Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Plugin 18931 problems

from [Jerry Heidtke] Network Security [Permanent Link]
Subject: Plugin 18931 problems
Date: Tue, 18 Oct 2005 17:33:53 -0500 
I'm having two problems with smtp_backdoor.nasl plugin 18931, "SMTP server 
on a strange port".

First, the script name is defined incorrectly. It is given as: " 
script_name(english: 'SMTP server on a strange port');" which shows up 
correctly in nessus clients but totally confuses Lightning - resulting in 
a blank name and being unable to view any information about the plugin.

It should be defined as follows:

 name["english"] = "SMTP server on a strange port";
 script_name(english:name["english"]);

Second, we've got several FTP servers with restrictions to only allow 
selected hosts to connect. When nessus tries to connect 
(ftpserver_detect_type_nd_version.nasl plugin 10092), the banner is given 
as "530 Connection refused, unknown IP address." but it is correctly 
identified as an ftp server.

530 is a legitimate response for an FTP server as given in RFC-959, 
defined as "Not logged in." (combination of 5yz Permanent Negative 
Completion reply and x3z Authentication and accounting - Replies for the 
login process and accounting procedures.)

However, this is being detected as an SMTP server by 
find_service_3digits.nasl plugin 14773, " Identifies services like FTP, 
SMTP, NNTP...". This then causes 18931 to complain about a "backdoor set 
up by crackers to send spam" which makes some people unhappy.

Not sure what the best way to resolve this false positive is. 

Jerry Heidtke

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Plugin 18931 problems, Jerry Heidtke <=
Previous by Date:  Re: strange UPD traceroute response, George A. Theall
Next by Date:  RE: Re: Problem wiht Plugin-update (all-2.0.tar.gz), porath
Previous by Thread:  Problem compiliing Nessus-core on Fedora core 4, Lee Jasper
Next by Thread:  scanning redirect, Max Andersen
Indexes:  [Date] [Thread] [Top] [All Lists]