Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Nessus: users

Code Red Plugin

 

 

Nessus users RSS feed   Index | Next | Previous | View Threaded


michael.reeves at ae

Aug 14, 2001, 11:06 AM

Post #1 of 3 (882 views)
Permalink
Code Red Plugin

This might have already been discussed but I am having trouble reaching the
archives so I will just post. I am wondering if there are any codered
specific plugins floating around out there. Also one that would detect if
the system was actually compromised. (/scripts/root.exe etc.) I am currently
using the idq filter check and it comes up but the box is patched. The
current plugin just tells you that the .ida extension is still mapped. Well
this could be valid on a box that is running index server legitimately. Any
pointers would be great thanks,

Mike


reinke at e-softinc

Aug 14, 2001, 11:27 AM

Post #2 of 3 (826 views)
Permalink
Re: Code Red Plugin [In reply to]

Already out there, scriptid 10713, called "codered_x.nasl".
It detects systems that have been compromised by trying to
get a directory listing off the remote platform.

Keep an eye on the URL http://scripts.nessus.org/ - new tests
are listed there. Code red is no longer on this, because it's
already been wrapped up into the latest stable release, 1.0.9

The source can be downloaded as part of the plugins library,
or you can view it here:
http://www.securityspace.com/smysecure/viewsrc.html?id=10713

This is off course independent of the vulnerability test itself
that you mentioned, which is a different beast, and a different
testid (iis_isapi_overflow.nasl, script id 10685)

Cheers, Thomas

"Reeves, Michael (GEAE, Compaq)" wrote:
>
> This might have already been discussed but I am having trouble reaching the
> archives so I will just post. I am wondering if there are any codered
> specific plugins floating around out there. Also one that would detect if
> the system was actually compromised. (/scripts/root.exe etc.) I am currently
> using the idq filter check and it comes up but the box is patched. The
> current plugin just tells you that the .ida extension is still mapped. Well
> this could be valid on a box that is running index server legitimately. Any
> pointers would be great thanks,
>
> Mike

--
------------------------------------------------------------
Thomas Reinke Tel: (905) 331-2260
Director of Technology Fax: (905) 331-2504
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com


michael.reeves at ae

Aug 14, 2001, 12:32 PM

Post #3 of 3 (828 views)
Permalink
RE: Code Red Plugin [In reply to]

Ok I have the plugin enabled for finding already exploited boxes. Here is my
dilema though. Right now I am doing daily scans of a few of our class B
networks with eEye and I want to include the vulnerability check. We have
several boxes that are running index server. When I say several I mean a
couple hundred. Instead of adding these to the filter list I want just do a
check for if it is vuln. I have the signature if anyone is experienced in
writing these mugs.

Mike

-----Original Message-----
From: Thomas Reinke [mailto:reinke [at] e-softinc]
Sent: Tuesday, August 14, 2001 2:28 PM
To: Reeves, Michael (GEAE, Compaq)
Cc: 'nessus [at] list'
Subject: Re: Code Red Plugin


Already out there, scriptid 10713, called "codered_x.nasl".
It detects systems that have been compromised by trying to
get a directory listing off the remote platform.

Keep an eye on the URL http://scripts.nessus.org/ - new tests
are listed there. Code red is no longer on this, because it's
already been wrapped up into the latest stable release, 1.0.9

The source can be downloaded as part of the plugins library,
or you can view it here:
http://www.securityspace.com/smysecure/viewsrc.html?id=10713

This is off course independent of the vulnerability test itself
that you mentioned, which is a different beast, and a different
testid (iis_isapi_overflow.nasl, script id 10685)

Cheers, Thomas

"Reeves, Michael (GEAE, Compaq)" wrote:
>
> This might have already been discussed but I am having trouble reaching
the
> archives so I will just post. I am wondering if there are any codered
> specific plugins floating around out there. Also one that would detect if
> the system was actually compromised. (/scripts/root.exe etc.) I am
currently
> using the idq filter check and it comes up but the box is patched. The
> current plugin just tells you that the .ida extension is still mapped.
Well
> this could be valid on a box that is running index server legitimately.
Any
> pointers would be great thanks,
>
> Mike

--
------------------------------------------------------------
Thomas Reinke Tel: (905) 331-2260
Director of Technology Fax: (905) 331-2504
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com

Nessus users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.