Re: [Unmask Parasites. Blog.] "Dynamic DNS and Botnet of Zombie Web Servers"

[Ron <ron () skullsecurity net>]

Hi Verde,

I just uploaded it to the following location:
http://www.skullsecurity.org/blogdata/http-malware-host.nse

Hope that helps!
Ron

On 09/17/2009 01:32 PM, Verde Denim wrote:
> Where can I get this script to review? I searched insecure.org and didn't
> find it. Thanks.
>
> Jack
>
> On Wed, Sep 16, 2009 at 10:38 AM, Ron<ron () skullsecurity net>  wrote:
>
> > Since nobody complained, I went ahead and committed this. I renamed it (per
> > David's comment that the name was overfly vague) and called it
> > http-malware-host.nse.
> >
> > Let me know if you have any comments!
> >
> > Also, as usual, I wrote a blog about it:
> > http://www.skullsecurity.org/blog/?p=340
> >
> > On 09/12/2009 05:39 PM, Ron wrote:
> >
> > > (Note: I've included both the blog author and the Nmap mailing list in
> > > this email)
> > >
> > > This is in response to this blog post:
> > >
> > > http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/
> > >
> > >
> > > I wrote a script to detect this botnet behaviour. Unfortunately, I don't
> > > have time to test it properly. Right now I'm looking for any server that
> > > responds with a 302 to that particular file, but not other files. I
> > > tested it against a couple servers I found, and it seems to work nicely.
> > > I wrote it really quickly, though, since I'm running late.
> > >
> > > I've attached the script. You'll have to:
> > > a) Update to the latest Nmap SVN version
> > > b) Put my script (attached) in the /scripts folder (where the other .nse
> > > files are)
> > > c) run:
> > > nmap --script=http-infected<host>
> > >
> > > It should return the fact that the server's infected, and also where it
> > > is redirecting to.
> > >
> > > I'm going to be away from my computer till later tonight (~5 hours or
> > > so). Please, if anybody can test this and let me know if it's working,
> > > that'd be great!
> > >
> > > Sample run:
> > > -
> > > $ ./nmap --script=http-infected 174.143.25.37
> > >
> > > Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-12 17:35 CDT
> > > NSE: Script Scanning completed.
> > > Interesting ports on 174-143-25-37.slicehost.net (174.143.25.37):
> > > Not shown: 987 closed ports
> > > PORT STATE SERVICE
> > > 21/tcp open ftp
> > > 22/tcp open ssh
> > > 25/tcp open smtp
> > > 53/tcp open domain
> > > 80/tcp open http
> > > |_ http-infected: Server appears to be clean
> > > 110/tcp open pop3
> > > 143/tcp open imap
> > > 443/tcp open https
> > > |_ http-infected: Server appears to be clean
> > > 465/tcp open smtps
> > > 993/tcp open imaps
> > > 995/tcp open pop3s
> > > 3306/tcp open mysql
> > > 8080/tcp open http-proxy
> > > |_ http-infected: Server appears to be infected (/ts/in.cgi?open2
> > > redirects to http://bllee.homelinux.org:8080/index.php)
> > >
> > > $ ./nmap -p8080 --script=http-infected bllee.homelinux.org
> > >
> > > Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-12 17:37 CDT
> > > NSE: Script Scanning completed.
> > > Interesting ports on ttnetdc-200-227-107-89.ttnetdc.com (95.130.174.200):
> > > PORT STATE SERVICE
> > > 8080/tcp open http-proxy
> > > |_ http-infected: Server appears to be infected (/ts/in.cgi?open2
> > > redirects to http://krymskyilya.getmyip.com:8080/index.php)
> > > -
> > >
> > > And so on.
> > >
> > > If I don't hear of any issues by the time I get home (11pm CDT, give or
> > > take), I'll commit this and write a blog of my own on how to use it.
> > >
> > > Thanks!
> > >
> > > Ron
> > >
> > > On 09/12/2009 04:55 PM, Denis Sinegubko wrote:
> > >
> > > > Hi Ron,
> > > >
> > > > Thanks for your interest in my research.
> > > >
> > > > Malicious web servers on port 8080 seem to be serving malicious
> > > > content only when they are sure that the client is vulnerable.
> > > > Otherwise they return a blank file.
> > > >
> > > > Actually, when you query the URL in the iframe src you get a 302
> > > > redirect to another server.
> > > >
> > > > -------------------
> > > > wget -U Mozilla "http://174.143.25.37:8080/ts/in.cgi?open2"; -O "in.h"
> > > > --03:53:08-- http://174.143.25.37:8080/ts/in.cgi?open2
> > > > =>  `in.h'
> > > > Connecting to 174.143.25.37:8080... connected.
> > > > HTTP request sent, awaiting response... 302 Found
> > > > Location: http://snejok131.servegame.org:8080/index.php [following]
> > > > --03:53:14-- http://snejok131.servegame.org:8080/index.php
> > > > =>  `in.h'
> > > > Resolving snejok131.servegame.org... done.
> > > > Connecting to snejok131.servegame.org[72.3.139.94]:8080... connected.
> > > > HTTP request sent, awaiting response... 200 OK
> > > > Length: 0 [text/html]
> > > > -------------------
> > > >
> > > > Something like this. Hope this helps.
> > > ------------------------------------------------------------------------
> > >
> > >
> > > _______________________________________________
> > > Sent through the nmap-dev mailing list
> > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > Archived at http://SecLists.Org
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://SecLists.Org
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org