Re: [NSE] Script to detect vsftpd backdoor

[Djalal Harouni <tixxdz () opendz org>]

On Tue, Jul 05, 2011 at 09:17:44AM +0200, Henri Doreau wrote:
> 2011/7/5 Daniel Miller <bonsaiviking () gmail com>:
> > Hey list,
> >
> > This was just announced yesterday. References:
> >
> > http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
> > http://pastebin.com/AetT9sS5
> > https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13093
> >
> > Hope this helps someone! The download was available from ~Feb 15 to ~Jul 3
> >
> > Dan
Nice work Dan.

> Hi Daniel,
>
> this is great! You were faster than the "SoC NSE vulnerability
> research team" for this one ;-)
>
> I have committed your script as of r24635 with the following changes:
>   - added references in the script description (the diff of the
> backdoor is available via the blog post, I haven't included this one)
>   - removed a couple unused variables
>
> The backdoor, when triggered, will bind a shell on port 6200/tcp. I
> wonder whether it would make sense to check if the backdoor is already
> listening before attempting to exploit the server? This is how the
> metasploit module works.
A patch that tries to connect to port 6200 is attached, however the
check is not in the portrule.

I've also cleaned the script, let me know if there are problems.

-- 
tixxdz
http://opendz.org

Attachment: ftp-vsftpd-backdoor.diff
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/