Just finished the plugin overhaul. The new plugin has a built-in URL cache 
to prevent requests for the same file twice, a new reporting system that 
actually describes what each file is, and a ton of new signatures for 
things I have found or people have submitted. 

Sample Output
===========

One or more copies of the Windows command interpreter were found, it can 
be used to execute arbitrary commands on this server through the web.

One or more copies of the server-side component of the 'iise.exe' exploit 
were found, it is used to gain a remote command shell with SYSTEM 
privileges over the web port.

One or more copies of the Windows command line FTP utility were found, it 
is often left in the web root as part of an automated attack.

One or more copies of the 'upload.asp' script were found, this ASP script 
can be used to upload files to the server over the web, often used by 
crackers when the target is firewalled.

One or more DLL files were found which indicate the presence of the 'Remote 
Administrator' tool. This tool is used to gain remote access to a 
compromised server.

One or more copies of the 'kill.exe' executable were found, this tool is 
used for terminating processes, it was originally bundled with the 
Windows Resource Kits and has become a favorite of crackers.

One or more copies of the 'hk.exe' exploit were found, it is used to gain 
SYSTEM privileges on a web server already compromised through another 
method.

One or more copies of the 'list.exe' executable were found, this tool is 
used for enumerating processes, it was originally bundled with the 
Windows Resource Kits and has become a favorite of crackers.

One or more DLL files were found which appear to be part of the 'NewGina.dll' 
password logging toolkit.

One or more copies of the 'iiscrack.dll' exploit were found, it is used to 
gain SYSTEM privileges on a web server already compromised through 
another method.



Details:
cmd.exe - /scripts/1.exe
cmd.exe - /scripts/stromake.exe
cmd.exe - /scripts/superlol.exe
cmd.exe - /scripts/cmd1.exe
iise.exe - /scripts/idq.dll
ftp.exe - /scripts/2.exe
upload.asp - /scripts/upload.asp
radmin - /scripts/admdll.dll
radmin - /scripts/raddrv.dll
kill.exe - /scripts/kill.exe
hk.exe - /scripts/hk.exe
list.exe - /scripts/list.exe
newgina.dll - /scripts/newgina.dll
iiscrack.dll - /scripts/httpodbc.dll



On Tuesday 26 November 2002 03:03 pm, Mark G. Spencer wrote:
> I just ran Nessus 1.2.6 (partial scan) against a local Windows 2000 DNS
> Server and Nessus reported (in addition to all kinds of services
> running):
>
> "Possible Backdoors:
> iiscrack.dll - /scripts/httpodbc.dll
> iise.exe - /scripts/idq.dll"
#
# This script was written by H D Moore <[EMAIL PROTECTED]>
# 


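if(description)
{
    # Plugin registration: id, version, names, description and metadata
    # shown by the Nessus client.  Nothing below this block runs while the
    # scanner is only collecting plugin descriptions.
    script_id(11003);
    script_version ("$Revision: 1.7 $");

    plugin_name = "IIS Possible Compromise";
    script_name(english:plugin_name, francais:plugin_name);

    # Generic report text; the per-file explanation is assembled at run
    # time by add_report() from the 'reports' table.
    plugin_desc = "
One or more files were found on this host that 
indicate a possible compromise.   

Solution: Investigate the discovered files

Risk factor : High   
";
    script_description(english:plugin_desc);

    plugin_summary = "Searches for traces of a system compromise.";
    script_summary(english:plugin_summary, francais:plugin_summary);

    # ACT_ATTACK: the IISE probe (iisecheck) really triggers the backdoor
    # it looks for, and the GET probes run the found binaries, so this is
    # not a safe check.
    script_category(ACT_ATTACK);

    # fixed: the French copyright string was split across two lines by
    # mail wrapping, leaving a stray newline inside the literal
    script_copyright( english:"This script is Copyright (C) 2002 Digital Defense Inc.",
                      francais:"Ce script est Copyright (C) 2002 Digital Defense Inc.");

    plugin_family = "Backdoors";
    script_family(english:plugin_family, francais:plugin_family);

    # webmirror.nasl fills www/<port>/content/directories/N, which
    # initialize_dirs() walks to build the directory list to probe
    script_dependencie("webmirror.nasl");
    script_require_keys("www/iis");
    exit(0);
}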

#
# The script code starts here
#

include("http_func.inc");


# GET url+arg and look for regex 'pat' anywhere in the reply (headers
# and up to 8 KiB of body).  Returns TRUE on a match, FALSE otherwise.
# A 404 status line caches the bare url (without arg) so that no other
# test re-requests the same file; that is the key the main loop checks.
# NOTE(review): only the 404 status line is recognised as "absent".  A
# custom "not found" page served with 200 is neither cached nor
# distinguished from a real hit, so a page that merely contains the
# pattern text (e.g. the word "Windows") will be reported.
function check(url, arg, pat)
{
    request = http_get(item:string(url, arg), port:port);
    sock = open_sock_tcp(port);
    if (! sock) return(FALSE);

    send(socket:sock, data:request);
    reply = http_recv(socket:sock, bodylength:8192);
    http_close_socket(sock);

    # remember files that do not exist so later tests skip them
    if (ereg(pattern:"HTTP/1\.[01] 404", string:reply))
    {
        add_cache(url:url);
        return(FALSE);
    }

    if (ereg(string:reply, pattern:pat))
    {
        if (debug) display("found '", pat, "' for ", url, " [", arg, "]\n");
        return(TRUE);
    }

    return(FALSE);
}

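# HEAD 'req' and return TRUE when the status line is 2xx or 502, FALSE
# otherwise.  Used at start-up against a sentinel name that should not
# exist; a TRUE there means HEAD cannot tell present from absent on this
# server and the HEAD method is disabled for the run (ValidHead).
# NOTE(review): no test in the 'method' table currently uses "HEAD", so
# in practice this only runs for the sentinel.
function headcheck(req)
{
    request = http_head(item:req, port:port);
    sock = open_sock_tcp(port);
    if (! sock) return(FALSE);

    send(socket:sock, data:request);
    status = recv_line(socket:sock, length:512);
    # fixed: the socket was leaked on every match (close() was only
    # reached on the FALSE path)
    close(sock);

    if (ereg(pattern:"^HTTP/1\.[01] (2|502)", string:status))
    {
        if (debug) display("HEAD FOUND: ", req, "\n");
        return(TRUE);
    }
    return(FALSE);
}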

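# GET a DLL path and classify IIS's reply.  "module could not be found"
# means the file is not there: cache it and return FALSE.  "procedure
# could not be found" means the DLL is present but IIS could not run it
# as an extension (presumably because it is not an ISAPI DLL at all),
# which is what a dropped tool DLL looks like: return TRUE.  Anything
# else returns FALSE without caching.
# The same probe is run at start-up against a sentinel name; a TRUE
# there disables the DLL method for the run (ValidDLL).
function dllcheck(req)
{
    request = http_get(item:req, port:port);
    sock = open_sock_tcp(port);
    if (! sock) return(FALSE);

    send(socket:sock, data:request);
    reply = http_recv(socket:sock, bodylength:1024);
    # fixed: the socket was leaked on every match (close() was only
    # reached on the FALSE path)
    close(sock);

    # cache missing DLLs so no other test re-requests them
    if ("module could not be found" >< reply) add_cache(url:req);

    if ("procedure could not be found" >< reply)
    {
        # fixed: this used to print the main loop's global 'url', which is
        # unset when dllcheck() is called for the sentinel
        if (debug) display("DLL FOUND: ", req, "\n");
        return(TRUE);
    }
    return(FALSE);
}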


# this exploit hijacks the socket used to make the
# web request, spawning a command shell over it, so we
# can't use the normal detection methods
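# Probe for the server side of the 'iise' exploit.  Requesting the DLL
# makes a live backdoor answer "We Got It" and hand a shell over the
# same TCP connection, so the first line is read raw (20 s timeout)
# instead of being parsed as HTTP.  On a hit an "exit" is sent to shut
# the spawned shell down and TRUE is returned.  Otherwise the reply is
# read as HTTP: a 404 status line or "module could not be found" caches
# the url as absent; either way FALSE is returned.
# NOTE(review): this really executes the backdoor on the target.  If
# the "exit" is not honoured, a shell may be left running; there is no
# way to verify that from here.
function iisecheck(req)
{
    request = http_get(item:req, port:port);
    sock = open_sock_tcp(port);
    if (! sock) return(FALSE);

    send(socket:sock, data:request);
    banner = recv_line(socket:sock, length:16384, timeout:20);

    if (ereg(pattern:"We Got It", string:banner))
    {
        # we are talking to the spawned shell: tell it to go away
        send(socket:sock, data:string("\r\n\r\nexit\r\n\r\n"));
        close(sock);
        return(TRUE);
    }

    # ordinary HTTP reply
    body = http_recv(socket:sock, bodylength:8192);
    # fixed: the socket was leaked when the url was cached as absent
    # (the old code returned before reaching close())
    close(sock);

    if (ereg(pattern:"HTTP/1\.[01] 404", string:banner) ||
        ereg(pattern:"module could not be found", string:body))
    {
        add_cache(url:req);
    }
    return(FALSE);
}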

#
# directory list management
#

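# directories to probe: "/" is preset, webmirror's findings and "/scripts"
# are appended through add_dir_list()
dirs[0] = "/";
# fixed: num_dirs must count the preset entry.  With num_dirs = 0 the
# first add_dir_list() call overwrote dirs[0], so the web root itself
# was never probed unless webmirror happened to list it.
num_dirs = 1;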

# Copy the directories webmirror.nasl stored under
# www/<port>/content/directories/0, /1, ... into the 'dirs' list,
# stopping at the first empty slot.  Returns the number of KB entries
# read (duplicates are dropped by add_dir_list, so this may exceed the
# number actually added).
function initialize_dirs ()
{
    kb_idx = 0;
    kb_key = string("www/", port, "/content/directories/", kb_idx);
    kb_val = get_kb_item(kb_key);

    while (kb_val)
    {
        if (debug) display("adding discovered directory: ", kb_key, " => ", kb_val, "\n");
        add_dir_list(dir:kb_val);

        kb_idx = kb_idx + 1;
        kb_key = string("www/", port, "/content/directories/", kb_idx);
        kb_val = get_kb_item(kb_key);
    }
    return(kb_idx);
}

# Return 1 when 'dir' is already in the 'dirs' list, 0 otherwise.  The
# list is scanned up to its first empty slot.
function check_dir_list (dir)
{
    dir_hit = 0;
    for (di = 0; dirs[di] && ! dir_hit; di = di + 1)
    {
        if (dirs[di] == dir) dir_hit = 1;
    }
    return(dir_hit);
}

# Append 'dir' to the 'dirs' list unless it is already there.
function add_dir_list (dir)
{
    if (check_dir_list(dir:dir)) return;
    dirs[num_dirs] = dir;
    num_dirs = num_dirs + 1;
}

#
# cached url list management
#

# urls known to be absent or already reported; cache[0] starts as 0 so
# the 'cache[i]' loop condition in check_cache() stops immediately on an
# empty cache
num_cache = 0;
cache[0] = 0;

# Return 1 when 'url' is in the cache, 0 otherwise.  The cache is
# scanned up to its first empty slot.
function check_cache (url)
{
    cache_hit = 0;
    for (ci = 0; cache[ci] && ! cache_hit; ci = ci + 1)
    {
        if (cache[ci] == url) cache_hit = 1;
    }
    return(cache_hit);
}

# Add 'url' to the cache.  Returns 1 when it was added, 0 when it was
# already present.
function add_cache (url)
{
    if (check_cache(url:url)) return(0);
    cache[num_cache] = url;
    num_cache = num_cache + 1;
    return(1);
}

#
# report management
#

# report state: urls already listed (so one file appears once even when
# several tests match it), the tests whose explanation has been emitted,
# and the two halves of the report -- explanations on top, "name - url"
# lines under "Details:"
reported_urls_cnt = 0;
reported_urls[0] = 0;

reported_tests[0] = 0;

report_footer = "";
report_header = "";

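# Return 1 when 'url' has already been reported.  Otherwise record it
# and return 0.  Note the side effect: the first call for a url marks it
# as reported, so callers must only ask once per hit (add_report does).
function reported(url)
{
    for (rep_idx = 0; rep_idx < reported_urls_cnt; rep_idx = rep_idx + 1)
    {
        if (reported_urls[rep_idx] == url) return(1);
    }

    reported_urls[reported_urls_cnt] = url;
    reported_urls_cnt = reported_urls_cnt + 1;
    # fixed: dropped the unused 'found_it' local and made the "not yet
    # reported" result an explicit 0 instead of falling off the end
    return(0);
}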

# Record a hit of test 'name' at 'url'.  The test's explanation from the
# 'reports' table goes into the header once; every distinct url gets a
# "name - url" line in the footer; the global 'report' is rebuilt from
# both.  A url that was already reported is ignored.
function add_report(name, url)
{
    if (reported(url:url)) return;

    # first hit for this test: emit its explanation once
    if (! reported_tests[name])
    {
        report_header = report_header + string(reports[name], "\n\n");
        reported_tests[name] = 1;
    }

    report_footer = report_footer + string(name, " - ", url, "\n");
    report = string(report_header, "\n\nDetails:\n", report_footer);
}


# for convenience
dblquot = raw_string(0x22);



##############
# test index #
##############

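# Ordered list of test names.  The main loop walks this until the first
# empty slot, so the indices must stay contiguous.
# fixed: slot 9 was assigned twice ("dtreg.exe" then "kill.exe"), so the
# dtreg.exe test was silently never run.
tests[0]    = "cmd.exe";
tests[1]    = "nc.exe";
tests[2]    = "iise.exe";
tests[3]    = "ftp.exe";
tests[4]    = "pwdump.exe";
tests[5]    = "cmd.asp";
tests[6]    = "upload.asp";
tests[7]    = "cmd.jsp";
tests[8]    = "radmin";
tests[9]    = "dtreg.exe";
tests[10]   = "kill.exe";
tests[11]   = "hk.exe";
tests[12]   = "list.exe";
tests[13]   = "newgina.dll";
tests[14]   = "iiscrack.dll";
tests[15]   = "vnc";
tests[16]   = "pwdump2.exe";
tests[17]   = "pwdump3.exe";
tests[18]   = "servuftpd";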


################
# method table #
################

# How each test probes a candidate url (see the main loop):
#   GET  - check(): request with the test's args and grep for its pattern
#   DLL  - dllcheck(): classify IIS's "module/procedure could not be
#          found" replies; skipped when the sentinel test set ValidDLL = 0
#   IISE - iisecheck(): the backdoor answers on the request socket itself
#   HEAD - headcheck(); no test uses it at present
# Listed in the same order as the 'tests' index.
method["cmd.exe"]       = "GET";
method["nc.exe"]        = "GET";
method["iise.exe"]      = "IISE";       # this one needs its own method
method["ftp.exe"]       = "GET";
method["pwdump.exe"]    = "GET";
method["cmd.asp"]       = "GET";
method["upload.asp"]    = "GET";
method["cmd.jsp"]       = "GET";
method["radmin"]        = "DLL";
method["dtreg.exe"]     = "GET";
method["kill.exe"]      = "GET";
method["hk.exe"]        = "GET";
method["list.exe"]      = "GET";
method["newgina.dll"]   = "DLL";
method["iiscrack.dll"]  = "GET";
method["vnc"]           = "DLL";
method["pwdump2.exe"]   = "DLL";
method["pwdump3.exe"]   = "DLL";
method["servuftpd"]     = "DLL";

###################
# arguments table #
###################

# Query string appended to the url by check() for GET tests.  These are
# real command lines: cmd.exe echoes %OS%, nc/pwdump/ftp print their
# usage, hk.exe is given a dummy argument.  Non-GET tests take none.
# Listed in the same order as the 'tests' index.
args["cmd.exe"]         = "?/c+echo+%25OS%25";
args["nc.exe"]          = "?-h";
args["iise.exe"]        = "";
args["ftp.exe"]         = "?/c+-h";
args["pwdump.exe"]      = "?-h";
args["cmd.asp"]         = "";
args["upload.asp"]      = "";
args["cmd.jsp"]         = "";
args["radmin"]          = "";
args["dtreg.exe"]       = "";
args["kill.exe"]        = "";
args["hk.exe"]          = "?boom";
args["list.exe"]        = "";
args["newgina.dll"]     = "";
args["iiscrack.dll"]    = "";
args["vnc"]             = "";
args["pwdump2.exe"]     = "";
args["pwdump3.exe"]     = "";
args["servuftpd"]       = "";

##################
# patterns table #
##################

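# Regex check() greps for in the whole HTTP reply of a GET test.  The
# DLL and IISE methods do not use a pattern and leave it empty.
# NOTE(review): these are unanchored and are matched against headers and
# body alike.  Very short ones ("Windows", ".CMD" where '.' matches any
# character) will also fire on an ordinary page that merely contains the
# text, because check() only treats a 404 status line as "absent".
pats["cmd.exe"]          = "Windows";
pats["nc.exe"]           = "this cruft";
pats["iiscrack.dll"]     = "www.digitaloffense.net|Default MFC Web Server Extension";
pats["ftp.exe"]          = "Suppresses display of remote server";
# fixed: the third alternative was broken across two lines by mail
# wrapping, leaving a newline inside the regex that could never match
pats["pwdump.exe"]       = "You must be running as user|Pwdump2 - dump|software based on pwdump2";
pats["cmd.asp"]          = ".CMD";
pats["upload.asp"]       = string("type=", dblquot, "file", dblquot);
pats["cmd.jsp"]          = "COMMANDLINE";
pats["radmin"]           = "";
pats["dtreg.exe"]        = "Syntax: DtReg";
pats["kill.exe"]         = "missing pid or task name";
pats["hk.exe"]           = "lsass pid";
pats["list.exe"]         = "System Process";
pats["newgina.dll"]      = "";
pats["iise.exe"]         = ""; 
pats["vnc"]              = "";
pats["pwdump2.exe"]      = "";
pats["pwdump3.exe"]      = "";
pats["servuftpd"]        = "";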


##############
# file table #
##############

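# Candidate file names per test, keyed "<test>_<n>" with n contiguous
# from 0; the main loop stops at the first gap.  Several names recur
# across tests (1.exe, httpodbc.dll ...) because attackers rename tools
# freely; the per-test pattern or reply check decides what a hit is.
# The iise.exe and iiscrack.dll lists deliberately contain the names of
# legitimate IIS ISAPI DLLs, since the exploits are installed by
# overwriting one of them; a stock DLL does not produce the matching
# reply and so is not reported.
# fixed: "cmd.exe_9" was assigned twice, so bip.exe was never probed.
files["cmd.exe_0"]      = "cmd.exe";
files["cmd.exe_1"]      = "root.exe";
files["cmd.exe_2"]      = "bin.exe";
files["cmd.exe_3"]      = "shell.exe";
files["cmd.exe_4"]      = "hack.exe";
files["cmd.exe_5"]      = "1.exe";
files["cmd.exe_6"]      = "2.exe";
files["cmd.exe_7"]      = "3.exe";
files["cmd.exe_8"]      = "4.exe";
files["cmd.exe_9"]      = "bip.exe";
files["cmd.exe_10"]     = "stromake.exe";
files["cmd.exe_11"]     = "superlol.exe";
files["cmd.exe_12"]     = "cmd1.exe";

files["nc.exe_0"]       = "nc.exe";
files["nc.exe_1"]       = "ncx.exe";
files["nc.exe_2"]       = "netcat.exe";

files["iise.exe_0"]  = "iise.dll";
files["iise.exe_1"]  = "httpodbc.dll";
files["iise.exe_2"]  = "idq.dll";
files["iise.exe_3"]  = "httpext.dll";
files["iise.exe_4"]  = "ssinc.dll";
files["iise.exe_5"]  = "msw3prt.dll";
files["iise.exe_6"]  = "author.dll";
files["iise.exe_7"]  = "admin.dll";
files["iise.exe_8"]  = "shtml.dll";
files["iise.exe_9"]  = "sspifilt.dll";
files["iise.exe_10"] = "compfilt.dll";
files["iise.exe_11"] = "pwsdata.dll";
files["iise.exe_12"] = "md5filt.dll";
files["iise.exe_13"] = "fpexedll.dll";

files["iiscrack.dll_0"]  = "iiscrack.dll";
files["iiscrack.dll_1"]  = "httpodbc.dll";
files["iiscrack.dll_2"]  = "idq.dll";
files["iiscrack.dll_3"]  = "httpext.dll";
files["iiscrack.dll_4"]  = "ssinc.dll";
files["iiscrack.dll_5"]  = "msw3prt.dll";
files["iiscrack.dll_6"]  = "author.dll";
files["iiscrack.dll_7"]  = "admin.dll";
files["iiscrack.dll_8"]  = "shtml.dll";
files["iiscrack.dll_9"]  = "sspifilt.dll";
files["iiscrack.dll_10"] = "compfilt.dll";
files["iiscrack.dll_11"] = "pwsdata.dll";
files["iiscrack.dll_12"] = "md5filt.dll";
files["iiscrack.dll_13"] = "fpexedll.dll";

files["ftp.exe_0"]      = "ftp.exe";
files["ftp.exe_1"]      = "ftpx.exe";
files["ftp.exe_2"]      = "1.exe";
files["ftp.exe_3"]      = "2.exe";
files["ftp.exe_4"]      = "3.exe";
files["ftp.exe_5"]      = "4.exe";

files["pwdump.exe_0"]   = "pwdump.exe";
files["pwdump.exe_1"]   = "pwdump2.exe";
files["pwdump.exe_2"]   = "pwdump3.exe";

files["cmd.asp_0"] = "cmdasp.asp";
files["cmd.asp_1"] = "cmd.asp";
files["cmd.asp_2"] = "shell.asp";
files["cmd.asp_3"] = "own.asp";
files["cmd.asp_4"] = "0wn.asp";
files["cmd.asp_5"] = "exec.asp";

files["upload.asp_0"] = "upload.asp";
files["upload.asp_1"] = "uploadx.asp";
files["upload.asp_2"] = "up.asp";
files["upload.asp_3"] = "file.asp";
files["upload.asp_4"] = "fx.asp";

files["cmd.jsp_0"] = "cmd.jsp";
files["cmd.jsp_1"] = "shell.jsp";
files["cmd.jsp_2"] = "own.jsp";
files["cmd.jsp_3"] = "hack.jsp";
files["cmd.jsp_4"] = "exec.jsp";

files["radmin_0"]    = "admdll.dll";
files["radmin_1"]    = "raddrv.dll";

files["dtreg.exe_0"] = "dtreg.exe";

files["kill.exe_0"] = "kill.exe";
files["kill.exe_1"] = "tkill.exe";
files["kill.exe_2"] = "pkill.exe";

files["hk.exe_0"] = "hk.exe";
files["hk.exe_1"] = "h.exe";

files["list.exe_0"] = "list.exe";
files["list.exe_1"] = "tlist.exe";
files["list.exe_2"] = "plist.exe";

files["newgina.dll_0"] = "newgina.dll";

files["vnc_0"]  = "vnchooks.dll";
files["vnc_1"]  = "omnithread_rt.dll";

files["pwdump2.exe_0"] = "samdump.dll"; 

files["pwdump3.exe_0"] = "lsaext.dll";

files["servuftpd_0"] = "jasfv.dll";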

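# Explanation emitted once per test that fires; add_report() puts it in
# the report header.
# fixed: "One more DLL files" -> "One or more DLL files", "exectute" ->
# "execute", and the cmd.jsp text named the script 'jsp.cmd'.  The
# strings are also rejoined onto single lines (they had been split by
# mail wrapping, which put stray newlines into the report text).
reports["cmd.exe"]       = "One or more copies of the Windows command interpreter were found, it can be used to execute arbitrary commands on this server through the web.";
reports["nc.exe"]        = "One or more copies of the 'netcat.exe' tool were found, it can be used to either listen for or establish network connections, it includes the ability to run an arbitrary command across that connection.";
reports["iiscrack.dll"]  = "One or more copies of the 'iiscrack.dll' exploit were found, it is used to gain SYSTEM privileges on a web server already compromised through another method.";
reports["ftp.exe"]       = "One or more copies of the Windows command line FTP utility were found, it is often left in the web root as part of an automated attack.";
reports["pwdump.exe"]    = "One or more copies of 'pwdump' were found, it is used to dump the encrypted password hashes from a Windows server.";
reports["cmd.asp"]       = "One or more copies of the 'cmd.asp' script were found, this ASP script can be used to execute commands over the web, on IIS 4.0 it executes with SYSTEM privileges.";
reports["upload.asp"]    = "One or more copies of the 'upload.asp' script were found, this ASP script can be used to upload files to the server over the web, often used by crackers when the target is firewalled.";
reports["cmd.jsp"]       = "One or more copies of the 'cmd.jsp' script were found, this JSP script can be used to execute commands over the web.";
reports["radmin"]        = "One or more DLL files were found which indicate the presence of the 'Remote Administrator' tool. This tool is used to gain remote access to a compromised server.";
reports["dtreg.exe"]     = "One or more copies of the 'dtreg.exe' executable were found, this tool is used to edit the registry, often included in batch scripts which install a backdoor.";
reports["kill.exe"]      = "One or more copies of the 'kill.exe' executable were found, this tool is used for terminating processes, it was originally bundled with the Windows Resource Kits and has become a favorite of crackers.";
reports["hk.exe"]        = "One or more copies of the 'hk.exe' exploit were found, it is used to gain SYSTEM privileges on a web server already compromised through another method.";
reports["list.exe"]      = "One or more copies of the 'list.exe' executable were found, this tool is used for enumerating processes, it was originally bundled with the Windows Resource Kits and has become a favorite of crackers.";
reports["newgina.dll"]   = "One or more DLL files were found which appear to be part of the 'NewGina.dll' password logging toolkit.";
reports["iise.exe"]      = "One or more copies of the server-side component of the 'iise.exe' exploit were found, it is used to gain a remote command shell with SYSTEM privileges over the web port.";
reports["vnc"]           = "One or more DLL files were found which indicate the presence of the 'VNC' remote administration utility.";
reports["pwdump2.exe"]   = "One or more DLL files were found which indicate the presence of the 'pwdump2.exe' password hash dumping tool.";
reports["pwdump3.exe"]   = "One or more DLL files were found which indicate the presence of the 'pwdump3.exe' password hash dumping tool.";
reports["servuftpd"]     = "One or more DLL files were found which indicate the presence of the 'ServUFTPD' FTP server, commonly used by crackers to setup rogue FTP services on compromised hosts.";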


#
# initialize the plugin
#

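# per-request tracing via display(); still on in this revision, set to 0
# for quiet scans
debug = 1;

report = "";
port = get_kb_item("Services/www");
if (! port) port = 80;
# fixed: bail out when the port scanner found the port closed.  Every
# probe below opens its own connection, and the IISE probe waits up to
# 20 s per file, so scanning a closed port only burned time.
if (! get_port_state(port)) exit(0);

# "/" is preset in 'dirs'; add what webmirror found, then /scripts
initialize_dirs();
add_dir_list(dir:"/scripts");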

#
# prevent false positives
#

# False-positive guard: probe a name that should not exist.  If the
# server "finds" it by HEAD status or answers a DLL request as if the
# file were present, that method cannot tell present from absent here
# and is switched off for the rest of the run.
sentinel = "/CompromisedScan.dll";
ValidHead = 1;
ValidDLL = 1;
if (headcheck(req:sentinel)) ValidHead = 0;
if (dllcheck(req:sentinel)) ValidDLL = 0;


#
# the main loop
#

# For every test, every directory and every candidate file name, build
# the url, skip it if it is cached (known absent or already reported),
# otherwise run the probe the test's method selects.  A hit is added to
# the report and cached so no later test re-requests the same url.
# 'url' is a global that dllcheck()'s debug output also reads.
for (ti = 0; tests[ti]; ti = ti + 1)
{
    cur_test = tests[ti];
    cur_meth = method[cur_test];
    cur_args = args[cur_test];
    cur_pat  = pats[cur_test];

    if (debug) display("running test ", ti, " (", cur_test, ")", " [", cur_pat, "]\n");

    for (di = 0; dirs[di]; di = di + 1)
    {
        # files[<test>_0], files[<test>_1], ... up to the first gap
        for (fi = 0; files[string(cur_test, "_", fi)]; fi = fi + 1)
        {
            filename = files[string(cur_test, "_", fi)];

            if (dirs[di] == "/") url = string("/", filename);
            else url = string(dirs[di], "/", filename);

            if (check_cache(url:url))
            {
                if (debug) display("ignoring cached url ", url, "\n");
            }
            else
            {
                hit = 0;
                if (cur_meth == "GET")  hit = check(url:url, arg:cur_args, pat:cur_pat);
                if (cur_meth == "HEAD" && ValidHead == 1) hit = headcheck(req:url);
                if (cur_meth == "DLL"  && ValidDLL == 1)  hit = dllcheck(req:url);
                if (cur_meth == "IISE") hit = iisecheck(req:url);

                if (hit)
                {
                    add_report(name:cur_test, url:url);
                    add_cache(url:url);
                }
            }
        }
    }
}

if (strlen(report)) security_hole(port:port, data:report);
