Renaud Deraison writes:
> On Tue, Sep 18, 2001 at 06:24:18PM -0400, Alan Pitts wrote:
> >
> > Hi,
> >
> > Attached is a .nasl plugin that will check to see if the server has
> > been infected by the Nimda Worm.
> >
> > This plugin will check the index page for readme.eml.
> >
> > Please comment... I would like ideas on how to improve it.
>
> Hi,
>
> Matt Moore sent me the same plugins a few minutes before you :(
Glad to know that there are multiple people trying to get a plugin out
ASAP. :0)
>
> I think that next time I'll give precedence to plugins sent to me via
> the mailing list rather than sent to me directly.
>
> Anyway, let's comment the coding style (which is the purpose of this
> mailing list after all).
>
>
Thanks for the suggestions! I knew there had to be a better way to
code this.
I had considered using egrep to check for the presence of the longer
JavaScript string that is appended to the files. My thought is the
test would be a more specific (maybe reduce false positives). However,
I could never really get a match using a regex that worked pretty well
w/ perl. Is it worth using egrep for the test ?
> (the argument "port" is needed so that NASL can then look in the KB if
> the remote server running on that port supports HTTP/1.0 or /1.1).
>
> Which makes me think : maybe doing your request is the way to go, as
> it'd return the remote web root (not the root of a virtual server).
>
> Which file is modified when the worm hits ? The web root or the root of
> the current virtual server ?
One of the people I work w/ has a honeypot that was recently
infected. He (Jared Allison) says that the worm has changed more than
just the files mentioned by Sophos. It looks like all files
w/ .html, .htm, and .asp. That would mean that using http_get would
work just as well, yes ?
Suggestion: Maybe putting a pointer to the cert advisory would be
helpful for the user.
http://www.cert.org/advisories/CA-2001-26.html

Cheers,
Alan
--
-----------------------------------------------------
Alan Pitts | E-Mail: amp@uu.net
UUNet Technologies | Ph: 614.723.4954
-----------------------------------------------------
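The thread above debates testing for the bare filename readme.eml versus the longer JavaScript string Nimda appends to pages. The following is an added example (not Alan's or Matt's NASL plugin, and not Nessus code) that runs both checks over page bodies in Python: the appended JavaScript is the one documented in CERT advisory CA-2001-26, the whitespace/case-tolerant regex is my own assumption about how to match it robustly, and the HTTP fetch (http_get in NASL) is left out so the block runs offline on constructed sample responses.

```python
import re

# JavaScript that Nimda appends to .html/.htm/.asp files, per CA-2001-26.
# The regex tolerates whitespace and case differences (assumption: infected
# pages may be re-saved or re-encoded) instead of matching exact bytes.
NIMDA_JS_RE = re.compile(
    r'<script\s+language\s*=\s*"?javascript"?\s*>\s*'
    r'window\.open\(\s*"readme\.eml"\s*,\s*null\s*,',
    re.IGNORECASE,
)

# The weaker test from the original plugin: just the filename.
README_RE = re.compile(r"readme\.eml", re.IGNORECASE)


def check_page(body: str) -> str:
    """Classify one fetched page body.

    'infected' -> the appended Nimda JavaScript is present (strong indicator)
    'suspect'  -> only the string readme.eml appears (prone to false positives)
    'clean'    -> neither
    """
    if NIMDA_JS_RE.search(body):
        return "infected"
    if README_RE.search(body):
        return "suspect"
    return "clean"


def check_pages(pages: dict) -> dict:
    """Map each path to its verdict; pages is {path: response body}."""
    return {path: check_page(body) for path, body in pages.items()}


# Constructed sample responses (not captured from a real host).
SAMPLE_PAGES = {
    "/index.html": "<html><body>Welcome</body></html>"
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>',
    "/default.asp": "<html><body>Intranet home</body></html>",
    "/docs/faq.htm": "<html><body>See readme.eml for the layout.</body></html>",
}

if __name__ == "__main__":
    for path, verdict in check_pages(SAMPLE_PAGES).items():
        print(f"{path}: {verdict}")
```

The "suspect" verdict shows why the filename-only test worries the thread: an ordinary page that merely mentions readme.eml trips it, while the JavaScript match does not.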