[NEW] bugbear_b.nasl

From: Vincent Renardias (vincentat_private)
Date: Mon Jun 09 2003 - 04:12:33 PDT

  • Next message: Renaud Deraison: "Re: [NEW] bugbear_b.nasl"

    A new plugin to test for the presence of Bugbear.B's backdoor.
    (It's currently untested as I don't currently have access to an infected
    machine.)
    
    	Regards,
    
    -- 
    Vincent RENARDIAS
    Looking for a job: <http://www.renardias.com/cv.html>
    
    
    #
    # (C) 2003 StrongHoldNet
    #
    #
    # Ref: http://www.f-secure.com/v-descs/bugbear_b.shtml
    #
    # UNTESTED
    
    if (description)
    {
     script_id(99999);
     script_version ("$Revision$");
    
     script_name(english:"Bugbear.B web backdoor");
     desc["english"] = "
    Your system seems to be infected by the Bugbear.B virus
    (its backdoor has been detected on port 81).
    
    More information: http://www.f-secure.com/v-descs/bugbear_b.shtml
    
    Solution: Use your favorite antivirus to disinfect your
    system. Standalone disinfection tools also exist :
    ftp://ftp.f-secure.com/anti-virus/tools/f-bugbr.zip
    
    Risk factor : High";
    
     script_description(english:desc["english"]);
     script_summary(english:"Checks for Bugbear.B web backdoor");
     script_category(ACT_GATHER_INFO);
     script_family(english:"Backdoors", francais:"Backdoors");
     script_copyright(english:"This script is Copyright (C) 2003 StrongHoldNet");
     script_dependencie("find_service.nes");
     script_require_ports(81);
     exit(0);
    }
    
    include("http_func.inc");
    include("http_keepalive.inc");
    
    port = 81; # Not supposed to be on any other port.
    if(!get_port_state(port))exit(0);
    
    
    # Path the plugin requests on the backdoor port (the original referenced an undefined variable).
    url = "/%NETHOOD%/";
    req = http_get(item:url, port:port);
    buf = http_keepalive_send_recv(port:port, data:req);
    if( buf == NULL ) exit(0);
    # Signature: a 200 status line plus this string anywhere in the reply.
    if(ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:buf) && "Microsoft Windows Network" >< buf) {
      security_hole(port);
      exit(0);
    }
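The same check as the NASL plugin above, re-implemented in Python so the match logic can be exercised offline. This is an added example, not part of the original post or the Nessus project: the request builder approximates what the plugin's http_get() sends, the three sample responses are constructed (not captured from an infected host), and the probe() helper's connection handling is an assumption about how a practitioner would run the check live.

```python
import re
import socket

# Values taken from the plugin: the backdoor port, the requested path,
# the status-line pattern, and the body marker it looks for.
PROBE_PORT = 81
PROBE_PATH = "/%NETHOOD%/"
STATUS_RE = re.compile(rb"^HTTP/[0-9]\.[0-9] 200 ")
MARKER = b"Microsoft Windows Network"


def build_request(host: str, path: str = PROBE_PATH) -> bytes:
    """Minimal HTTP/1.0 GET, approximating the plugin's http_get() output (assumption)."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def looks_like_bugbear_b(response: bytes) -> bool:
    """True when the reply matches what the plugin flags:
    a 200 status line at the start and the marker string anywhere in the reply.
    An empty reply is 'not detected', mirroring the plugin's exit(0) on NULL."""
    if not response:
        return False
    return bool(STATUS_RE.match(response)) and MARKER in response


def probe(host: str, port: int = PROBE_PORT, timeout: float = 5.0) -> bool:
    """Live check: connect, send the probe, read up to 64 KiB, evaluate the reply.
    Any connection or read failure is treated as 'not detected'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host))
            chunks = []
            total = 0
            while total < 65536:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return looks_like_bugbear_b(b"".join(chunks))
    except OSError:
        return False


# Constructed sample replies (not real captures) covering the three outcomes.
INFECTED_SAMPLE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b"<html><body><h1>Microsoft Windows Network</h1></body></html>")
BENIGN_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
NOT_FOUND = b"HTTP/1.1 404 Not Found\r\n\r\nMicrosoft Windows Network"

if __name__ == "__main__":
    for name, sample in [("infected", INFECTED_SAMPLE), ("benign", BENIGN_200), ("404", NOT_FOUND)]:
        print(name, looks_like_bugbear_b(sample))
```

Only the combination of a 200 status line and the marker triggers a hit; a 404 containing the marker, or a 200 without it, is ignored exactly as in the plugin, which keeps the check from flagging ordinary web servers that happen to run on port 81.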
    



    This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 04:13:37 PDT