Zombie Web servers: are you one?

Filed under: Malware, Nmap, Tools

Greetings!

I found this excellent writeup of a Web-server botnet on Slashdot this weekend. Since it sounded like just the thing for Nmap to detect, I wrote a quick script!

First, the attacker somehow compromises an innocent Web server (presumably via weak passwords or a similar mechanism). After the compromise, an additional Web server is started on port 8080. This server, however, is malicious; it tries to exploit vulnerable browsers with typical drive-by downloads. If a non-vulnerable browser connects to it, instead of serving the malware the server redirects the browser (via a "302 Found" status) to another infected Web server, which attempts to do the same.

This redirection is easy to detect with Nmap.
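For readers who want to check a server without building Nmap from svn, here is a small Python check that applies the same idea. This is an added example, not code from the post and not the http-malware-host.nse script itself: it requests the path the script reports (/ts/in.cgi?open2) on port 8080 and flags a host whose answer is a "302 Found" whose Location points at an index.php on port 8080. That matching rule is my own assumption modelled on the sample output in the post; the hostnames in the embedded sample responses are constructed and the responses are not captured traffic.

```python
"""Heuristic check for the zombie-Web-server redirect described in the post.

Added example, not part of the original post or of Nmap's http-malware-host.nse.
"""
import http.client
from urllib.parse import urlsplit

PROBE_PATH = "/ts/in.cgi?open2"  # path reported in the post's sample output
SUSPECT_PORT = 8080              # port the rogue server listens on, per the post


def parse_raw_response(raw: bytes):
    """Parse the status line and headers of a raw HTTP/1.x response.

    Returns (status_code, headers); header names are lowercased.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(status: int, headers: dict):
    """Return (infected, detail) for one probe response.

    Matching rule (assumption based on the post's output): an infected host
    answers the probe with 302 Found and a Location of the form
    http://<host>:8080/.../index.php.
    """
    if status != 302:
        return False, "no 302 redirect (status %d)" % status
    location = headers.get("location", "")
    target = urlsplit(location)
    if target.scheme != "http" or target.hostname is None:
        return False, "302 without an absolute http Location"
    if target.port == SUSPECT_PORT and target.path.endswith("/index.php"):
        return True, "%s redirects to %s" % (PROBE_PATH, location)
    return False, "302 to %s does not match the zombie pattern" % location


def check_raw(raw: bytes):
    """Classify a raw response captured from a server (offline use)."""
    return classify(*parse_raw_response(raw))


def probe_host(host: str, port: int = SUSPECT_PORT, timeout: float = 5.0):
    """Send the probe to a server you administer and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH, headers={"Host": host})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(resp.status, headers)
    finally:
        conn.close()


# Constructed sample responses (not captured traffic); hostnames are placeholders.
INFECTED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://infected-host.example:8080/index.php\r\n"
    b"Content-Length: 0\r\n\r\n"
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 9\r\n\r\nNot found"
)
BENIGN_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.example.com/login\r\n\r\n"
)

if __name__ == "__main__":
    samples = [("infected", INFECTED_RESPONSE),
               ("clean", CLEAN_RESPONSE),
               ("benign redirect", BENIGN_REDIRECT)]
    for name, raw in samples:
        print(name, check_raw(raw))
```

Running the file classifies the three constructed samples offline; `probe_host("your.server", 8080)` performs the live request against a server you own. A benign 302 (for example to a login page) is deliberately not flagged, which is why the rule looks at both the port and the index.php path rather than at the status code alone.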

The script is called http-malware-host.nse, and I highly recommend running it against your own servers. All you need to do is check it out from svn and run it:

$ svn co --username guest --password '' svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
# make install
$ nmap -d -p80,443,8080 --script=http-malware-host <target>

If the host is clean, you will see no additional output. If the host is infected, you'll see the following:

$ ./nmap -p8080 --script=http-malware-host last-another-life.ru
Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-16 09:32 CDT
Warning: Hostname last-another-life.ru resolves to 5 IPs. Using 80.69.74.73.
NSE: Script Scanning completed.
Interesting ports on 80-69-74-73.colo.transip.net (80.69.74.73):
PORT     STATE SERVICE
8080/tcp open  http-proxy
|  http-malware-host: Host appears to be infected (/ts/in.cgi?open2 redirects
to http://last-another-life.ru:8080/index.php)
|_ See: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-
of-zombie-web-servers/

I highly recommend double-checking your servers for this infection!

<UPDATE> You can download the current version of the script (as of Sept 17, 2009) here. That version won't be kept up to date, though.

Ron Bowes, Sep 16, 2009

3 Responses to “Zombie Web servers: are you one?”

  1. jacppe Says:

    Hi Ron. I can't run the script, because I can't find it in the NSE repository.
    http://nmap.org/svn/scripts/
    Can you upload? Thanks a lot.

  2. Ron Says:

    Hi Jacppe,

    The easiest way is to get it straight from svn doing a checkout, as I mentioned in my post. If you're unable to do that, I'll upload it when I get home from work.

    Ron

  3. Ron Says:

    Hi Jacppe,

    I uploaded it to the following location:
    http://www.skullsecurity.org/blogdata/http-malware-host.nse

    Ron
