http-malware-host
Script type:
portrule
Categories:
malware, safe
Script download: http://nmap.org/svn/scripts/http-malware-host.nse
Looks for signatures of known server compromises.
Currently, the only signature it looks for is the one discussed here:
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/.
This is done by requesting the page /ts/in.cgi?open2 and looking for an
errant 302 (it attempts to detect servers that always return 302).
Thanks to Denis from the above link for finding this technique!
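The check described above, as an added example in Python (not the NSE script's own Lua code). Using a random baseline path to spot servers that always return 302 is an assumption made here, and the function names, verdict strings and sample responses are constructed for illustration.

```python
import http.client
import secrets

SIGNATURE_PATH = "/ts/in.cgi?open2"  # path named on this page


def fetch(host, port, path, timeout=10):
    """GET path without following redirects; return (status, Location or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_host(host, port, fetch=fetch):
    """Return (verdict, detail); verdict is 'clean', 'infected' or 'unknown'."""
    # Baseline: a random path that cannot exist. A 302 here means the server
    # redirects everything, so a 302 on the signature path proves nothing.
    baseline_status, _ = fetch(host, port, "/" + secrets.token_hex(16))
    if baseline_status == 302:
        return "unknown", "unknown pages return 302; unable to check"

    status, location = fetch(host, port, SIGNATURE_PATH)
    if status == 302:
        target = location or "(no Location header)"
        return "infected", f"{SIGNATURE_PATH} redirects to {target}"
    return "clean", f"{SIGNATURE_PATH} returned {status}"


# Constructed responses standing in for three kinds of server (not real hosts).
def _fake(table, default):
    return lambda host, port, path: table.get(path, default)


CLEAN = _fake({}, (404, None))
ALWAYS_302 = _fake({}, (302, "http://example.test/login"))
INFECTED = _fake(
    {SIGNATURE_PATH: (302, "http://redirect.example.test:8080/index.php")},
    (404, None),
)

if __name__ == "__main__":
    for name, f in [("clean", CLEAN), ("always-302", ALWAYS_302), ("infected", INFECTED)]:
        print(name, check_host("web.example.test", 80, fetch=f))
```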
Usage
nmap -sV --script=http-malware-host <target>
Interesting ports on www.sopharma.bg (84.242.167.49):
PORT     STATE SERVICE    REASON
80/tcp   open  http       syn-ack
|_ http-malware-host: Host appears to be clean
8080/tcp open  http-proxy syn-ack
| http-malware-host:
| |  Host appears to be infected (/ts/in.cgi?open2 redirects to http://last-another-life.ru:8080/index.php)
|_ |_ See: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/
Author: Ron Bowes
License: Compiled by VER007 http://www.ver007.com