Nmap Development mailing list archives

Re: [NSE] Detection of ProFTPD backdoor


From: Michael Meyer <michael.meyer () greenbone net>
Date: Wed, 8 Dec 2010 14:22:56 +0100

*** Michael Meyer <michael.meyer () greenbone net> wrote:
Hello,

*** David Fifield <david () bamsoftware com> wrote:
On Tue, Dec 07, 2010 at 03:22:49PM +0100, Michael Meyer wrote:

I played around a little and got the following
working. It is _not_ a finished script, just an example.

Can you briefly explain what your script does differently?

No, not really. ;)

What I have just seen ...

In my first tests nmap and proftpd were on the same machine. Now I'm
doing a few tests with nmap on another host. When doing this, the
script from Mak works _sometimes_ (2 of 10) but not always. Most times I got

NSOCK (0.1560s) Read request from IOD #1 [192.168.2.4:21] (timeout:5000ms) EID 42
NSOCK (5.1560s) Callback: READ TIMEOUT for EID 42 [192.168.2.4:21]
NSE: Can't read command response: TIMEOUT

when it fails. 

NSOCK (0.1120s) Read request from IOD #1 [192.168.2.4:21] (timeout:5000ms) EID 42
NSOCK (0.1220s) Callback: READ SUCCESS for EID 42 [192.168.2.4:21] (131 bytes)
NSE: TCP 192.168.2.20:53614 < 192.168.2.4:21 | uid=0(root) gid=0(root) Gruppen=0(root)

on success.  

Micha
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/