This is an alternative way to detect nimda-infected boxen. What do you think of it / who can try it ? ----- Forwarded message from Gareth Bromley <gbbromleyat_private> ----- > Delivered-To: renaudat_private > Delivered-To: renaudat_private > X-Originating-IP: [62.189.94.193] > From: "Gareth Bromley" <gbbromleyat_private> > To: deraisonat_private > Subject: Another Nimda scanner > Date: Fri, 21 Sep 2001 13:21:30 +0100 > X-OriginalArrivalTime: 21 Sep 2001 12:21:31.0012 (UTC) FILETIME=[F1F7AC40:01C14297] > > As subject: > > This is my first Nessus script ;) > > It checks remote hosts for a TFTP server that allow Admin.dll to be > downloaded, thus allowing detection for email or file share infected hosts > as well as IIS exploited systems. > > I haven't had chance to fully test it, as I'm on client site :( > > Cheers, > > --Gareth Bromley <gbromleyat_private> > > _________________________________________________________________ > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp > # > # Created by Gareth Bromley <gbromleyat_private>, 20th September 2001 > # > # See the Nessus Scripts License for details > # > > if(description) > { > script_id(10767); > name["english"] = "Tests for Nimda Worm infected scanning hosts"; > script_name(english:name["english"]); > > desc["english"] = "Your server appears to have been compromised by the > Nimda worm.It uses various known Microsoft vulnerabilities to > compromise the server via IIS exploits, Email attachment exploits, IE > exploits. > > Solution: Take this server offline immediately and rebuild it. > > Risk Factor: High"; > > script_description(english:desc["english"]); > > summary["english"] = "Tests for Nimda Worm scanning hosts"; > > script_summary(english:summary["english"]); > > script_category(ACT_GATHER_INFO); > > script_copyright(english:"This script is Copyright (C) 2001 Gareth > Bromley"); > family["english"] = "CGI abuses"; > script_family(english:family["english"]); > script_dependencie("find_service.nes"); > script_require_ports("Services/tftp", 69); > exit(0); > } > > # Check for ability to get admin.dll from a remote tftp server. > port = get_kb_item("Services/tftp"); > if(!port) > { > port = 69; > } > if(get_port_state(port)) > { > soc = open_socket_udp(port); > if(soc) > { > # TFTP get request for Admin.dll in binary > # 00 01 = RRQ Get request > # 41 64 6D 69 6E 2E 64 6C 00 = Admin.dll\0 > # 6F 63 74 65 74 00 = octet\0 > rawdata = raw_string{0x00, 0x01, 0x41, 0x64, 0x6D, 0x69, 0x6E, 0x2E, 0x64, > 0x6C, 0x6C, 0x00, 0x6F, 0x63, 0x74, 0x65, 0x74, > 0x00}; > send(socket:soc, data:rawdata); > # We should not get icmp port-unreachable if a TFTP server like process > exists > # Recv up to 100Kb. Nimda is about 52Kb in size > data = recv(socket:soc, length:102400); > if(data) > { > # Data was returned!! > security_note(port:port, data:string("Nimda worm maybe present!"); > } > close(soc); > } > > ----- End forwarded message ----- -- Renaud Deraison The Nessus Project http://www.nessus.org
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 10:17:57 PDT