Re: plugin that will detect servers infected w/ Nimda worm

From: Renaud Deraison (deraisonat_private)
Date: Wed Sep 19 2001 - 02:26:15 PDT


    On Tue, Sep 18, 2001 at 06:24:18PM -0400, Alan Pitts wrote:
    > 
    > Hi,
    > 
    > Attached is a .nasl plugin that will check to see if the server has
    > been infected by the Nimda Worm.
    > 
    > This plugin will check the index page for readme.eml.
    > 
    > Please comment... I would like ideas on how to improve it.
    
    Hi,
    
    Matt Moore sent me the same plugins a few minutes before you :(
    
    I think that next time I'll give precedence to plugins sent to me via
    the mailing list rather than sent to me directly. 
    
    Anyway, let's comment on the coding style (which is the purpose of this
    mailing list after all).
    
    
    > port = get_kb_item("Services/www");
    > if(!port) port = 80;
    > 
    > if ( get_port_state(port) ) {
    >   soc = open_sock_tcp(port);
    
    If you were a purist (something I'm not), you'd use http_open_socket().
    Today, http_open_socket() is exactly the same as open_sock_tcp(), but in
    the future it /might/ open a socket to your selected proxy.
    (I don't use it myself, not really knowing whether I'll add proxy
    support in Nessus. But if you really want to think ahead, this is the
    way to go).
    
    >   if (soc) {
    >     
    >     data = string("GET / HTTP/1.0\r\n\r\n");
    
    You should prefer http_get(), as it forges a full HTTP/1.1 or 1.0
    request. The syntax would be:
    
    	data = http_get(item:"/", port:port);
    
    (the argument "port" is needed so that NASL can then look in the KB if
    the remote server running on that port supports HTTP/1.0 or /1.1).
    
    Which makes me think: maybe doing your request is the way to go, as
    it'd return the remote web root (not the root of a virtual server).
    
    Which file is modified when the worm hits? The web root or the root of
    the current virtual server?
    
    
    Thanks,
    
    				-- Renaud
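The same readme.eml check rewritten with the http_* helpers Renaud recommends, as an added example (it is not the plugin Alan or Matt submitted, nor Nessus project code). It assumes Nessus 1.x-era NASL with http_func.inc available; the script_id value is a placeholder, not a registered plugin id.

```nasl
# Added example: Nimda index-page check using http_open_socket()/http_get()
# instead of open_sock_tcp() and a hand-built "GET / HTTP/1.0" request.
# Assumes http_func.inc from a Nessus 1.x-era install; script_id is a placeholder.

if(description)
{
  script_id(99999);                       # PLACEHOLDER id, not an assigned one
  script_name(english:"Nimda worm infection (readme.eml in index page)");
  script_description(english:"
The index page of the remote web server refers to readme.eml,
which the Nimda worm appends to web pages on the hosts it infects.

Solution : disconnect the host, clean it and reinstall from trusted media.
Risk factor : High");
  script_summary(english:"Checks the index page for readme.eml");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Backdoors");
  script_copyright(english:"Example code");
  script_dependencie("find_service.nes");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");

port = get_kb_item("Services/www");
if(!port) port = 80;
if(!get_port_state(port)) exit(0);

# http_open_socket() behaves like open_sock_tcp() today, but is the call
# that would become proxy-aware if Nessus ever grows proxy support.
soc = http_open_socket(port);
if(!soc) exit(0);

# http_get() forges a full HTTP/1.0 or HTTP/1.1 request for "/"; the port
# argument lets it look up in the KB which version this server speaks.
req = http_get(item:"/", port:port);
send(socket:soc, data:req);
r = recv(socket:soc, length:8192);
close(soc);

# Nimda appends a script tag that opens readme.eml; a reference to that
# file in the index page is the infection indicator this plugin reports.
# The pattern is case-sensitive, which matches the string the worm writes.
if(egrep(pattern:"readme\.eml", string:r)) security_hole(port);
```

Note that, as Renaud points out, http_get() may address the virtual server rather than the raw web root, so a negative result on one virtual host does not clear the machine.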
    



    This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 02:25:42 PDT