Script http-malware-host
Script types:
portrule
Categories:
malware, safe
Download: https://svn.nmap.org/nmap/scripts/http-malware-host.nse
Script Summary
Looks for signatures of known server compromises.
Currently, the only signature it looks for is the one discussed here:
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/.
This is done by requesting the page /ts/in.cgi?open2 and looking for an errant 302 (it attempts to detect servers that always return 302, so that a redirect on the probe page alone is not taken as proof). Thanks to Denis from the above link for finding this technique!
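The probe-and-control logic described above, written out as an added Python example (not the NSE script's own code). It assumes the always-302 check is made with a second request to a random, nonexistent path, and reuses the verdict wording from the Script Output section; the redirect targets in the comments and docstrings are constructed.

```python
"""Added example, not the NSE script's own code: the http-malware-host check
as a pure decision function plus a thin fetch helper. Assumption not on the
page: the always-302 case is detected with a second, control request to a
random path that should not exist; a probe 302 counts only if that control
request does not redirect as well."""
import http.client
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

PROBE_PATH = "/ts/in.cgi?open2"  # path named on the page
SEE_ALSO = ("http://blog.unmaskparasites.com/2009/09/11/"
            "dynamic-dns-and-botnet-of-zombie-web-servers/")


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # Location header, if any


def classify(probe: Response, control: Response) -> Tuple[bool, str]:
    """Return (infected, message) from the probe and control responses."""
    if probe.status != 302 or not probe.location:
        return False, "Host appears to be clean"
    if control.status == 302:
        # Everything redirects here, so the probe's 302 proves nothing.
        return False, "Host appears to be clean (server redirects all requests)"
    msg = "Host appears to be infected (%s redirects to %s)\nSee: %s" % (
        PROBE_PATH, probe.location, SEE_ALSO)
    return True, msg


def fetch(host: str, port: int, path: str, timeout: float = 5.0) -> Response:
    """Single GET that does not follow redirects; captures status and Location."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return Response(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def check_host(host: str, port: int = 80) -> Tuple[bool, str]:
    """Run the probe, then the control request to a random nonexistent path."""
    probe = fetch(host, port, PROBE_PATH)
    control = fetch(host, port, "/" + secrets.token_hex(8))
    return classify(probe, control)
```

`classify` is separated from `fetch` so the verdict logic can be exercised offline against recorded responses; `check_host` is the network wrapper for a live scan.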
Script Arguments
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -sV --script=http-malware-host <target>
Script Output
Interesting ports on www.sopharma.bg (84.242.167.49):
PORT     STATE SERVICE    REASON
80/tcp   open  http       syn-ack
|_ http-malware-host: Host appears to be clean
8080/tcp open  http-proxy syn-ack
| http-malware-host:
|   Host appears to be infected (/ts/in.cgi?open2 redirects to http://last-another-life.ru:8080/index.php)
|_  See: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html