o Replaced kibuvDetection.nse with version detection match lines which

work better than the script. [Kris, Brandon]
2025-12-09 22:21:29 +00:00 · 2008-05-25 23:30:21 +00:00
parent 71a29d4e2d
commit ee876ada98
4 changed files with 6 additions and 40 deletions
--- a/3
+++ b/3
@@ -79,6 +79,9 @@ o Changed SSLv2-support.nse so that it only enumerates the list of
  available ciphers with a verbosity level of at least two or with
  debugging enabled. [Kris]

+o Replaced kibuvDetection.nse with version detection match lines which
+  work better than the script. [Kris, Brandon]
+
 o Removed mswindowsShell.nse as there is a version detection NULL probe
  match which accomplishes the same thing. [Brandon, Fyodor, Kris]

--- a/3
+++ b/3
@@ -85,6 +85,8 @@ match backdoor m|^\xfa\xcb\xd9\xd9\xdd\xc5\xd8\xce\xd6| p/Theef trojan/ i/**BACK
 match backdoor m|^220 SSL Connection Established - Loading Protocol\.\.\.\.\r\n| p/dhcpse.exe/ i/**BACKDOOR**/ o/Windows/
 match backdoor m|^A-311 Death welcome\x001| p/Haxdoor trojan/ i/**BACKDOOR**/ o/Windows/
 match backdoor m|^220 CAFEiNi [-\w_.]+ FTP server\r\n$| p/CAFEiNi trojan/ i/**BACKDOOR**/ o/Windows/
+match backdoor m/^220 (Stny|fuck)Ftpd 0wns j0\r?\n/ p/Kibuv.b worm/ i/**BACKDOOR**/ o/Windows/
+match backdoor m|^220 [Sf.][tu.][nc.][yk.][.F][t.][p.][d.] [0.][w.][n.][s.] [j.][0.]\r?\n|i p/Generic Kibuv worm/ i/**BACKDOOR**/ o/Windows/

 match bf2rcon m|^### Battlefield 2 ModManager Rcon v([\d.]+)\.\n### Digest seed: \w+\n\n| p/Battlefield 2 ModManager Remote Console/ v/$1/

@@ -482,7 +484,6 @@ match ftp m|^220 HD316\r FTP server\(Version([\d.]+)\) ready\.\r\n| p/Panasonic
 match ftp m=^220 \w+ IBM Infoprint (Color |)(\d+) FTP Server ([\d.]+) ready\.\r\n= p/IBM Inforprint $1$2 ftpd/ v/$3/ d/printer/
 match ftp m|^220 ShareIt FTP Server ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt ftpd/ v/$1/ d/PDA/
 match ftp m|^220 ShareIt FTP Pro ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt Pro ftpd/ v/$1/ d/PDA/
-match ftp m|^220 StnyFtpd 0wns j0\n$| p/Unknown ftp backdoor/
 match ftp m|^220 ISOS FTP Server for Upgrade Purpose \(([\d.]+)\) ready\r\n| p/Billion 741GE ADSL router/ v/$1/ d/router/
 match ftp m|^220 PV11 FTP Server ready\r\n| p/Unknown wireless acces point ftpd/ i/Runs Phar Lap RTOS/ d/router/
 match ftp m|^220 Alize Session Manager FTP Server\r\n| p/Alcatel OmniPCX ftpd/ d/PBX/
--- a/scripts/kibuvDetection.nse
+++ b/scripts/kibuvDetection.nse
@@ -1,37 +0,0 @@
-id = "Kibuv worm"
-
-description = "\
-A fake FTP server was installed by the KIBUV.B worm \
-on this port. This worm uses known security flaws to \
-infect the system. \
-\
-This machine may already be a 'zombi' used by crackers  \
-to perform distributed denial of service. \
-\
-http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T"
-
-author = "Diman Todorov <diman.todorov@gmail.com>"
-
-license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-
-categories = {"malware"}
-
-require "shortport"
-
-portrule = shortport.port_or_service({7955, 14920, 42260}, "ftp")
-
-action = function(host, port)
-	local socket = nmap.new_socket()
-
-	socket:connect(host.ip, port.number)
-	local status, s = socket:receive_lines(1)
-
-	if	string.match(s, "220 StnyFtpd 0wns j0")
-		or
-		string.match(s, "220 fuckFtpd 0wns j0")
-	then 
-		return "Suspecting that the host is KIBUV.B infected"
-	end
-
-	return 
-end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -10,7 +10,7 @@ Entry{ category = "version", filename = "PPTPversion.nse" }
 Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
 Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
 Entry{ category = "discovery", filename = "SMTPcommands.nse" }
-Entry{ category = "intrusive", filename = "SMTPcommands.nse" }
+Entry{ category = "safe", filename = "SMTPcommands.nse" }
 Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
 Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
 Entry{ category = "vulnerability", filename = "SQLInject.nse" }
@@ -28,7 +28,6 @@ Entry{ category = "intrusive", filename = "ftpbounce.nse" }
 Entry{ category = "version", filename = "iax2Detect.nse" }
 Entry{ category = "discovery", filename = "ircServerInfo.nse" }
 Entry{ category = "malware", filename = "ircZombieTest.nse" }
-Entry{ category = "malware", filename = "kibuvDetection.nse" }
 Entry{ category = "discovery", filename = "nbstat.nse" }
 Entry{ category = "safe", filename = "nbstat.nse" }
 Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }