Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: More Service Detection Notes
From: "Brandon Enright" <bmenrigh () ucsd edu>
Date: Wed, 2 Aug 2006 21:10:29 -0000 (UTC)

Fyodor wrote:
On Tue, Jul 25, 2006 at 10:19:22PM -0700, doug () hcsw org wrote:
Thanks to Google's Summer of Code I was again able to spend the last
week integrating your service detection submissions! Thank you to
everybody who submitted.

Yay!  To you and the submitters.  The updates will be in the next
release.

As usual, I've added a blog entry with an edited selection of my notes:

http://www.hcsw.org/blog.pl?a=19&b=19

I discuss Skype 2.0, Cisco ACNS, protocols that consider remote
source ports, outbound filtered tcp/25, and more.

But the best part is the gallery of bizarre service banners :).
Watch out for the Browser Sux Error!

BTW, I noticed that the Haxdoor trojan signature mentioned in your
blog seems to be missing a p// element.  So I added one (after a bit
of Googling):

-match backdoor m|^A-311 Death welcome\x001\.87| i/**BACKDOOR**/
o/Windows/
+match backdoor m|^A-311 Death welcome\x001\.87| p/Haxdoor trojan/
i/**BACKDOOR**/ o/Windows/

Cheers,
-F


This pattern looks to be too specific to match all versions of Haxdoor. 
One of our hosts just returned "A-311\x20Death\x20welcome\x001\.88E!".

Perhaps the pattern should be entry should be changed to:

match backdoor m|^A-311 Death welcome\x001| p/Haxdoor trojan/
i/**BACKDOOR**/ o/Windows/

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]