On Fri, 2009-03-27 at 16:45 -0300, Andres Riancho wrote:
> On Fri, Mar 27, 2009 at 12:41 PM, Anirban Banerjee
> <[email protected]> wrote:
> > On Fri, 2009-03-27 at 08:33 -0400, Debelle, Stephan wrote:
> >> For what it is worth I did also notice some false positive using the same
> >> plugin, in fact it showed that it found so many backdoors when it was not
> >> the case.
> >>
> > On a lighter note, when I ran this plugin against a test site I nearly
> > had a heart attack, every possible backdoor was reported as
> > active..whew! :D
>
> If you upgrade to the latest version, you shouldn't have this problem.
>

Upgraded to a new version, and then tried the backdoor module on another test site. Unfortunately it seems that all the false positives resurfaced.

Request

[code]
GET http://www.xxxxxxxxxxxxxxx.com/~nobody/NCC-Shell.php HTTP/1.1
Host: www.xxxxxxxxxxxxxxx.com
Cookie: 7f19c74bba0bc7f134bd61de0cc38776=65a3f7e20e2237ed5acf90f3823d80c6
Accept-encoding: identity
Accept: */*
User-agent: Mozilla/4.0(compatible;xxxxxxxxxxxxxxx)
[/code]

Response

[code]
HTTP/1.1 406 Not Acceptable
date: Sat, 28 Mar 2009 01:26:07 GMT
transfer-encoding: chunked
content-type: text/html; charset=iso-8859-1
server: Apache/1.3.41 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>406 Not Acceptable</TITLE>
</HEAD><BODY>
<H1>Not Acceptable</H1>
An appropriate representation of the requested resource /~nobody/NCC-Shell.php could not be found on this server.<P>
<P>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
<HR>
<ADDRESS>Apache/1.3.41 Server at www.xxxxxxxxxxxxxxx.com Port 80</ADDRESS>
</BODY></HTML>
[/code]

Am I interpreting something incorrectly? Any comments :-)

> >>
> >> Stephan Debelle
> >> Digital Marketing Services, Americas
> >> https://dms.unilever.com
> >> 201-894-7180 - NJ
> >> 203-258-9559 - Mobile
> >> 203-581-6010 - Fax
> >>
> >>
> >> -----Original Message-----
> >> From: [email protected]
> >> [mailto:[email protected]] On Behalf Of Andres
> >> Riancho
> >> Sent: Wednesday, March 25, 2009 9:51 PM
> >> To: [email protected]
> >> Cc: [email protected]
> >> Subject: Re: [W3af-users] w3af newbie question
> >>
> >> Anirban,
> >>
> >> On Wed, Mar 25, 2009 at 5:41 PM, Anirban Banerjee <[email protected]>
> >> wrote:
> >> > Dear all,
> >> > I am a w3af newbie. I have searched for an answer to my
> >> > question but have not found something spot on and hence this mail.
> >> >
> >> > I ran a scan against a site and this is what came up among other things.
> >> >
> >> > A web backdoor was found at:
> >> > http://www.xxxxxxxxxxx.com/php-backdoor.php ; this could indicate that
> >> > your server was hacked. The vulnerability was found in the request
> >> > with id 326.
> >> >
> >> > URL : http://www.xxxxxxxxxxx.com/php-backdoor.php
> >> >
> >> > I have checked the server and have not found any file like this, I
> >> > have used search engines to see if they picked up anything and they
> >> > didn't. I have tried the URL and got 404 errors. Should I use netcat
> >> > to connect or something? I have looked at the output-http.txt file and
> >> > located Request/Response 326 and see a 404 error there. Any advice
> >> > would be greatly appreciated :)
> >>
> >> Seems to be a false positive, w3af fails to detect 404 error messages
> >> sometimes.
> >>
> >> > Thanks :-)
> >> >
> >> > ------------------------------------------------------------------------------
> >> > _______________________________________________
> >> > W3af-users mailing list
> >> > [email protected]
> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
> >> >
> >>
> >> --
> >> Andrés Riancho
> >> http://www.bonsai-sec.com/
> >> http://w3af.sourceforge.net/
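
The false positive discussed in this thread, as an added example that is not part of the original messages and is not w3af's own code: a check that treats any status other than 404 as a hit flags the 406 error page quoted above, while a check that requires a 2xx status and compares the body with the server's answer for a path that cannot exist does not. The sample bodies, the baseline path and the 0.9 threshold are constructed for illustration.

```python
import difflib

# Constructed sample body, modelled on the 406 response quoted in the thread.
ERROR_TEMPLATE = (
    "<HTML><HEAD><TITLE>406 Not Acceptable</TITLE></HEAD><BODY>"
    "<H1>Not Acceptable</H1>An appropriate representation of the requested "
    "resource {path} could not be found on this server.<P>Additionally, a 404 "
    "Not Found error was encountered while trying to use an ErrorDocument to "
    "handle the request.</BODY></HTML>"
)

def naive_is_found(status, body):
    """Weak check: anything that is not a literal 404 counts as a hit."""
    return status != 404

def normalise(body, path):
    """Drop the echoed request path so two error pages compare equal."""
    return body.replace(path, "").lower()

def is_found(status, body, path, baseline, threshold=0.9):
    """Hardened check: require a 2xx status and a body that differs from
    the server's answer to a path that cannot exist (the baseline)."""
    if not 200 <= status < 300:
        return False
    _, base_body, base_path = baseline
    ratio = difflib.SequenceMatcher(
        None, normalise(body, path), normalise(base_body, base_path)
    ).ratio()
    return ratio < threshold  # near-identical to the error page: soft 404

def classify_samples():
    # Baseline: response to a certainly absent path (hypothetical name).
    base_path = "/~nobody/zq81kx-does-not-exist.php"
    baseline = (406, ERROR_TEMPLATE.format(path=base_path), base_path)
    probe_path = "/~nobody/NCC-Shell.php"
    samples = {
        "406 error page": (406, ERROR_TEMPLATE.format(path=probe_path)),
        "soft 404 (200 + error body)": (200, ERROR_TEMPLATE.format(path=probe_path)),
        "real page": (200, "<html><body><h1>Upload form</h1><form method='post'></form></body></html>"),
    }
    return {
        name: (naive_is_found(s, b), is_found(s, b, probe_path, baseline))
        for name, (s, b) in samples.items()
    }

if __name__ == "__main__":
    for name, (naive, hardened) in classify_samples().items():
        print(f"{name:30} naive={naive!s:5} hardened={hardened}")
```

Each result is a pair (naive verdict, hardened verdict); only the page whose body differs from the baseline error page survives the hardened check.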
