Okay, I just scanned a system that was infected with BugBear.b and nessus did not report it as being infected. I see two plugins available for BugBear, but neither seems to work. I can be a guinea pig and test a plugin if somebody wants me to.

vjl

-----Original Message-----
From: Renaud Deraison [mailto:deraisonat_private]
Sent: Tuesday, June 10, 2003 7:44 AM
To: plugins-writersat_private
Subject: Re: [NEW] bugbear_b.nasl

On Tue, Jun 10, 2003 at 01:04:13PM +0200, Pavel Kankovsky wrote:
> On Mon, 9 Jun 2003, Jason Alexander wrote:
>
> > I thought that BugBear.B's backdoor was running on port 1080
> > http://www.idefense.com/public_release/06.05.2003.html
>
> Yes, it appears to listen on 1080/tcp.
> The protocol is something weird, certainly not HTTP.

According to the reference in Vincent's plugin, it's possible to launch a web server on an arbitrary port, so I added the plugin, which now looks for every web server, not only port 81.

As for the protocol on port 1080, if anyone has an infected host I'd be happy to write a signature for it.

-- Renaud
This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 10:19:05 PDT