Nmap Development mailing list archives
Re: [Unmask Parasites. Blog.] "Dynamic DNS and Botnet of Zombie Web Servers"
From: David Fifield <david () bamsoftware com>
Date: Sun, 13 Sep 2009 15:12:11 -0600
On Sat, Sep 12, 2009 at 05:39:29PM -0500, Ron wrote:
(Note: I've included both the blog author and the Nmap mailing list in this email)

This is in response to this blog post:
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

I wrote a script to detect this botnet behaviour. Unfortunately, I don't have time to test it properly. Right now I'm looking for any server that responds with a 302 to that particular file, but not other files. I tested it against a couple servers I found, and it seems to work nicely. I wrote it really quickly, though, since I'm running late.

I've attached the script. You'll have to:
a) Update to the latest Nmap SVN version
b) Put my script (attached) in the /scripts folder (where the other .nse files are)
c) run: nmap --script=http-infected <host>

It should return the fact that the server's infected, and also where it is redirecting to.

I'm going to be away from my computer till later tonight (~5 hours or so). Please, if anybody can test this and let me know if it's working, that'd be great!

What hosts should we be testing? I don't have a list of possibly infected hostnames. I ran the script against my server and got "appears to be clean" for ports 80 and 443.

http-infected is a vague name. What other types of things do you see this script checking for in the future?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
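
The check described in the quoted message (a 302 for one particular file, but not for other files) can be sketched as follows. This is an added example, not the attached script and not code from the Nmap project; the thread does not name the probed file, so the responses below are constructed, and the "inconclusive" verdict for servers that redirect every path is an assumption of this sketch.

```python
def classify(probe, controls):
    """Apply the check: 302 for the probe file, but not for other files.

    probe and each control are (status, Location-or-None) tuples collected
    without following redirects. controls are responses for other paths on
    the same server (for example a random, non-existent file name).
    Returns (verdict, where_the_probe_redirects_to).
    """
    if not controls:
        raise ValueError("need at least one control path to compare against")
    status, location = probe
    if status != 302:
        return ("clean", None)
    if any(ctl_status == 302 for ctl_status, _ in controls):
        # Other files are redirected as well (catch-all rule, HTTP-to-HTTPS
        # upgrade), so the 302 says nothing specific about the probe file.
        return ("inconclusive", location)
    return ("suspicious", location)


# Constructed responses, not captured from real servers:
# host -> (probe response, [control responses])
SAMPLES = {
    "clean.example": ((404, None), [(404, None), (200, None)]),
    "https-upgrade.example": (
        (302, "https://https-upgrade.example/probe"),
        [(302, "https://https-upgrade.example/other")],
    ),
    "flagged.example": (
        (302, "http://redirect-target.example:8080/"),
        [(404, None), (200, None)],
    ),
}

if __name__ == "__main__":
    for host, (probe, controls) in SAMPLES.items():
        verdict, target = classify(probe, controls)
        print(f"{host}: {verdict}" + (f" -> {target}" if target else ""))
```

A host that lands in "inconclusive" needs a manual look, since a redirect-everything configuration hides the one signal this check relies on.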