Nmap Development mailing list archives

Re: Always practice safe software: a lesson from UnrealIRCd


From: David Fifield <david () bamsoftware com>
Date: Fri, 25 Jun 2010 10:27:02 -0600

On Thu, Jun 24, 2010 at 10:05:04AM -0500, Ron wrote:
> The attached version of the code, in my testing, had no false
> positives and no false negatives. The downside is, it's incredibly
> slow.
>
> A mutex + 10 second delay and 20 second timeout had 5 good, 1 false
> positive. A mutex + 25 second delay + 35 second timeout = perfect, 5
> out of 5 on my test list with no false positives/negatives. So
> basically, 25 seconds for every infected host, 35 seconds for every
> host that times out, and basically no time for hosts that aren't
> affected either way.

Ron, please commit this as it stands. It is very very slow but it seems
to be accurate. In my test I got 7 servers correctly detected, with 4
false positives, in 4 hours. I will send you the list of hosts I found
off-list.

The timing data are being corrupted by the time taken for the remote
server to do reverse DNS and ident lookups. One server I saw has a
36-second timeout on ident lookups, which makes it a false positive. I'm
testing a version that receives all the server's initial banner
(including host name and ident lookups) before sending the AB command
and starting the timer. But I think the script is ready to be added to
revision control now.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
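The timing problem David describes above (a slow reverse-DNS or ident lookup on the server side inflating the measured delay and producing a false positive) and his proposed fix (drain the server's whole initial banner before sending the AB command and starting the timer) can be reproduced locally. The following is an added example, not code from this thread or from Nmap's script: it runs two fake IRC servers on 127.0.0.1, one clean and one that sleeps before answering a line beginning with "AB", and probes each with a naive timer and with a banner-first timer. The probe line, the banner marker line, the 451 reply and the scaled-down delays are all constructed for the simulation; only the "AB" prefix and the delay/timeout idea come from the thread.

```python
"""Constructed local simulation of the timing probe discussed in this thread.

Nothing here talks to a real UnrealIRCd or uses Nmap's script: both the
"clean" and the "backdoored" servers are fakes bound to 127.0.0.1, and the
probe line is a placeholder (only its "AB" prefix comes from the thread).
Delays are scaled down from the 25 s / 35 s the thread uses.
"""
import socket
import threading
import time

PROBE_DELAY = 0.6            # thread: 25 s sleep expected from an infected host
PROBE_TIMEOUT = 1.0          # thread: 35 s before giving up on the reply
BANNER_TIMEOUT = 5.0         # assumption: cap on waiting for rDNS/ident to finish
DETECT_THRESHOLD = PROBE_DELAY * 0.9   # small margin for scheduling jitter
PROBE = b"AB;placeholder\r\n"          # placeholder payload, not the real one
# Constructed marker the fake server emits once its lookups are done.
BANNER_END = b"NOTICE AUTH :*** Ident lookup finished\r\n"


def start_fake_server(lookup_delay, backdoored):
    """Start a one-shot fake IRC server on localhost and return its port.

    lookup_delay models the server blocking on reverse DNS + ident before it
    finishes the banner and reads client input. A backdoored server sleeps
    PROBE_DELAY before answering a line that starts with "AB".
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"NOTICE AUTH :*** Looking up your hostname...\r\n")
            time.sleep(lookup_delay)               # the slow part of the banner
            conn.sendall(BANNER_END)
            line = conn.makefile("rb").readline()  # first thing the client sent
            if backdoored and line.startswith(b"AB"):
                time.sleep(PROBE_DELAY)
            conn.sendall(b":irc.example 451 * :You have not registered\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def _time_reply(sock, reader, t0):
    """Wait for the 451 reply to the probe and return (elapsed, infected?),
    or (None, None) if PROBE_TIMEOUT elapses first (an inconclusive host)."""
    deadline = t0 + PROBE_TIMEOUT
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None, None
            sock.settimeout(remaining)
            line = reader.readline()
            if not line:                           # server hung up
                return None, None
            if b" 451 " in line:
                elapsed = time.monotonic() - t0
                return elapsed, elapsed >= DETECT_THRESHOLD
    except socket.timeout:
        return None, None


def probe_naive(port):
    """Start the clock at connect: the banner's rDNS/ident time pollutes it."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=PROBE_TIMEOUT)
    with sock:
        reader = sock.makefile("rb")
        t0 = time.monotonic()
        sock.sendall(PROBE)
        return _time_reply(sock, reader, t0)


def probe_after_banner(port):
    """Drain the whole banner first, then send the probe and start the clock."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=BANNER_TIMEOUT)
    with sock:
        reader = sock.makefile("rb")
        try:
            while True:
                line = reader.readline()
                if not line:
                    return None, None
                if line == BANNER_END:
                    break
        except socket.timeout:
            return None, None
        t0 = time.monotonic()
        sock.sendall(PROBE)
        return _time_reply(sock, reader, t0)


if __name__ == "__main__":
    for name, fn in (("naive", probe_naive), ("after-banner", probe_after_banner)):
        for backdoored in (False, True):
            port = start_fake_server(lookup_delay=0.8, backdoored=backdoored)
            elapsed, verdict = fn(port)
            print(f"{name:12s} backdoored={backdoored!s:5s} "
                  f"elapsed={elapsed} verdict={verdict}")
```

With a 0.8 s lookup delay (standing in for the 36 s ident timeout David saw), the naive probe reports the clean server as infected because the banner wait lands inside its timer, and it times out on the backdoored one because lookup plus sleep exceeds the reply timeout; the banner-first probe returns a near-zero delay for the clean server and roughly PROBE_DELAY for the backdoored one. The banner read has its own generous timeout because, as the thread notes, the delay before the banner completes is the server's lookup time and says nothing about the backdoor.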

