Really interesting results, especially because the majority of the requests that plugin makes require a specific response pattern to trigger the vulnerability. For instance, requesting /images/ftp.exe should only result in an entry being added to the report if the string "Suppresses display of remote server" is found in the response.
The only thing I can think of is that the web server is returning no response at all, so the ereg() call is using a NULL string to match the pattern against, causing ALL of them to trigger. This should have been fixed in one of the recent releases of Nessus. What version are you running?

The results you posted weren't complete, many of the "found" files are not listed in the report details (upload.asp, iiscrack.dll, etc). The no404.nasl dependency doesn't make much difference, as long as the webmirror and directory scanner plugins run first.

-HD

On Tuesday 27 May 2003 03:00 pm, Edmundson, Miles B. wrote:
> As part of our penetration testing for a client, we received the
> following results of a Nessus scan. The results appear to indicate a
> machine that has been hacked. I have NOT seen results like this
> before.
> When we contacted the client to examine this machine, they reported
> that the machine did NOT show any of the findings of the report. In
> addition, they examined the machine locally, and coming across the
> network.
> My question is:
> Has anyone else seen these sorts of results where they were false
> positives?
>
> A sample of the report (not the entire report) is listed below:
>
>
> NESSUS SECURITY SCAN REPORT
>
> Created 22.05.2003 Sorted by host names
>
> Session Name : XXXXXXXXXXXX
> Start Time : 22.05.2003 12:56:28
> Finish Time : 22.05.2003 13:31:18
> Elapsed Time : 0 day(s) 00:34:49
>
>
> Total security holes found : 23
> high severity : 4
> low severity : 11
> informational : 8
>
>
> Scanned hosts:
>
> Name            High   Low   Info
> ------------------------------------------------
> 192.168.1.2     4      6     5
>
> Host: 192.168.1.2
>
> Open ports:
>
> general/icmp
> www (80/tcp)
> general/tcp
> ftp (21/tcp)
> unknown (80/tcp)
>
>
> Service: unknown (80/tcp)
> Severity: High
>
> One or more copies of the Windows command line FTP utility were found,
> it is often left in the web root as part of an automated attack.
>
> One or more copies of 'pwdump' were found,it is used to dump the
> encrypted password hashes from a Windows server.
>
> One or more copies of the 'cmd.asp' script were found, this ASP script
> can be used to exectute commands over the web, on IIS 4.0 it executes
> with SYSTEM privileges.
>
> One or more copies of the 'upload.asp' script were found, this ASP
> script can be used to upload files to the server over the web, often
> used by crackers when the target is firewalled.
>
> One or more copies of the 'jsp.cmd' script were found, this JSP script
> can be used to execute commands over the web.
>
> One more DLL files were found which indicate the presence of the
> 'Remote Administrator' tool. This tool is used to gain remote access to
> a compromised server.
>
> One or more copies of the 'kill.exe' executable were found, this tool
> is used for terminating processes, it was originally bundled with the
> Windows Resource Kits and has become a favorite of crackers.
>
> One or more copies of the 'hk.exe' exploit were found, it is used to
> gain SYSTEM privileges on a web server already compromised through
> another method.
>
> One or more copies of the 'list.exe' executable were found, this tool
> is used for enumerating processes, it was originally bundled with the
> Windows Resource Kits and has become a favorite of crackers.
>
> One more DLL files were found which appear to be part of the
> 'NewGina.dll' password logging toolkit.
>
> One or more copies of the 'iiscrack.dll' exploit were found, it is used
> to gain SYSTEM privileges on a web server already compromised through
> another method.
>
> One more DLL files were found which indicate the presence of the 'VNC'
> remote administration utility.
>
> Details:
> ftp.exe - /images/ftp.exe
> ftp.exe - /images/ftpx.exe
> ftp.exe - /links/ftp.exe
> ftp.exe - /links/ftpx.exe
> ftp.exe - /specials/ftp.exe
> ftp.exe - /specials/ftpx.exe
> ftp.exe - /personalbanking/ftp.exe
> ftp.exe - /personalbanking/ftpx.exe
> pwdump.exe - /images/pwdump.exe
> pwdump.exe - /images/pwdump2.exe
> pwdump.exe - /images/pwdump3.exe
> pwdump.exe - /links/pwdump.exe
> pwdump.exe - /links/pwdump2.exe
> pwdump.exe - /links/pwdump3.exe
>
>
> Mr. Miles Edmundson
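The false-positive mechanism HD describes (a marker-string check that fires on every path when the server sends no response at all) is easy to reproduce and to guard against. The Python below is an added illustration, not Nessus or NASL code from the thread: the `CHECKS` table, the sample responses and the `match_unguarded` / `match_guarded` / `scan` names are all constructed here. Only the ftp.exe marker string comes from HD's message; the other markers are stand-ins. `match_unguarded` models his hypothesis that a NULL body was treated as a match; `match_guarded` requires a non-empty body that actually contains the marker, and `scan` also takes an optional "catch-all page" body in the spirit of the no404 check he mentions, so a server that answers every URL with the same page does not produce findings either.

```python
import re

# Constructed (path, marker) table in the spirit of the plugin HD describes:
# a path is reported only when the marker string appears in the response.
# The ftp.exe marker is quoted in the thread; the others are made-up stand-ins.
CHECKS = {
    "/images/ftp.exe": "Suppresses display of remote server",
    "/images/pwdump.exe": "pwdump",
    "/images/cmd.asp": "cmd.asp placeholder marker",
}


def match_unguarded(pattern, body):
    """Model of the suspected bug: a missing response (None) counts as a
    match, so every check fires. Hypothetical, kept only for contrast."""
    if body is None:
        return True
    return re.search(pattern, body) is not None


def match_guarded(pattern, body):
    """Corrected matcher: no body, empty body, or no match means no finding."""
    if not body:
        return False
    return re.search(pattern, body) is not None


def scan(responses, matcher=match_guarded, not_found_body=None):
    """Return the request paths that would be reported as findings.

    responses maps path -> body string, or None when the server sent
    nothing (timeout / closed connection). not_found_body, if given, is
    the body the server returns for a known-nonexistent path; a response
    identical to it is a catch-all page, not evidence of the file.
    """
    findings = []
    for path, marker in CHECKS.items():
        body = responses.get(path)
        if not_found_body is not None and body == not_found_body:
            continue
        if matcher(re.escape(marker), body):
            findings.append(path)
    return findings


# Constructed sample responses (not captured from any real host).
SILENT_SERVER = {path: None for path in CHECKS}   # server never answers
REAL_SERVER = {
    "/images/ftp.exe": "... -v Suppresses display of remote server responses ...",
    "/images/pwdump.exe": "<html><body>404 Not Found</body></html>",
    "/images/cmd.asp": None,
}
CATCHALL_PAGE = "Site map: /images /links pwdump.exe"
CATCHALL_SERVER = {path: CATCHALL_PAGE for path in CHECKS}

if __name__ == "__main__":
    print("silent server, unguarded:", scan(SILENT_SERVER, match_unguarded))
    print("silent server, guarded:  ", scan(SILENT_SERVER))
    print("real server, guarded:    ", scan(REAL_SERVER))
    print("catch-all, no baseline:  ", scan(CATCHALL_SERVER))
    print("catch-all, with baseline:", scan(CATCHALL_SERVER, not_found_body=CATCHALL_PAGE))
```

The first run shows why a dead or filtered web server can yield a report listing every file the plugin knows about; the guarded matcher turns that into an empty report, and the baseline comparison handles the other classic source of web-content false positives, a site that returns 200 with the same page for any URL.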
