seems good (but not tested by me) ... but i think we should test in multiple ways for the worm. e.g. udp/tcp 69 could be filtered by a packet filter - but readme.eml would be still on the www server / it still can spread via email / etc.

smb guest login is already checked, right?

regards, felix huber

----- Original Message -----
From: "Renaud Deraison" <deraisonat_private>
To: <plugins-writersat_private>
Sent: Friday, September 21, 2001 7:20 PM
Subject: [Fwd: Another Nimda scanner]

> This is an alternative way to detect nimda-infected boxen. What do you
> think of it / who can try it ?
>
> ----- Forwarded message from Gareth Bromley <gbbromleyat_private> -----
>
> > Delivered-To: renaudat_private
> > Delivered-To: renaudat_private
> > X-Originating-IP: [62.189.94.193]
> > From: "Gareth Bromley" <gbbromleyat_private>
> > To: deraisonat_private
> > Subject: Another Nimda scanner
> > Date: Fri, 21 Sep 2001 13:21:30 +0100
> > X-OriginalArrivalTime: 21 Sep 2001 12:21:31.0012 (UTC) FILETIME=[F1F7AC40:01C14297]
> >
> > As subject:
> >
> > This is my first Nessus script ;)
> >
> > It checks remote hosts for a TFTP server that allows Admin.dll to be
> > downloaded, thus allowing detection for email or file share infected hosts
> > as well as IIS exploited systems.
> >
> > I haven't had chance to fully test it, as I'm on client site :(
> >
> > Cheers,
> >
> > --Gareth Bromley <gbromleyat_private>
> >
> > #
> > # Created by Gareth Bromley <gbbromleyat_private>, 20th September 2001
> > #
> > # See the Nessus Scripts License for details
> > #
> >
> > if(description)
> > {
> >  script_id(10767);
> >  name["english"] = "Tests for Nimda Worm infected scanning hosts";
> >  script_name(english:name["english"]);
> >
> >  desc["english"] = "Your server appears to have been compromised by the
> > Nimda worm. It uses various known Microsoft vulnerabilities to
> > compromise the server via IIS exploits, Email attachment exploits, IE
> > exploits.
> >
> > Solution: Take this server offline immediately and rebuild it.
> >
> > Risk Factor: High";
> >
> >  script_description(english:desc["english"]);
> >
> >  summary["english"] = "Tests for Nimda Worm scanning hosts";
> >  script_summary(english:summary["english"]);
> >
> >  script_category(ACT_GATHER_INFO);
> >
> >  script_copyright(english:"This script is Copyright (C) 2001 Gareth Bromley");
> >  family["english"] = "CGI abuses";
> >  script_family(english:family["english"]);
> >  script_dependencie("find_service.nes");
> >  script_require_ports("Services/tftp", 69);
> >  exit(0);
> > }
> >
> > # Check for ability to get admin.dll from a remote tftp server.
> > port = get_kb_item("Services/tftp");
> > if(!port)
> > {
> >  port = 69;
> > }
> >
> > if(get_port_state(port))
> > {
> >  soc = open_socket_udp(port);
> >  if(soc)
> >  {
> >   # TFTP get request for Admin.dll in binary (RFC 1350 read request)
> >   # 00 01 = RRQ Get request
> >   # 41 64 6D 69 6E 2E 64 6C 6C 00 = Admin.dll\0
> >   # 6F 63 74 65 74 00 = octet\0
> >   rawdata = raw_string(0x00, 0x01, 0x41, 0x64, 0x6D, 0x69, 0x6E, 0x2E, 0x64,
> >                        0x6C, 0x6C, 0x00, 0x6F, 0x63, 0x74, 0x65, 0x74,
> >                        0x00);
> >   send(socket:soc, data:rawdata);
> >   # We should not get icmp port-unreachable if a TFTP server like process exists
> >   # Recv up to 100Kb. Nimda is about 52Kb in size
> >   data = recv(socket:soc, length:102400);
> >   if(data)
> >   {
> >    # Data was returned!! (any reply counts here, a TFTP ERROR packet included)
> >    security_note(port:port, data:string("Nimda worm maybe present!"));
> >   }
> >   close(soc);
> >  }
> > }
>
> ----- End forwarded message -----
>
> --
> Renaud Deraison
> The Nessus Project
> http://www.nessus.org
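The same TFTP read-request probe written as a stand-alone Python check (added here for illustration; it is not the NASL plugin above nor Nessus code). Unlike the plugin, it only treats a TFTP DATA block as a positive, since a TFTP ERROR reply ("file not found") is also "data" coming back, and it never ACKs, so no transfer of the file proceeds. The Admin.dll filename is taken from the quoted script; the host argument and the 3 second timeout are assumptions.

```python
import socket
import struct

TFTP_RRQ, TFTP_DATA, TFTP_ERROR = 1, 3, 5
WORM_FILE = b"Admin.dll"   # filename the quoted NASL plugin requests


def build_rrq(filename: bytes = WORM_FILE, mode: bytes = b"octet") -> bytes:
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", TFTP_RRQ) + filename + b"\x00" + mode + b"\x00"


def classify_reply(packet: bytes) -> str:
    """Distinguish a served file from a server that merely answers.

    Returns "data" only for DATA block 1 of the requested file, "error" for a
    TFTP ERROR packet (server present, file not offered), else "unknown".
    """
    if len(packet) < 4:
        return "unknown"
    opcode, second = struct.unpack("!HH", packet[:4])
    if opcode == TFTP_DATA and second == 1:
        return "data"
    if opcode == TFTP_ERROR:
        return "error"
    return "unknown"


def probe_tftp(host: str, port: int = 69, timeout: float = 3.0) -> str:
    """Send one RRQ for Admin.dll and classify the first datagram back.

    "silent" means no reply within the timeout (or a port-unreachable that the
    platform surfaces as an OSError); as the reply above notes, a filtered
    udp/69 does not prove the host is clean. No ACK is sent, so at most one
    512-byte block ever arrives.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_rrq(), (host, port))
        try:
            reply, _ = sock.recvfrom(65535)
        except OSError:          # socket.timeout and ConnectionResetError
            return "silent"
    return classify_reply(reply)


if __name__ == "__main__":
    import sys
    print(probe_tftp(sys.argv[1]))   # usage: python probe.py <host>
```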
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 10:23:44 PDT