File `http-malware-host`

脚本使用类型: portrule
脚本所属分类: malware, safe
脚本下载地址: http://nmap.org/svn/scripts/http-malware-host.nse

User Summary

Looks for signature of known server compromises.

Currently, the only signature it looks for is the one discussed here: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/. This is done by requesting the page /ts/in.cgi?open2 and looking for an errant 302 (it attempts to detect servers that always return 302). Thanks to Denis from the above link for finding this technique!

Script Arguments

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

Example Usage

执行格式

nmap -sV --script=http-malware-host <target>

Script Output

Interesting ports on www.sopharma.bg (84.242.167.49):
PORT     STATE SERVICE    REASON
80/tcp   open  http       syn-ack
|_ http-malware-host: Host appears to be clean
8080/tcp open  http-proxy syn-ack
|  http-malware-host: 
|  |  Host appears to be infected (/ts/in.cgi?open2 redirects to http://last-another-life.ru:8080/index.php)
|_ |_ See: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

Requires

Author: Ron Bowes

License: VER007 整理 http://www.ver007.com

File http-malware-host