o Replaced kibuvDetection.nse with version detection match lines which
work better than the script. [Kris, Brandon]
@@ -79,6 +79,9 @@ o Changed SSLv2-support.nse so that it only enumerates the list of
|
|||||||
available ciphers with a verbosity level of at least two or with
|
available ciphers with a verbosity level of at least two or with
|
||||||
debugging enabled. [Kris]
|
debugging enabled. [Kris]
|
||||||
|
|
||||||
|
o Replaced kibuvDetection.nse with version detection match lines which
|
||||||
|
work better than the script. [Kris, Brandon]
|
||||||
|
|
||||||
o Removed mswindowsShell.nse as there is a version detection NULL probe
|
o Removed mswindowsShell.nse as there is a version detection NULL probe
|
||||||
match which accomplishes the same thing. [Brandon, Fyodor, Kris]
|
match which accomplishes the same thing. [Brandon, Fyodor, Kris]
|
||||||
|
|
||||||
|
|||||||
@@ -85,6 +85,8 @@ match backdoor m|^\xfa\xcb\xd9\xd9\xdd\xc5\xd8\xce\xd6| p/Theef trojan/ i/**BACK
|
|||||||
match backdoor m|^220 SSL Connection Established - Loading Protocol\.\.\.\.\r\n| p/dhcpse.exe/ i/**BACKDOOR**/ o/Windows/
|
match backdoor m|^220 SSL Connection Established - Loading Protocol\.\.\.\.\r\n| p/dhcpse.exe/ i/**BACKDOOR**/ o/Windows/
|
||||||
match backdoor m|^A-311 Death welcome\x001| p/Haxdoor trojan/ i/**BACKDOOR**/ o/Windows/
|
match backdoor m|^A-311 Death welcome\x001| p/Haxdoor trojan/ i/**BACKDOOR**/ o/Windows/
|
||||||
match backdoor m|^220 CAFEiNi [-\w_.]+ FTP server\r\n$| p/CAFEiNi trojan/ i/**BACKDOOR**/ o/Windows/
|
match backdoor m|^220 CAFEiNi [-\w_.]+ FTP server\r\n$| p/CAFEiNi trojan/ i/**BACKDOOR**/ o/Windows/
|
||||||
|
match backdoor m/^220 (Stny|fuck)Ftpd 0wns j0\r?\n/ p/Kibuv.b worm/ i/**BACKDOOR**/ o/Windows/
|
||||||
|
match backdoor m|^220 [Sf.][tu.][nc.][yk.][.F][t.][p.][d.] [0.][w.][n.][s.] [j.][0.]\r?\n|i p/Generic Kibuv worm/ i/**BACKDOOR**/ o/Windows/
|
||||||
|
|
||||||
match bf2rcon m|^### Battlefield 2 ModManager Rcon v([\d.]+)\.\n### Digest seed: \w+\n\n| p/Battlefield 2 ModManager Remote Console/ v/$1/
|
match bf2rcon m|^### Battlefield 2 ModManager Rcon v([\d.]+)\.\n### Digest seed: \w+\n\n| p/Battlefield 2 ModManager Remote Console/ v/$1/
|
||||||
|
|
||||||
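Review bot: The "Generic Kibuv worm" line added second in this hunk is deliberately loose — every position is a `[letter.]` class evaluated under the `i` flag, so it also matches a banner like `220 ........ .... ..` — and nothing in the file records why, so a maintainer tightening it later would silently lose the obfuscated-variant coverage. A one-line `#` comment above it would preserve the intent, e.g. `# Kibuv variants appear to replace banner letters with '.'; each class allows the Stny/fuck letter or '.'` (the rationale is inferred from the pattern shape, so confirm it against captured samples). The specific `Kibuv.b worm` line must stay ahead of the generic one, since the generic pattern also matches the unobfuscated banner and the first matching `match` line is the one reported. The visible lines of this hunk account for only six of the eight new-side lines in the `@@ -85,6 +85,8` header, so two context lines appear to be missing from this rendering.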
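--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -482,7 +484,6 @@ match ftp m|^220 HD316\r FTP server\(Version([\d.]+)\) ready\.\r\n| p/Panasonic
 match ftp m=^220 \w+ IBM Infoprint (Color |)(\d+) FTP Server ([\d.]+) ready\.\r\n= p/IBM Inforprint $1$2 ftpd/ v/$3/ d/printer/
 match ftp m|^220 ShareIt FTP Server ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt ftpd/ v/$1/ d/PDA/
 match ftp m|^220 ShareIt FTP Pro ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt Pro ftpd/ v/$1/ d/PDA/
-match ftp m|^220 StnyFtpd 0wns j0\n$| p/Unknown ftp backdoor/
 match ftp m|^220 ISOS FTP Server for Upgrade Purpose \(([\d.]+)\) ready\r\n| p/Billion 741GE ADSL router/ v/$1/ d/router/
 match ftp m|^220 PV11 FTP Server ready\r\n| p/Unknown wireless acces point ftpd/ i/Runs Phar Lap RTOS/ d/router/
 match ftp m|^220 Alize Session Manager FTP Server\r\n| p/Alcatel OmniPCX ftpd/ d/PBX/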
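--- a/kibuvDetection.nse
+++ /dev/null
@@ -1,37 +0,0 @@
-id = "Kibuv worm"
-
-description = "\
-A fake FTP server was installed by the KIBUV.B worm \
-on this port. This worm uses known security flaws to \
-infect the system. \
-\
-This machine may already be a 'zombi' used by crackers \
-to perform distributed denial of service. \
-\
-http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T"
-
-author = "Diman Todorov <diman.todorov@gmail.com>"
-
-license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-
-categories = {"malware"}
-
-require "shortport"
-
-portrule = shortport.port_or_service({7955, 14920, 42260}, "ftp")
-
-action = function(host, port)
-local socket = nmap.new_socket()
-
-socket:connect(host.ip, port.number)
-local status, s = socket:receive_lines(1)
-
-if string.match(s, "220 StnyFtpd 0wns j0")
-or
-string.match(s, "220 fuckFtpd 0wns j0")
-then
-return "Suspecting that the host is KIBUV.B infected"
-end
-
-return
-end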
@@ -10,7 +10,7 @@ Entry{ category = "version", filename = "PPTPversion.nse" }
|
|||||||
Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
|
Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
|
||||||
Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
|
Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
|
||||||
Entry{ category = "discovery", filename = "SMTPcommands.nse" }
|
Entry{ category = "discovery", filename = "SMTPcommands.nse" }
|
||||||
Entry{ category = "intrusive", filename = "SMTPcommands.nse" }
|
Entry{ category = "safe", filename = "SMTPcommands.nse" }
|
||||||
Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
|
Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
|
||||||
Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
|
Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
|
||||||
Entry{ category = "vulnerability", filename = "SQLInject.nse" }
|
Entry{ category = "vulnerability", filename = "SQLInject.nse" }
|
||||||
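--- a/script.db
+++ b/script.db
@@ -28,7 +28,6 @@ Entry{ category = "intrusive", filename = "ftpbounce.nse" }
 Entry{ category = "version", filename = "iax2Detect.nse" }
 Entry{ category = "discovery", filename = "ircServerInfo.nse" }
 Entry{ category = "malware", filename = "ircZombieTest.nse" }
-Entry{ category = "malware", filename = "kibuvDetection.nse" }
 Entry{ category = "discovery", filename = "nbstat.nse" }
 Entry{ category = "safe", filename = "nbstat.nse" }
 Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }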