Re: [Unmask Parasites. Blog.] "Dynamic DNS and Botnet of Zombie Web Servers"

[David Fifield <david () bamsoftware com>]

On Sat, Sep 12, 2009 at 05:39:29PM -0500, Ron wrote:
> (Note: I've included both the blog author and the Nmap mailing list in  
> this email)
>
> This is in response to this blog post:
> http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/
>
> I wrote a script to detect this botnet behaviour. Unfortunately, I don't  
> have time to test it properly. Right now I'm looking for any server that  
> responds with a 302 to that particular file, but not other files. I  
> tested it against a couple servers I found, and it seems to work nicely.  
> I wrote it really quickly, though, since I'm running late.
>
> I've attached the script. You'll have to:
> a) Update to the latest Nmap SVN version
> b) Put my script (attached) in the /scripts folder (where the other .nse  
> files are)
> c) run:
> nmap --script=http-infected <host>
>
> It should return the fact that the server's infected, and also where it  
> is redirecting to.
>
> I'm going to be away from my computer till later tonight (~5 hours or  
> so). Please, if anybody can test this and let me know if it's working,  
> that'd be great!

What hosts should we be testing? I don't have a list of possibly
infected hostnames. I ran the script against my server and got "appears
to be clean" for ports 80 and 443.

http-infected is a vague name. What other types of things do you see
this script checking for in the future?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org