For a description of this category, see malware NSE category in the Nmap documentation.
Scripts
- auth-spoof
Checks for an identd (auth) server which is spoofing its replies.
- dns-zeustracker
Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan:
- ftp-proftpd-backdoor
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID 45150. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.
- ftp-vsftpd-backdoor
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
- http-google-malware
Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.
- http-malware-host
Looks for signatures of known server compromises.
- http-virustotal
Checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API, which requires a valid API key and has a limit of 4 queries per minute. A key can be acquired by registering as a user on the virustotal web page:
- irc-unrealircd-backdoor
Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.
- smb-double-pulsar-backdoor
Checks if the target machine is running the Double Pulsar SMB backdoor.
- smtp-strangeport
Checks if SMTP is running on a non-standard port.