A new plugin to test for the presence of Bugbear.B's backdoor. (It's currently untested as I don't currently have access to an infected machine.) Cordialement, -- Vincent RENARDIAS Looking for a job : <http://www.renardias.com/cv.html> # # (C) 2003 StrongHoldNet # # # Ref: http://www.f-secure.com/v-descs/bugbear_b.shtml # # UNTESTED if (description) { script_id(99999); script_version ("$Revision$"); script_name(english:"Bugbear.B web backdoor"); desc["english"] = " Your system seems to be infected by the Bugbear.B virus (its backdoor has been detected on port 81). More information: http://www.f-secure.com/v-descs/bugbear_b.shtml Solution: Use your favorite antivirus to disinfect your system. Standalone disinfection tools also exist : ftp://ftp.f-secure.com/anti-virus/tools/f-bugbr.zip Risk factor : High"; script_description(english:desc["english"]); script_summary(english:"Checks for Bugbear.B web backdoor"); script_category(ACT_GATHER_INFO); script_family(english:"Backdoors", francais:"Backdoors"); script_copyright(english:"This script is Copyright (C) 2003 StrongHoldNet"); script_dependencie("find_service.nes"); script_require_ports(81); exit(0); } include("http_func.inc"); include("http_keepalive.inc"); port = 81; # Not supposed to be on any other port. if(!get_port_state(port))exit(0); url = string(d, '/%NETHOOD%/'); req = http_get(item:url, port:port); buf = http_keepalive_send_recv(port:port, data:req); if( buf == NULL ) exit(0); if(ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:buf) && "Microsoft Windows Network" >< buf) { security_hole(port); exit(0); }
This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 04:13:37 PDT