Nmap Development mailing list archives

Re: [NSE] Script to detect vsftpd backdoor


From: Henri Doreau <henri.doreau () greenbone net>
Date: Tue, 5 Jul 2011 09:17:44 +0200

2011/7/5 Daniel Miller <bonsaiviking () gmail com>:
> Hey list,
>
> This was just announced yesterday. References:
>
> http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
> http://pastebin.com/AetT9sS5
> https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13093
>
> Hope this helps someone! The download was available from ~Feb 15 to ~Jul 3
>
> Dan

Hi Daniel,

This is great! You were faster than the "SoC NSE vulnerability
research team" for this one ;-)

I have committed your script as of r24635 with the following changes:
  - added references in the script description (the diff of the
backdoor is available via the blog post, I haven't included this one)
  - removed a couple unused variables

The backdoor, when triggered, will bind a shell on port 6200/tcp. I
wonder whether it would make sense to check if the backdoor is already
listening before attempting to exploit the server? This is how the
Metasploit module works.

Regards.

-- 
Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
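
The pre-check suggested in the message above, sketched as an added example (it is not part of the thread, the committed NSE script, or the Metasploit module): look at 6200/tcp first and send nothing to the FTP service if a listener is already there. The function names and the three state labels are assumptions made for this illustration.

```python
import socket

BACKDOOR_PORT = 6200  # bind-shell port named in the message above


def port_state(host, port=BACKDOOR_PORT, timeout=3.0):
    """Classify the port with a plain TCP connect; no data is ever sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        # The host answered with a reset: nothing is bound to the port.
        return "closed"
    except OSError:
        # Timeout or unreachable: a filter may be hiding the port.
        return "no-response"


def precheck(host, port=BACKDOOR_PORT, timeout=3.0):
    """Decide whether an active check of the FTP service is still needed.

    A listener on the port is only an indicator: another service could own
    it, so the finding should be confirmed on the host itself.
    """
    state = port_state(host, port, timeout)
    return {
        "host": host,
        "port": port,
        "state": state,
        # Already listening: report it and leave the FTP service untouched.
        "finding": state == "listening",
        # Closed or filtered says nothing about a backdoor not yet triggered.
        "active_check_needed": state != "listening",
    }


if __name__ == "__main__":
    # Constructed demo: a local listener on an ephemeral port stands in for
    # a host where the port is already open.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    demo_port = srv.getsockname()[1]
    print(precheck("127.0.0.1", demo_port, timeout=1.0))
    srv.close()
    print(precheck("127.0.0.1", demo_port, timeout=1.0))
```

A "no-response" result is kept distinct from "closed" because a firewall dropping traffic to 6200/tcp would otherwise be read as a clean host.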

