This is an alternative way to detect nimda-infected boxen. What do you
think of it / who can try it ?
----- Forwarded message from Gareth Bromley <gbbromley@hotmail.com> -----
> Delivered-To: renaud@prof.fr.nessus.org
> Delivered-To: renaud@raccoon.nessus.org
> X-Originating-IP: [62.189.94.193]
> From: "Gareth Bromley" <gbbromley@hotmail.com>
> To: deraison@cvs.nessus.org
> Subject: Another Nimda scanner
> Date: Fri, 21 Sep 2001 13:21:30 +0100
> X-OriginalArrivalTime: 21 Sep 2001 12:21:31.0012 (UTC) FILETIME=[F1F7AC40:01C14297]
>
> As subject:
>
> This is my first Nessus script ;)
>
> It checks remote hosts for a TFTP server that allow Admin.dll to be
> downloaded, thus allowing detection for email or file share infected hosts
> as well as IIS exploited systems.
>
> I haven't had chance to fully test it, as I'm on client site :(
>
> Cheers,
>
> --Gareth Bromley <gbromley@intstar.com>
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
> #
> # Created by Gareth Bromley <gbromley@intstar.com>, 20th September 2001
> #
> # See the Nessus Scripts License for details
> #
>
> if(description)
> {
> script_id(10767);
> name["english"] = "Tests for Nimda Worm infected scanning hosts";
> script_name(english:name["english"]);
>
> desc["english"] = "Your server appears to have been compromised by the
> Nimda worm.It uses various known Microsoft vulnerabilities to
> compromise the server via IIS exploits, Email attachment exploits, IE
> exploits.
>
> Solution: Take this server offline immediately and rebuild it.
>
> Risk Factor: High";
>
> script_description(english:desc["english"]);
>
> summary["english"] = "Tests for Nimda Worm scanning hosts";
>
> script_summary(english:summary["english"]);
>
> script_category(ACT_GATHER_INFO);
>
> script_copyright(english:"This script is Copyright (C) 2001 Gareth
> Bromley");
> family["english"] = "CGI abuses";
> script_family(english:family["english"]);
> script_dependencie("find_service.nes");
> script_require_ports("Services/tftp", 69);
> exit(0);
> }
>
> # Check for ability to get admin.dll from a remote tftp server.
> port = get_kb_item("Services/tftp");
> if(!port)
> {
> port = 69;
> }
> if(get_port_state(port))
> {
> soc = open_socket_udp(port);
> if(soc)
> {
> # TFTP get request for Admin.dll in binary
> # 00 01 = RRQ Get request
> # 41 64 6D 69 6E 2E 64 6C 00 = Admin.dll\0
> # 6F 63 74 65 74 00 = octet\0
> rawdata = raw_string{0x00, 0x01, 0x41, 0x64, 0x6D, 0x69, 0x6E, 0x2E, 0x64,
> 0x6C, 0x6C, 0x00, 0x6F, 0x63, 0x74, 0x65, 0x74,
> 0x00};
> send(socket:soc, data:rawdata);
> # We should not get icmp port-unreachable if a TFTP server like process
> exists
> # Recv up to 100Kb. Nimda is about 52Kb in size
> data = recv(socket:soc, length:102400);
> if(data)
> {
> # Data was returned!!
> security_note(port:port, data:string("Nimda worm maybe present!");
> }
> close(soc);
> }
>
>
----- End forwarded message -----
--
Renaud Deraison
The Nessus Project
http://www.nessus.org
think of it / who can try it ?
----- Forwarded message from Gareth Bromley <gbbromley@hotmail.com> -----
> Delivered-To: renaud@prof.fr.nessus.org
> Delivered-To: renaud@raccoon.nessus.org
> X-Originating-IP: [62.189.94.193]
> From: "Gareth Bromley" <gbbromley@hotmail.com>
> To: deraison@cvs.nessus.org
> Subject: Another Nimda scanner
> Date: Fri, 21 Sep 2001 13:21:30 +0100
> X-OriginalArrivalTime: 21 Sep 2001 12:21:31.0012 (UTC) FILETIME=[F1F7AC40:01C14297]
>
> As subject:
>
> This is my first Nessus script ;)
>
> It checks remote hosts for a TFTP server that allow Admin.dll to be
> downloaded, thus allowing detection for email or file share infected hosts
> as well as IIS exploited systems.
>
> I haven't had chance to fully test it, as I'm on client site :(
>
> Cheers,
>
> --Gareth Bromley <gbromley@intstar.com>
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
> #
> # Created by Gareth Bromley <gbromley@intstar.com>, 20th September 2001
> #
> # See the Nessus Scripts License for details
> #
>
> if(description)
> {
> script_id(10767);
> name["english"] = "Tests for Nimda Worm infected scanning hosts";
> script_name(english:name["english"]);
>
> desc["english"] = "Your server appears to have been compromised by the
> Nimda worm.It uses various known Microsoft vulnerabilities to
> compromise the server via IIS exploits, Email attachment exploits, IE
> exploits.
>
> Solution: Take this server offline immediately and rebuild it.
>
> Risk Factor: High";
>
> script_description(english:desc["english"]);
>
> summary["english"] = "Tests for Nimda Worm scanning hosts";
>
> script_summary(english:summary["english"]);
>
> script_category(ACT_GATHER_INFO);
>
> script_copyright(english:"This script is Copyright (C) 2001 Gareth
> Bromley");
> family["english"] = "CGI abuses";
> script_family(english:family["english"]);
> script_dependencie("find_service.nes");
> script_require_ports("Services/tftp", 69);
> exit(0);
> }
>
> # Check for ability to get admin.dll from a remote tftp server.
> port = get_kb_item("Services/tftp");
> if(!port)
> {
> port = 69;
> }
> if(get_port_state(port))
> {
> soc = open_socket_udp(port);
> if(soc)
> {
> # TFTP get request for Admin.dll in binary
> # 00 01 = RRQ Get request
> # 41 64 6D 69 6E 2E 64 6C 00 = Admin.dll\0
> # 6F 63 74 65 74 00 = octet\0
> rawdata = raw_string{0x00, 0x01, 0x41, 0x64, 0x6D, 0x69, 0x6E, 0x2E, 0x64,
> 0x6C, 0x6C, 0x00, 0x6F, 0x63, 0x74, 0x65, 0x74,
> 0x00};
> send(socket:soc, data:rawdata);
> # We should not get icmp port-unreachable if a TFTP server like process
> exists
> # Recv up to 100Kb. Nimda is about 52Kb in size
> data = recv(socket:soc, length:102400);
> if(data)
> {
> # Data was returned!!
> security_note(port:port, data:string("Nimda worm maybe present!");
> }
> close(soc);
> }
>
>
----- End forwarded message -----
--
Renaud Deraison
The Nessus Project
http://www.nessus.org