Ok...we've "caught" a couple of these in the wild, and unless they are all faked backdoors, we can confirm that connecting to an infected system does not reveal a banner of any sort, nor will sending a variety of strings such as web server requests, etc. elicit a response.
Without actual analysis of the protocol through a captured binary (which we have, but honestly don't have the time to reverse engineer), we suspect that you need to know the exact commands to send in order to elicit a response. If someone else has the time to rip it apart, be my guest. Without that assessment, we won't be able to do much better than connecting to the port in question.

Thomas

Michel Arboi wrote:
> Thomas Reinke <[EMAIL PROTECTED]> writes:
>
>> Enjoy.
>
> Shouldn't we test at least that a web server is running on the 36794
> port? And the banner, if any...
>
> Something like:
>   svc = known_service(port: 36794);
>   if (svc == "http") security_hole(36794);
>
> Note that this works only if find_service looked at the port.
>
> BTW, I updated my "false positive generator" :-)
> http://mapage.noos.fr/arboi/trojan_horses.nasl
>
> -
> [EMAIL PROTECTED]: general discussions about Nessus.
> * To unsubscribe, send a mail to [EMAIL PROTECTED] with
> "unsubscribe nessus" in the body.
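The check the post describes, connecting to the port and seeing whether anything comes back, as an added Python example (not code from the thread or from Nessus, which would use NASL): it classifies a port as closed, banner-on-connect, responding to a probe, or open-but-silent, the last being all that can be observed here. The probe strings and the local listener used to exercise it offline are constructed assumptions.

```python
import socket
import threading
# Constructed probe set (assumption): the kind of "variety of strings" tried.
PROBES = [b"\r\n", b"GET / HTTP/1.0\r\n\r\n", b"HELP\r\n"]

def _recv(sock):
    """Return data arriving before the timeout, b'' on timeout or EOF."""
    try:
        return sock.recv(1024)
    except OSError:  # socket.timeout is a subclass of OSError
        return b""

def probe_port(host, port, timeout=2.0):
    """Classify host:port as 'closed', 'banner', 'responds' or 'silent'; 'silent'
    (accepts but never answers) is all a scanner sees of this backdoor."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        sock.settimeout(timeout)
        if _recv(sock):
            return "banner"
        for probe in PROBES:
            try:
                sock.sendall(probe)
            except OSError:
                break
            if _recv(sock):
                return "responds"
    return "silent"

def start_listener(banner=b"", reply=b"", hold=5.0):
    """Constructed local listener: `banner` on connect, `reply` to the first
    probe, otherwise quiet for `hold` seconds (lets probe_port run offline)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.settimeout(hold)
            if banner:
                conn.sendall(banner)
            if _recv(conn) and reply:
                conn.sendall(reply)
            _recv(conn)  # keep the connection open while the client probes
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A "silent" result only says the port is open and unresponsive to these probes; on its own it is an indicator to follow up, not confirmation of the backdoor.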
