linux scanner for common windows exploits



#1 oneeyedelf1

oneeyedelf1

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 340 posts
  • Location:Vestal, NY

Posted 21 July 2004 - 09:46 PM

I have recently reinstalled Linux (Gentoo) ((I never seem to get enough time to give Linux a decent try to learn it, and end up formatting over it, because it just sits there)), just so I can play with Apache, PHP and MySQL. Well, I'm kinda new to poking around with webpages, but I find the power of PHP amazing. I have been hired to be a rescon for my college in the fall, and the guy that hired me basically explained that the first few weeks I would be going around to people's computers and running a scanner for something like SASSER. And I was like, why should I walk around and play with everyone's PC? It kinda gets annoying. Don't get me wrong, I will walk around and try to meet everyone; it's one of the great things to do with your spare time the first few weeks of school. But basically I just wanna do this: grab their IP with PHP, run the program with the IP as a parameter, and be able to get the output and parse it.

So basically I need some help, 'cause I don't wanna forget a common worm & its 'ploit pair. I need a list of those common pesky worms and pointers for scanning for them on Linux. I have found a few scanners for certain 'ploits for Windows, but that doesn't really help me here. Help?

#2 bankrupt

bankrupt

    SCRiPT KiDDie

  • Members
  • 24 posts

Posted 22 July 2004 - 08:29 AM

Basically you can use some basic Snort rules, i.e. traffic on well-known ports used by viruses. I have never done something like this, but I've seen it, and it is effective.

Here are a few links I found about Snort IDS:

a snort-user group (Snort, MySQL, PHP, and ACID)
Intrusion Detection with SNORT (can be adapted to viruses)
some scripts
snortcenter

Here are a few virus, trojan, and backdoor ports:

ONCTek's list of known trojans/backdoors and the TCP/UDP ports on which they operate
DoShelp's list of trojan and Remote Access Service ports
suspect ports
more trojan ports

Also I recommend looking at anti-virus sites' descriptions of viruses to get a better rule on them.

I also suggest this as a plan B: use F-Prot on a Knoppix with a USB key or remaster, and go from room to room and scan the PCs.

Good luck :)

#3 oneeyedelf1

oneeyedelf1

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 340 posts
  • Location:Vestal, NY

Posted 22 July 2004 - 09:12 AM

I don't really want the webserver to scan for trojans, I want to scan for possible Windows exploits. And since Windows exploits usually attack a port on a Windows machine that's just usually open, a simple port scanner will not do... at least that's what I'm guessing. I thought about it last night, and realized something. I really don't need to scan for every Windows exploit, only the most recent ones. Because if they have these patched, most likely they will have the older ones patched. So I would just need to scan for the latest Windows 98/ME worm and the latest Windows 2k/XP worm. As for 95, no bother with that OS anymore, 'cause if they are running it, well, I'll tell them they shouldn't be. But I still run 95 upstairs, so whatever.

#4 bankrupt

bankrupt

    SCRiPT KiDDie

  • Members
  • 24 posts

Posted 22 July 2004 - 09:16 AM

I thought you were going to look for virus activity, but for open ports, well, nmap, and for vulnerabilities Nessus will do the trick.
Also just block Kazaa ports, because the viruses are getting through it. And one thing you have to realize is people don't always update.

Edited by bankrupt, 22 July 2004 - 09:22 AM.


#5 BlackRatchet

BlackRatchet

    Dangerous free thinker

  • Agents of the Revolution
  • 1,837 posts
  • Location:617/508

Posted 22 July 2004 - 11:46 AM

Agreed. Nessus. 'nuff said.

It's an automated security scanner; it will create pretty reports for the users saying "Your computer is vulnerable to X, go here to fix it".

Edited by BlackRatchet, 22 July 2004 - 11:47 AM.
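A sketch of the loop the first post asked for (grab the client's IP in PHP, run a scanner with it as a parameter, parse the output), using nmap as suggested above. This is an added example, not code from the thread or from nmap; it assumes nmap is installed on the Linux box and that the web server user may run it, and the port list is a constructed one tied to the Sasser mention (445/tcp, which Sasser spread over, plus 5554/tcp and 9996/tcp, the listeners it opened).

```php
<?php
// Added example (not from the thread): run nmap against the requesting host and
// parse its grepable (-oG) output. Assumes nmap is installed and runnable by the
// web server user. The IP is validated before it goes anywhere near a shell.
declare(strict_types=1);

// Constructed port list: 445 is the SMB port Sasser spread over, 5554 and 9996
// are the FTP/shell listeners an infected host exposes.
const PORTS_OF_INTEREST = [445, 5554, 9996];

/** Accept only a literal IPv4 address; anything else is refused outright. */
function validate_ip(string $ip): string {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException("not an IPv4 address: $ip");
    }
    return $ip;
}

/** Run nmap in grepable mode against one host and return the raw output. */
function run_nmap(string $ip): string {
    $ports = implode(',', PORTS_OF_INTEREST);
    // -Pn: skip host discovery (Windows firewalls often drop ping); -oG -: grepable to stdout
    $cmd = 'nmap -Pn -p ' . escapeshellarg($ports)
         . ' -oG - ' . escapeshellarg(validate_ip($ip)) . ' 2>&1';
    return (string) shell_exec($cmd);
}

/** Turn the "Ports:" field of -oG output into [port => state]. */
function parse_grepable(string $out): array {
    $states = [];
    // Each entry is port/state/proto/owner/service/rpc/version, comma separated.
    if (preg_match('/Ports:\s*(.+?)(?:\s+Ignored State|$)/m', $out, $m)) {
        foreach (explode(',', $m[1]) as $entry) {
            $f = explode('/', trim($entry));
            if (count($f) >= 2) {
                $states[(int) $f[0]] = $f[1];
            }
        }
    }
    return $states;
}

$ip   = validate_ip($_SERVER['REMOTE_ADDR'] ?? '');
$open = array_keys(array_filter(parse_grepable(run_nmap($ip)), fn($s) => $s === 'open'));
header('Content-Type: text/plain');
echo $open
    ? "$ip: open ports " . implode(', ', $open) . " - worth a closer look with Nessus\n"
    : "$ip: none of the checked ports are open\n";
```

Because the result only says a port is open, not that the host is unpatched, the script is a triage step; Nessus, as the later replies say, is what actually tells the user which fix to apply.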


#6 oneeyedelf1

oneeyedelf1

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 340 posts
  • Location:Vestal, NY

Posted 22 July 2004 - 12:00 PM

yes I looked at it and this is exactly what I wanted, now I just have to play with it, thanks guys




BinRev is hosted by the great people at Lunarpages!