Nmap Development mailing list archives

Re: [Unmask Parasites. Blog.] "Dynamic DNS and Botnet of Zombie Web Servers"


From: David Fifield <david () bamsoftware com>
Date: Sun, 13 Sep 2009 18:36:46 -0600

On Sun, Sep 13, 2009 at 04:40:50PM -0500, Ron wrote:
> On 09/13/2009 04:12 PM, David Fifield wrote:
> > What hosts should we be testing? I don't have a list of possibly
> > infected hostnames. I ran the script against my server and got "appears
> > to be clean" for ports 80 and 443.
> I should have been more clear. In my message, I listed an infected
> server (in the part I forwarded). Assuming it's still infected, when you
> scan it, it sends you to another, and another, and so on. So using that,
> it seemed to identify all infected hosts without issue (I went a few
> deep). I was actually more concerned about false positives than anything
> else.
>
> I don't think there will be any issues, though. It's a really simple
> script, and is basically the same as http-enum (except checking for a
> different HTTP status code). I just don't like to arbitrarily check
> things in without giving people a chance to say 'no'.

I understand now. Here is what I got. The first server redirects to the
second, which redirects to a third, which redirects back to the second.

$ ./nmap --script=http-infected -F 174.143.25.37 -v                       
Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-13 18:32 MDT
Host 174-143-25-37.slicehost.net (174.143.25.37) is up (0.10s latency).
Interesting ports on 174-143-25-37.slicehost.net (174.143.25.37):
Not shown: 86 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
|_ http-infected: Server appears to be clean
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
|_ http-infected: Server appears to be clean
465/tcp  open     smtps
993/tcp  open     imaps
995/tcp  open     pop3s
1720/tcp filtered H.323/Q.931
3306/tcp open     mysql
8080/tcp open     http-proxy
|_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://cechl.webhop.info:8080/index.php)

$ ./nmap --script=http-infected -F cechl.webhop.info -v
Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-13 18:32 MDT
Interesting ports on 67.223.232.29:
Not shown: 96 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
|_ http-infected: Server appears to be clean
1720/tcp filtered H.323/Q.931
8080/tcp open     http-proxy
|_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://blaauwvogelzang.servemp3.com:8080/index.php)

$ ./nmap --script=http-infected -F blaauwvogelzang.servemp3.com
Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-13 18:34 MDT
Warning: File ./nmap-services exists, but Nmap is using /usr/share/nmap/nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
NSE: Script Scanning completed.
Interesting ports on forbookings.com (85.17.237.5):
Not shown: 81 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
|_ http-infected: Server appears to be clean
110/tcp  open     pop3
111/tcp  open     rpcbind
113/tcp  open     auth
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
|_ http-infected: Server appears to be clean
445/tcp  filtered microsoft-ds
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
1720/tcp filtered H.323/Q.931
3306/tcp open     mysql
8080/tcp open     http-proxy
|_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://cechl.webhop.info:8080/index.php)

David Fifield
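The check the thread describes (request /ts/in.cgi?open2 on an HTTP port, call the server infected when the answer is a redirect, then follow the redirect target to the next host) is small enough to model offline. The Python below is an added example, not the http-infected NSE script from the thread or any Nmap code; it works on raw HTTP responses handed to it by a caller-supplied fetch function, so it can be exercised without network access. The host:port names are taken from the scan output above, but the responses attached to them are constructed for this example. It also adds the one thing the manual walk in the message had to do by eye: it stops when the chain revisits a host, which is exactly what happens when the third server redirects back to the second.

```python
"""Offline model of the http-infected check discussed in the thread.

classify_response() decides whether one HTTP response to /ts/in.cgi?open2
indicates the redirect marker; follow_chain() walks from host to host the
way the thread did by hand, and stops on a clean host, a repeated host, or
a hop limit. Added example; not the NSE script itself.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

CHECK_PATH = "/ts/in.cgi?open2"  # path probed by the script, per the thread

_STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def classify_response(raw: str) -> Optional[str]:
    """Return the redirect target if the response is a 3xx with a Location
    header (the infection marker); return None if the host looks clean."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = _STATUS_RE.match(lines[0])
    if not m:
        return None  # not an HTTP response at all; treat as clean
    if not 300 <= int(m.group(1)) < 400:
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None  # 3xx without Location: nothing to follow


def _hostport(url: str) -> str:
    """Reduce 'http://host:port/path' to 'host:port'."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0]


def follow_chain(start: str, fetch: Callable[[str], str],
                 max_hops: int = 10) -> Tuple[List[str], str]:
    """Follow redirects from start (a 'host:port' string).

    fetch(hostport) must return the raw HTTP response to CHECK_PATH.
    Returns (hosts visited in order, reason for stopping), where the
    reason is 'clean', 'loop' or 'hop-limit'.
    """
    chain = [start]
    seen = {start}
    current = start
    for _ in range(max_hops):
        target = classify_response(fetch(current))
        if target is None:
            return chain, "clean"
        nxt = _hostport(target)
        chain.append(nxt)
        if nxt in seen:  # cycle, like host 3 pointing back at host 2 above
            return chain, "loop"
        seen.add(nxt)
        current = nxt
    return chain, "hop-limit"


# Constructed responses keyed by host:port; the names come from the scan
# output in the thread, the response bodies are made up for this example.
CONSTRUCTED_RESPONSES: Dict[str, str] = {
    "174.143.25.37:8080":
        "HTTP/1.1 302 Found\r\n"
        "Location: http://cechl.webhop.info:8080/index.php\r\n"
        "Content-Length: 0\r\n\r\n",
    "cechl.webhop.info:8080":
        "HTTP/1.1 302 Found\r\n"
        "Location: http://blaauwvogelzang.servemp3.com:8080/index.php\r\n\r\n",
    "blaauwvogelzang.servemp3.com:8080":
        "HTTP/1.1 302 Found\r\n"
        "Location: http://cechl.webhop.info:8080/index.php\r\n\r\n",
    "174.143.25.37:80":
        "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
        "<html>not here</html>",
}


def constructed_fetch(hostport: str) -> str:
    """Stand-in for a real HTTP request; unknown hosts answer 404."""
    return CONSTRUCTED_RESPONSES.get(hostport, "HTTP/1.1 404 Not Found\r\n\r\n")


if __name__ == "__main__":
    for start in ("174.143.25.37:80", "174.143.25.37:8080"):
        chain, why = follow_chain(start, constructed_fetch)
        print(start, "->", " -> ".join(chain[1:]) or "(no redirect)", f"[{why}]")
```

To run it against live hosts you would replace constructed_fetch with a function that opens a TCP connection to the host:port and sends `GET /ts/in.cgi?open2 HTTP/1.0`; the classification and loop handling stay the same. Note that only a 3xx carrying a Location header is counted, which keeps an ordinary 404 (the likely answer from a clean server, as on ports 80 and 443 above) from being reported.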

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org