Mailing List Archive

Code Red Plugin
This might have already been discussed but I am having trouble reaching the
archives so I will just post. I am wondering if there are any codered
specific plugins floating around out there. Also one that would detect if
the system was actually compromised. (/scripts/root.exe etc.) I am currently
using the idq filter check and it comes up but the box is patched. The
current plugin just tells you that the .ida extension is still mapped. Well
this could be valid on a box that is running index server legitimately. Any
pointers would be great thanks,

Mike
Re: Code Red Plugin
Already out there, scriptid 10713, called "codered_x.nasl".
It detects systems that have been compromised by trying to
get a directory listing off the remote platform.

Keep an eye on the URL http://scripts.nessus.org/ - new tests
are listed there. Code red is no longer on this, because it's
already been wrapped up into the latest stable release, 1.0.9

The source can be downloaded as part of the plugins library,
or you can view it here:
http://www.securityspace.com/smysecure/viewsrc.html?id=10713

This is of course independent of the vulnerability test itself
that you mentioned, which is a different beast, and a different
testid (iis_isapi_overflow.nasl, script id 10685).

Cheers, Thomas

"Reeves, Michael (GEAE, Compaq)" wrote:
>
> This might have already been discussed but I am having trouble reaching the
> archives so I will just post. I am wondering if there are any codered
> specific plugins floating around out there. Also one that would detect if
> the system was actually compromised. (/scripts/root.exe etc.) I am currently
> using the idq filter check and it comes up but the box is patched. The
> current plugin just tells you that the .ida extension is still mapped. Well
> this could be valid on a box that is running index server legitimately. Any
> pointers would be great thanks,
>
> Mike

--
------------------------------------------------------------
Thomas Reinke Tel: (905) 331-2260
Director of Technology Fax: (905) 331-2504
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com
RE: Code Red Plugin
OK, I have the plugin enabled for finding already exploited boxes. Here is my
dilemma though. Right now I am doing daily scans of a few of our class B
networks with eEye and I want to include the vulnerability check. We have
several boxes that are running index server. When I say several I mean a
couple hundred. Instead of adding these to the filter list I just want to do a
check for whether it is vuln. I have the signature if anyone is experienced in
writing these mugs.

Mike

-----Original Message-----
From: Thomas Reinke [mailto:reinke@e-softinc.com]
Sent: Tuesday, August 14, 2001 2:28 PM
To: Reeves, Michael (GEAE, Compaq)
Cc: 'nessus@list.nessus.org'
Subject: Re: Code Red Plugin


Already out there, scriptid 10713, called "codered_x.nasl".
It detects systems that have been compromised by trying to
get a directory listing off the remote platform.

Keep an eye on the URL http://scripts.nessus.org/ - new tests
are listed there. Code red is no longer on this, because it's
already been wrapped up into the latest stable release, 1.0.9

The source can be downloaded as part of the plugins library,
or you can view it here:
http://www.securityspace.com/smysecure/viewsrc.html?id=10713

This is of course independent of the vulnerability test itself
that you mentioned, which is a different beast, and a different
testid (iis_isapi_overflow.nasl, script id 10685).

Cheers, Thomas

"Reeves, Michael (GEAE, Compaq)" wrote:
>
> This might have already been discussed but I am having trouble reaching the
> archives so I will just post. I am wondering if there are any codered
> specific plugins floating around out there. Also one that would detect if
> the system was actually compromised. (/scripts/root.exe etc.) I am currently
> using the idq filter check and it comes up but the box is patched. The
> current plugin just tells you that the .ida extension is still mapped. Well
> this could be valid on a box that is running index server legitimately. Any
> pointers would be great thanks,
>
> Mike

--
------------------------------------------------------------
Thomas Reinke Tel: (905) 331-2260
Director of Technology Fax: (905) 331-2504
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com