assigned to this backdoor.
Added a final 'exit' command to terminate the remote '/bin/sh'; however, I don't
think that this is necessary since the backdoor was very simple: it did not
fork(), and closing the stdin of the '/bin/sh' will terminate it.
description = [[
http-google-malware checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.
To do this the script queries Google's Safe Browsing Lookup service. You need your own API key to access it; sign up for one at http://code.google.com/apis/safebrowsing/key_signup.html
* To learn more about Google's Safe Browsing:
http://code.google.com/apis/safebrowsing/
* To register and get your personal API key:
http://code.google.com/apis/safebrowsing/key_signup.html
]]
---
-- @usage
-- nmap -p80 --script http-google-malware <host>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- |_http-google-malware.nse: Host is known for distributing malware.
--
-- @args http-google-malware.url URL to check. Default: <code>http/https</code>://<code>host</code>
-- @args http-google-malware.api API key for Google's Safe Browsing Lookup service
---
Changed getCredentials to allow a bitmask filter
Changed getCredentials to return an iterator instead of a table
Modified the brute library to support the changes
[Patrik]
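As an added illustration of the getCredentials change described above (this is not the brute library's own code): a closure-based iterator over stored credentials that takes a bitmask filter. The flag values, the credential table and the "any bit in common" matching rule are assumptions made for the example; the real library's flags and semantics may differ. A portable arithmetic AND is used so the snippet runs on Lua 5.1 as well as 5.3.

```lua
-- Assumed state flags; real brute-library flag values are not shown on the page.
local State = { VALID = 1, LOCKED = 2, DISABLED = 4 }

-- Constructed credential store for the example.
local creds = {
  { user = "admin", pass = "admin", state = State.VALID },
  { user = "guest", pass = "guest", state = State.LOCKED },
  { user = "root",  pass = "toor",  state = State.VALID + State.DISABLED },
  { user = "ops",   pass = "ops123", state = State.VALID },
}

-- Bitwise AND on non-negative integers without the 5.3 '&' operator.
local function band(a, b)
  local r, bit = 0, 1
  while a > 0 and b > 0 do
    if a % 2 == 1 and b % 2 == 1 then r = r + bit end
    a, b, bit = math.floor(a / 2), math.floor(b / 2), bit * 2
  end
  return r
end

-- getCredentials(mask): returns an iterator that yields one (user, pass, state)
-- triple per call, skipping entries whose state shares no bit with mask.
-- mask == nil disables filtering. Returning an iterator instead of a table
-- means the caller can stop early (e.g. on the first valid login) without
-- the whole filtered list having been built first.
local function getCredentials(mask)
  local i = 0
  return function()
    while true do
      i = i + 1
      local c = creds[i]
      if not c then return nil end             -- end of iteration
      if not mask or band(c.state, mask) ~= 0 then
        return c.user, c.pass, c.state
      end
    end
  end
end

-- Only VALID entries are yielded: admin, root (VALID|DISABLED), ops.
for user, pass in getCredentials(State.VALID) do
  print(user, pass)
end
```

Note that the filter is an "any matching bit" test; a caller that wants entries that are VALID but not DISABLED would need a second mask for bits that must be clear, which is a separate design choice not shown in the changelog.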
Accomplishments:
* Added 117 new signatures to http-enum for a new total of 223! These new signatures are all from vulnerable web applications taken from exploit-db.com's archives from July 1 2009 until May 30 2011. I only checked advisories with more than 300 views to focus on the most popular apps and also did a quick Google search to make sure there are enough installations out there.
* Researched malware detection methods in HTTP servers.
* Submitted http-default-accounts.nse to nmap-dev
* Fixed a bug in http.lua. The argument 'http.pipeline' was not being read correctly.
* Submitted http-unsafe-host.nse to nmap-dev
* Added more signatures to http-default-accounts
* Submitted http-wp-enum to nmap-dev
Priorities:
* Work on more NSE scripts
* Polish documentation in all my scripts
* Add more signatures to http-default-accounts
It works similarly to http-enum: we detect applications by matching known paths and, when one is found, launch a login routine using default credentials.
This script depends on a fingerprint file containing the target's information: name, category, location paths, default credentials and login routine.
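The match-then-login flow just described, as an added, self-contained sketch (this is example code, not the http-default-accounts script or its fingerprint file). The fingerprint layout (name, category, paths, a target check, login combos and a login routine), the http_get stand-in and the in-memory target are assumptions constructed so the snippet runs offline with plain Lua; the real script uses Nmap's http library and its own fingerprint format.

```lua
-- Constructed in-memory target: path -> response, plus the one credential
-- pair its admin page accepts. No real product is being fingerprinted here.
local fake_server = {
  responses = {
    ["/admin/"] = { status = 401, body = "Constructed Admin Console" },
    ["/"]       = { status = 200, body = "It works!" },
  },
  accepted = { user = "admin", pass = "admin" },
}

-- Stand-in for an HTTP GET with optional basic-auth style credentials.
-- Unknown paths come back as 404 so target_check can reject them.
local function http_get(server, path, auth)
  local r = server.responses[path]
  if not r then return { status = 404, body = "" } end
  if r.status == 401 and auth
     and auth.user == server.accepted.user
     and auth.pass == server.accepted.pass then
    return { status = 200, body = r.body }
  end
  return r
end

-- Assumed fingerprint layout, mirroring the fields listed in the text:
-- name, category, location paths, default credentials and a login routine.
local fingerprints = {
  {
    name = "Constructed admin console",
    category = "web",
    paths = { "/admin/" },
    -- Confirms the path really belongs to this app before credentials are sent.
    target_check = function(resp)
      return resp.status == 401
         and resp.body:find("Admin Console", 1, true) ~= nil
    end,
    login_combos = {
      { user = "root",  pass = "root" },
      { user = "admin", pass = "admin" },
    },
    -- Reports whether one default pair was accepted.
    login_check = function(server, path, combo)
      return http_get(server, path, combo).status == 200
    end,
  },
}

-- Detection loop: probe each fingerprint's paths; on a match, try each
-- default credential pair and record the ones that work.
local function scan(server)
  local findings = {}
  for _, fp in ipairs(fingerprints) do
    for _, path in ipairs(fp.paths) do
      if fp.target_check(http_get(server, path)) then
        for _, combo in ipairs(fp.login_combos) do
          if fp.login_check(server, path, combo) then
            findings[#findings + 1] = string.format("%s [%s] at %s: %s/%s",
              fp.name, fp.category, path, combo.user, combo.pass)
          end
        end
      end
    end
  end
  return findings
end

-- Prints: Constructed admin console [web] at /admin/: admin/admin
for _, line in ipairs(scan(fake_server)) do print(line) end
```

The target_check step is what keeps the script from spraying default credentials at every host that happens to return 401 on a path; only pages whose body matches the expected application get a login attempt.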