Nmap Development mailing list archives

Re: [NSE] Detection of ProFTPD backdoor


From: Mak Kolybabi <mak () kolybabi com>
Date: Fri, 10 Dec 2010 22:15:52 -0600

On 2010-12-08 14:22, Michael Meyer wrote:
In my first tests nmap and proftpd are on the same machine. Now I'm doing a
few tests with nmap on another host. When doing this, the script from Mak
works _sometimes_ (2 of 10) but not always. Most times I got

NSOCK (0.1560s) Read request from IOD #1 [192.168.2.4:21] (timeout:5000ms) EID 42
NSOCK (5.1560s) Callback: READ TIMEOUT for EID 42 [192.168.2.4:21]
NSE: Can't read command response: TIMEOUT

when it fails.

NSOCK (0.1120s) Read request from IOD #1 [192.168.2.4:21] (timeout:5000ms) EID 42
NSOCK (0.1220s) Callback: READ SUCCESS for EID 42 [192.168.2.4:21] (131 bytes)
NSE: TCP 192.168.2.20:53614 < 192.168.2.4:21 | uid=0(root) gid=0(root) Gruppen=0(root)

on success.

Sorry it has taken me so long to respond, it's been a busy week.

One difference I notice between the modified script you posted a few emails back
and the original is that the modified one has

    socket:set_timeout(10000)

and the original has

    sock:set_timeout(5000)

Since it sounds like the error that you're getting is consistently a timeout,
what is the result of changing *only* that value in the script? Does that make
it work reliably? The five-second timeout I chose was completely arbitrary.

--
Mak Kolybabi
<mak () kolybabi com>

() ASCII Ribbon Campaign | Against HTML e-mail
/\  www.asciiribbon.org  | Against proprietary extensions

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/