File http-malware-host

Script types: portrule
Categories: malware, safe
Download: http://nmap.org/svn/scripts/http-malware-host.nse

User Summary

Looks for signatures of known server compromises.

Currently, the only signature it checks for is the one described at http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/: the script requests the page /ts/in.cgi?open2 and reports the host as infected if that request returns an errant 302 redirect. To limit false positives, it also tries to detect servers that answer every request with a 302, so that a catch-all redirect is not mistaken for the backdoor. Thanks to Denis from the above link for finding this technique!
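The check described above, written out as an added, offline-runnable example in Python. This is not the nmap script's own Lua code: the page only says that the script requests /ts/in.cgi?open2, looks for a 302, and tries to detect servers that always return 302. The control request to a random path, the "unknown" verdict for catch-all redirectors, and the three stand-in servers are assumptions made for this example; the redirect target in the "infected" double is the one shown in the script output below.

```python
"""
Added example, not code from the http-malware-host NSE script.

Heuristic (from the page): GET /ts/in.cgi?open2; a 302 redirect means the
host may be running the backdoor described by unmaskparasites.com.
Assumption (not from the page): a second GET to a random path on the same
host is used as a control; if that also redirects, the server is a
catch-all redirector and no verdict is given.
"""
import random
import string
from typing import Callable, Dict, Optional, Tuple

PROBE_PATH = "/ts/in.cgi?open2"
REFERENCE = ("http://blog.unmaskparasites.com/2009/09/11/"
             "dynamic-dns-and-botnet-of-zombie-web-servers/")

# A responder stands in for an HTTP GET: path -> (status, headers).
Responder = Callable[[str], Tuple[int, Dict[str, str]]]


def _random_path(rng: random.Random) -> str:
    """Control path that no legitimate site should redirect specifically."""
    name = "".join(rng.choices(string.ascii_lowercase, k=12))
    return f"/{name}.html"


def _redirect_target(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Return the Location of a 302 response, or None if it is not a redirect."""
    if status != 302:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("location")


def check_host(fetch: Responder, rng: Optional[random.Random] = None) -> dict:
    """Classify one web server as clean / infected / unknown."""
    rng = rng or random.Random(0)

    status, headers = fetch(PROBE_PATH)
    target = _redirect_target(status, headers)
    if target is None:
        return {"verdict": "clean", "reason": "probe path did not redirect"}

    # Rule out servers that answer every request with a 302 (assumed control).
    ctrl_status, ctrl_headers = fetch(_random_path(rng))
    if _redirect_target(ctrl_status, ctrl_headers) is not None:
        return {"verdict": "unknown",
                "reason": "server redirects every request (catch-all 302)"}

    return {"verdict": "infected", "target": target,
            "reason": f"{PROBE_PATH} redirects to {target}", "see": REFERENCE}


def format_result(result: dict) -> str:
    """Render a verdict in the style of the script's output lines."""
    if result["verdict"] == "infected":
        return (f"Host appears to be infected ({result['reason']})\n"
                f"See: {result['see']}")
    if result["verdict"] == "clean":
        return "Host appears to be clean"
    return f"Could not determine: {result['reason']}"


# --- constructed test doubles; no network traffic is generated ---------------

def clean_server(path: str) -> Tuple[int, Dict[str, str]]:
    return 404, {"Content-Type": "text/html"}


def infected_server(path: str) -> Tuple[int, Dict[str, str]]:
    if path == PROBE_PATH:
        # Target taken from the sample script output on this page.
        return 302, {"Location": "http://last-another-life.ru:8080/index.php"}
    return 404, {"Content-Type": "text/html"}


def catch_all_redirect_server(path: str) -> Tuple[int, Dict[str, str]]:
    # e.g. an http -> https or www canonicalisation redirect for every path
    return 302, {"Location": "https://www.example.com/"}


if __name__ == "__main__":
    for name, srv in [("clean", clean_server), ("infected", infected_server),
                      ("catch-all", catch_all_redirect_server)]:
        print(f"{name}: {format_result(check_host(srv))}")
```

Running the block prints a verdict for each of the three constructed servers; the catch-all case is the one the nmap script's "always returns 302" guard exists for, and it is reported as undetermined rather than as an infection.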

Script Arguments

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -sV --script=http-malware-host <target>

Script Output

Interesting ports on www.sopharma.bg (84.242.167.49):
PORT     STATE SERVICE    REASON
80/tcp   open  http       syn-ack
|_ http-malware-host: Host appears to be clean
8080/tcp open  http-proxy syn-ack
| http-malware-host:
|   Host appears to be infected (/ts/in.cgi?open2 redirects to http://last-another-life.ru:8080/index.php)
|_  See: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

Requires


Author: Ron Bowes

License: Same as Nmap--See http://nmap.org/book/man-legal.html
