Re: [NEW] bugbear_b.nasl

From: Renaud Deraison (deraisonat_private)
Date: Tue Jun 10 2003 - 04:44:19 PDT

Next message: larosa, vjay: "RE: [NEW] bugbear_b.nasl"

Previous message: Pavel Kankovsky: "Re: [NEW] bugbear_b.nasl"
In reply to: Pavel Kankovsky: "Re: [NEW] bugbear_b.nasl"
Next in thread: Pavel Kankovsky: "Re: [NEW] bugbear_b.nasl"
Next in thread: larosa, vjay: "RE: [NEW] bugbear_b.nasl"
Reply: Pavel Kankovsky: "Re: [NEW] bugbear_b.nasl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 10, 2003 at 01:04:13PM +0200, Pavel Kankovsky wrote:
> On Mon, 9 Jun 2003, Jason Alexander wrote:
> 
> > I thought that BugBear.B's backdoor was running on port 1080
> > http://www.idefense.com/public_release/06.05.2003.html
> 
> Yes, it appears to listen on 1080/tcp.
> The protocol is something wierd, certainly not HTTP.

According to the reference in Vincent's plugin, it's possible to launch
a web server on an arbitrary port, so I added the plugin, which now
looks for every web server, not only port 81.

As for the protocol on port 1080, if anyone has an infected host I'd be
happy to write a signature for it.

				-- Renaud

Next message: larosa, vjay: "RE: [NEW] bugbear_b.nasl"
Previous message: Pavel Kankovsky: "Re: [NEW] bugbear_b.nasl"
In reply to: Pavel Kankovsky: "Re: [NEW] bugbear_b.nasl"
Next in thread: Pavel Kankovsky: "Re: [NEW] bugbear_b.nasl"
Next in thread: larosa, vjay: "RE: [NEW] bugbear_b.nasl"
Reply: Pavel Kankovsky: "Re: [NEW] bugbear_b.nasl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 04:43:00 PDT