File http-malware-host
Script types:
portrule
Categories:
malware, safe
Download: http://nmap.org/svn/scripts/http-malware-host.nse
User Summary
Looks for signatures of known server compromises.
Currently, the only signature it looks for is the one discussed here:
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/.
This is done by requesting the page /ts/in.cgi?open2 and
looking for an errant 302 (it attempts to detect servers that always
return 302). Thanks to Denis from the above link for finding this
technique!
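The errant-302 check described above, as an added Python illustration (this is not the script's own Lua code and simplifies it): the response to /ts/in.cgi?open2 is compared with the response to a bogus control path so that a server which answers 302 to everything is not reported as infected. The raw responses are constructed samples, not captured traffic.

```python
import re
from typing import Optional, Tuple

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def parse_response(raw: str) -> Tuple[int, Optional[str]]:
    """Return (status code, Location header or None) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return int(m.group(1)), location


def classify(sig_raw: str, control_raw: str) -> Tuple[str, Optional[str]]:
    """Errant-302 check.

    sig_raw is the response to /ts/in.cgi?open2; control_raw is the response to a
    random path that should not exist on the server (assumed control request).
    """
    sig_status, sig_loc = parse_response(sig_raw)
    ctl_status, _ = parse_response(control_raw)
    if sig_status != 302:
        return "clean", None
    if ctl_status == 302:
        return "inconclusive", sig_loc  # server redirects everything; no signal
    return "infected", sig_loc


# Constructed sample responses (the redirect target is the one quoted in the script output).
INFECTED_SIG = ("HTTP/1.1 302 Found\r\n"
                "Location: http://last-another-life.ru:8080/index.php\r\n"
                "Content-Length: 0\r\n\r\n")
NOT_FOUND = "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
ALWAYS_302 = "HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(classify(INFECTED_SIG, NOT_FOUND))  # ('infected', 'http://last-another-life.ru:8080/index.php')
    print(classify(NOT_FOUND, NOT_FOUND))     # ('clean', None)
    print(classify(ALWAYS_302, ALWAYS_302))   # ('inconclusive', '/login')
```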
Script Arguments
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent
See the documentation for the http library.
Example Usage
nmap -sV --script=http-malware-host <target>
Script Output
Interesting ports on www.sopharma.bg (84.242.167.49):
PORT     STATE SERVICE    REASON
80/tcp   open  http       syn-ack
|_ http-malware-host: Host appears to be clean
8080/tcp open  http-proxy syn-ack
| http-malware-host:
| |  Host appears to be infected (/ts/in.cgi?open2 redirects to http://last-another-life.ru:8080/index.php)
|_ |_ See: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/
Requires
Author: Ron Bowes
License: Same as Nmap--See http://nmap.org/book/man-legal.html