On Monday 24 June 2002 08:59, Gilbert, Austin wrote:
> >"Possible Backdoors:
> >FireDaemon.exe" Port 2301. The entire box was
> >searched, and the file was absent.
> After carefully examining the "directory" listing on the web page, and
> verifying that none of the files were physically located on the
> server, I began inspecting the plugins that ran. The content of one
> in particular matched up with the new content on our Insight Manager
> web page: DDI_IIS_Compromised.nasl. Interesting.

I have seen the FireDaemon.exe check giving out false positives on the Compaq Web Agents services; I need to change the match pattern to something besides just "FireDaemon". I think the Compaq web service is spitting back an error containing the name of the request. Can you send me the complete output from the plugin?

Has this plugin caused any other false positives? Every check has a defined match pattern to look for (vs a 200/404 check), so there may be a couple whose match patterns are triggered by web server error responses containing the name of the requested file. I have had good luck with this plugin for the most part; it has found some traces which would have never been identified remotely otherwise. Any bug reports or suggestions for improvement are appreciated ;)

-HD
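
The false positive discussed in this message, as an added example that is not part of the original e-mail and is not Nessus plugin code: a body-only pattern match fires on an error page that echoes the requested file name, while a check that first removes the echoed request does not. The request path, function names and response bodies are constructed for illustration.

```python
import html
import re


def naive_check(body: str, pattern: str) -> bool:
    """Report a finding whenever the match pattern appears anywhere in the body."""
    return pattern.lower() in body.lower()


def echo_aware_check(body: str, pattern: str, requested_path: str) -> bool:
    """Report a finding only if the pattern is still present after every
    echo of the request (full path or bare file name) has been removed."""
    cleaned = html.unescape(body)  # some servers HTML-escape the echoed path
    filename = requested_path.rsplit("/", 1)[-1]
    # Strip the longer string first so the full path is not left half-removed.
    for echoed in sorted({requested_path, filename}, key=len, reverse=True):
        if echoed:
            cleaned = re.sub(re.escape(echoed), "", cleaned, flags=re.IGNORECASE)
    return pattern.lower() in cleaned.lower()


# Constructed inputs: a hypothetical request path and two sample bodies.
REQUEST = "/scripts/FireDaemon.exe"
PATTERN = "FireDaemon"
ERROR_PAGE = (
    "<html><body>Error: the requested file /scripts/FireDaemon.exe "
    "was not found on this server.</body></html>"
)
GENUINE_PAGE = "<html><body>FireDaemon Service Manager is running</body></html>"

if __name__ == "__main__":
    for name, body in (("error page", ERROR_PAGE), ("genuine page", GENUINE_PAGE)):
        print(name,
              "naive:", naive_check(body, PATTERN),
              "echo-aware:", echo_aware_check(body, PATTERN, REQUEST))
```

The stricter check trades some sensitivity: a response whose only evidence is the requested file name itself is no longer reported, so it suits checks where the match pattern overlaps the request.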
