Nmap Development mailing list archives
Re: [NSE] Script to detect vsftpd backdoor
From: Djalal Harouni <tixxdz () opendz org>
Date: Tue, 5 Jul 2011 14:57:27 +0100
On Tue, Jul 05, 2011 at 09:17:44AM +0200, Henri Doreau wrote:
> 2011/7/5 Daniel Miller <bonsaiviking () gmail com>:
>> Hey list,
>>
>> This was just announced yesterday. References:
>> http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
>> http://pastebin.com/AetT9sS5
>> https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13093
>>
>> Hope this helps someone! The download was available from ~Feb 15 to ~Jul 3
>>
>> Dan

Nice work Dan.

> Hi Daniel,
>
> this is great! You were faster than the "SoC NSE vulnerability research team" for this one ;-)
>
> I have committed your script as of r24635 with the following changes:
> - added references in the script description (the diff of the backdoor is available via the blog post, I haven't included this one)
> - removed a couple unused variables
>
> The backdoor, when triggered, will bind a shell on port 6200/tcp. I wonder whether it would make sense to check if the backdoor is already listening before attempting to exploit the server? This is how the metasploit module works.

A patch that tries to connect to port 6200 is attached, however the check is not in the portrule. I've also cleaned the script, let me know if there are problems.

--
tixxdz
http://opendz.org
Attachment: ftp-vsftpd-backdoor.diff
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
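The pre-check discussed in this message (see whether something is already listening on 6200/tcp before doing anything else to the FTP server), as an added Python example for auditing your own hosts. It is not the attached ftp-vsftpd-backdoor.diff and not NSE code; the function names, the timeout and the open/closed/filtered labels are assumptions.

```python
import socket

# Port the thread says the triggered backdoor binds a shell on.
BACKDOOR_PORT = 6200


def probe_port(host, port=BACKDOOR_PORT, timeout=3.0):
    """Classify a TCP port with a single connect attempt.

    'open'     - handshake completed, something is listening
    'closed'   - the host answered with a reset (connection refused)
    'filtered' - timeout or any other network error, state unknown
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout and unreachable errors
        return "filtered"


def audit(hosts, port=BACKDOOR_PORT, timeout=3.0):
    """Probe each host once and record whether the port is already listening.

    A host with already_listening=True should be investigated as is;
    no further interaction with its FTP service is needed to flag it.
    """
    findings = {}
    for host in hosts:
        state = probe_port(host, port, timeout)
        findings[host] = {"state": state, "already_listening": state == "open"}
    return findings


if __name__ == "__main__":
    # Constructed host list; replace with FTP servers you administer.
    for host, result in audit(["127.0.0.1"]).items():
        print(host, result["state"], "listening" if result["already_listening"] else "")
```

An open 6200/tcp only shows that some service is listening there; confirming what it is still requires inspecting the host.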
Current thread:
- [NSE] Script to detect vsftpd backdoor Daniel Miller (Jul 04)
- Re: [NSE] Script to detect vsftpd backdoor m k (Jul 04)
- Re: [NSE] Script to detect vsftpd backdoor Henri Doreau (Jul 05)
- Re: [NSE] Script to detect vsftpd backdoor Daniel Miller (Jul 05)
- Re: [NSE] Script to detect vsftpd backdoor Djalal Harouni (Jul 05)
- Re: [NSE] Script to detect vsftpd backdoor Henri Doreau (Jul 05)
- Re: [NSE] Script to detect vsftpd backdoor Djalal Harouni (Jul 05)