Nmap Development mailing list archives

Re: [NSE] Detection of ProFTPD backdoor


From: David Fifield <david () bamsoftware com>
Date: Mon, 6 Dec 2010 16:25:17 -0800

On Mon, Dec 06, 2010 at 05:16:06PM -0600, Mak Kolybabi wrote:
> I've attached a script to detect the ProFTPD backdoor. I submit it here for
> (hopefully) inclusion into Nmap. I have tested it both on a backdoored, and a
> non-backdoored version of ProFTPD 1.3.3c. Comments, concerns, criticism, and
> testing are appreciated.

Awesome, Mak! This one had been on my mind since I saw it in the new VA
modules listing a few days ago. It's pretty simple and looks correct to
me so I've added it. I changed the name from proftpd-backdoor to
ftp-proftpd-backdoor to match the pattern that's been established with
irc-unrealircd-backdoor.

      -- Check version.
      if not resp:match("ProFTPD 1.3.3c") then
              stdnse.print_debug(1, "This version is not known to be backdoored.")
              return
      end

I guess this could also happen in the portrule instead of the action,
but that would require version detection to be run every time.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
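
The trade-off raised in the reply above (version gate in the portrule versus in the action), as an added example that is not part of the original message or the submitted script. The helper name `portrule_with_version`, the product and version strings reported by `-sV`, the timeout and the output text are assumptions; only the version gate is shown.

```lua
-- Added illustration only; not the submitted ftp-proftpd-backdoor script.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[Shows two placements of a ProFTPD 1.3.3c version gate.]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe"}

local is_ftp = shortport.port_or_service(21, "ftp")

-- Option A (hypothetical helper): gate in the portrule. port.version.product
-- and .version are only filled in when the scan ran with -sV, so without
-- version detection this rule never matches and the script is skipped.
-- Assumes -sV reports product "ProFTPD" and version "1.3.3c".
local function portrule_with_version(host, port)
  local v = port.version
  return is_ftp(host, port) and v ~= nil
    and v.product == "ProFTPD" and v.version == "1.3.3c"
end

-- Option B: cheap portrule, version gate in the action (the approach quoted
-- in the message). Works without -sV at the cost of one banner read.
portrule = is_ftp

action = function(host, port)
  local sock = nmap.new_socket()
  sock:set_timeout(5000) -- assumed timeout, in milliseconds
  local ok, err = sock:connect(host, port)
  if not ok then
    stdnse.print_debug(1, "Connect failed: %s", err)
    return
  end
  local status, resp = sock:receive_lines(1)
  sock:close()
  if not status then
    stdnse.print_debug(1, "No greeting received: %s", resp)
    return
  end
  -- Plain-text find (plain = true) so the dots in the version match literally.
  if not resp:find("ProFTPD 1.3.3c", 1, true) then
    stdnse.print_debug(1, "This version is not known to be backdoored.")
    return
  end
  return "Greeting reports ProFTPD 1.3.3c; candidate for the backdoor check."
end
```

Swapping `portrule = is_ftp` for `portrule = portrule_with_version` moves the gate to Option A, which only selects the port when the scan was run with `-sV`.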

