Nmap Development mailing list archives

Re: [Unmask Parasites. Blog.] "Dynamic DNS and Botnet of Zombie Web Servers"


From: Ron <ron () skullsecurity net>
Date: Sun, 13 Sep 2009 16:40:50 -0500

On 09/13/2009 04:12 PM, David Fifield wrote:
> What hosts should we be testing? I don't have a list of possibly
> infected hostnames. I ran the script against my server and got "appears
> to be clean" for ports 80 and 443.
I should have been more clear. In my message, I listed an infected server (in the part I forwarded). Assuming it's still infected, when you scan it, it sends you to another, and another, and so on. So using that, it seemed to identify all infected hosts without issue (I went a few deep). I was actually more concerned about false positives than anything else.

I don't think there will be any issues, though. It's a really simple script, and is basically the same as http-enum (except checking for a different HTTP status code). I just don't like to arbitrarily check things in without giving people a chance to say 'no'.


> http-infected is a vague name. What other types of things do you see
> this script checking for in the future?
I'm hoping to detect any legitimate server that's serving up malware. At the moment it's just the one, but I don't think it's an uncommon situation. I don't mind changing the name if somebody would like to suggest a better one. I'm not sure if the 'botnet' this detects has a specific name yet (though I haven't been following the stories).

> David Fifield

Ron

--
Ron Bowes
http://www.skullsecurity.org/
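The check Ron describes above (probe the server, look at the HTTP status code, and if it sends you on to another host, follow the chain a few hosts deep) written out as an added example. This is not the http-infected script or any Nmap/NSE code; it runs against a constructed, in-memory table of responses instead of the network, and the hostnames, the set of redirect status codes and the hop limit are all assumptions, since the thread does not say which status code the real script looks for. It goes slightly beyond the thread by bounding the walk and detecting loops, which any chain-following check needs so that a server redirecting back to itself cannot hang the scan.

```python
from urllib.parse import urljoin, urlsplit

# Constructed, offline stand-in for HTTP responses: url -> (status, Location header).
# These hostnames are made up for the example; nothing is contacted.
SAMPLE_RESPONSES = {
    "http://site-a.example/": (302, "http://site-b.example/"),
    "http://site-b.example/": (302, "http://site-c.example/"),
    "http://site-c.example/": (302, "http://site-a.example/"),  # closes a loop
    "http://clean.example/": (200, None),
    "http://dangling.example/": (302, "http://nowhere.example/"),
}

# Status codes whose Location header we follow (assumed; the thread does not
# name the code the real script checks for).
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch(url, responses=SAMPLE_RESPONSES):
    """Stand-in for an HTTP GET. Returns (status, location); (None, None) if unreachable."""
    return responses.get(url, (None, None))


def _result(chain, verdict, status):
    """Package the walk: URLs visited, distinct hostnames touched, hop count, verdict."""
    hosts = sorted({urlsplit(u).hostname for u in chain})
    return {
        "chain": chain,
        "hosts": hosts,
        "hops": len(chain) - 1,
        "verdict": verdict,
        "status": status,
    }


def walk_redirects(start_url, max_hops=5, fetch_fn=fetch):
    """Follow the redirect chain from start_url for at most max_hops hops.

    Verdicts: 'clean' (first response is not a redirect), 'redirects' (chain
    ended on a non-redirect after one or more hops), 'loop' (a URL repeated),
    'unreachable' (a hop could not be fetched), 'max-hops-exceeded'.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    status = None
    for _ in range(max_hops):
        status, location = fetch_fn(url)
        if status is None:
            return _result(chain, "unreachable", status)
        if status not in REDIRECT_STATUSES or not location:
            verdict = "redirects" if len(chain) > 1 else "clean"
            return _result(chain, verdict, status)
        url = urljoin(url, location)   # resolve relative Location values
        chain.append(url)
        if url in seen:                # same URL twice: the chain is circular
            return _result(chain, "loop", status)
        seen.add(url)
    return _result(chain, "max-hops-exceeded", status)


if __name__ == "__main__":
    for start in ("http://clean.example/", "http://site-a.example/", "http://dangling.example/"):
        r = walk_redirects(start)
        print(f"{start}: {r['verdict']} after {r['hops']} hop(s); hosts: {', '.join(r['hosts'])}")
```

The `hosts` list is the part that matters for Ron's "went a few deep" observation: every hostname the chain passes through is a further candidate to check, while `max_hops` and the `seen` set keep a circular or endless chain from turning the check into a hang.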

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

