v([\d.]+)\.\n### Digest seed: \w+\n\n| p/Battlefield 2 ModManager Remote Console/ v/$1/ 
@@ -482,7 +484,6 @@ match ftp m|^220 HD316\r FTP server\(Version([\d.]+)\) ready\.\r\n| p/Panasonic match ftp m=^220 \w+ IBM Infoprint (Color |)(\d+) FTP Server ([\d.]+) ready\.\r\n= p/IBM Inforprint $1$2 ftpd/ v/$3/ d/printer/ match ftp m|^220 ShareIt FTP Server ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt ftpd/ v/$1/ d/PDA/ match ftp m|^220 ShareIt FTP Pro ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt Pro ftpd/ v/$1/ d/PDA/ -match ftp m|^220 StnyFtpd 0wns j0\n$| p/Unknown ftp backdoor/ match ftp m|^220 ISOS FTP Server for Upgrade Purpose \(([\d.]+)\) ready\r\n| p/Billion 741GE ADSL router/ v/$1/ d/router/ match ftp m|^220 PV11 FTP Server ready\r\n| p/Unknown wireless acces point ftpd/ i/Runs Phar Lap RTOS/ d/router/ match ftp m|^220 Alize Session Manager FTP Server\r\n| p/Alcatel OmniPCX ftpd/ d/PBX/ diff --git a/scripts/kibuvDetection.nse b/scripts/kibuvDetection.nse deleted file mode 100644 index f1e62d552..000000000 --- a/scripts/kibuvDetection.nse +++ /dev/null @@ -1,37 +0,0 @@ -id = "Kibuv worm" - -description = "\ -A fake FTP server was installed by the KIBUV.B worm \ -on this port. This worm uses known security flaws to \ -infect the system. \ -\ -This machine may already be a 'zombi' used by crackers \ -to perform distributed denial of service. \ -\ -http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T" - -author = "Diman Todorov " - -license = "Same as Nmap--See http://nmap.org/book/man-legal.html" - -categories = {"malware"} - -require "shortport" - -portrule = shortport.port_or_service({7955, 14920, 42260}, "ftp") - -action = function(host, port) - local socket = nmap.new_socket() - - socket:connect(host.ip, port.number) - local status, s = socket:receive_lines(1) - - if string.match(s, "220 StnyFtpd 0wns j0") - or - string.match(s, "220 fuckFtpd 0wns j0") - then - return "Suspecting that the host is KIBUV.B infected" - end - - return -end diff --git a/scripts/script.db b/scripts/script.db index c4af4e9bd..a9e615261 100644 
--- a/scripts/script.db +++ b/scripts/script.db @@ -10,7 +10,7 @@ Entry{ category = "version", filename = "PPTPversion.nse" } Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" } Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" } Entry{ category = "discovery", filename = "SMTPcommands.nse" } -Entry{ category = "intrusive", filename = "SMTPcommands.nse" } +Entry{ category = "safe", filename = "SMTPcommands.nse" } Entry{ category = "discovery", filename = "SNMPsysdesr.nse" } Entry{ category = "safe", filename = "SNMPsysdesr.nse" } Entry{ category = "vulnerability", filename = "SQLInject.nse" } @@ -28,7 +28,6 @@ Entry{ category = "intrusive", filename = "ftpbounce.nse" } Entry{ category = "version", filename = "iax2Detect.nse" } Entry{ category = "discovery", filename = "ircServerInfo.nse" } Entry{ category = "malware", filename = "ircZombieTest.nse" } -Entry{ category = "malware", filename = "kibuvDetection.nse" } Entry{ category = "discovery", filename = "nbstat.nse" } Entry{ category = "safe", filename = "nbstat.nse" } Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }
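Review bot: in the nmap-service-probes @@ -85 hunk, the second added line builds a per-position character class from both banner variants (Stny/fuck) and adds `.` as an alternative in every slot, so a banner consisting only of dots in those positions (e.g. `220 ........ .... ..`) would also be reported as a Kibuv backdoor; a short `#` comment above that line explaining which obfuscated banner variant the dot alternatives are meant to catch would let later maintainers judge the false-positive risk. Minor style point: the first added line uses `/` as the regex delimiter while the neighbouring lines use `|`.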
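Review bot: dropping `match ftp m|^220 StnyFtpd 0wns j0\n$| p/Unknown ftp backdoor/` in the @@ -482 hunk changes the service reported for this banner from `ftp` to `backdoor` and, together with the new lines, relaxes the line ending from `\n$` to `\r?\n`; both are sensible, but the CHANGELOG entry only mentions replacing the script, so consider recording the service-name change there as well.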
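Review bot: the deleted scripts/kibuvDetection.nse carried the Trend Micro reference URL for WORM_KIBUV.B and the port list (7955, 14920, 42260) the worm's fake FTP server was seen on; neither survives in the replacement match lines. Suggest preserving the reference as a `#` comment next to the new match lines in nmap-service-probes so the classification stays traceable. No fixes to the script itself are requested since it is being removed (for the record, it never checked `status` from `receive_lines` nor closed the socket, which the version-detection approach avoids).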
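Review bot: the `SMTPcommands.nse` category change from `intrusive` to `safe` in the script.db @@ -10 hunk is unrelated to the Kibuv change and is not mentioned in the CHANGELOG entry, so it belongs in its own commit. Since script.db is normally regenerated from each script's `categories` table, the change also needs to be made in SMTPcommands.nse itself or it will be reverted on the next database update; replacing rather than adding the entry is correct, as `safe` and `intrusive` are mutually exclusive, but the commit should state why the script is now considered safe.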