NetSphere Backdoor Detection

1999-07-0800:00:00

www.tenable.com

The NetSphere backdoor is installed on the remote host. By connecting to it, a remote attacker can gain control of the affected system.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(10005);
 script_version("$Revision: 1.26 $");
 script_cvs_date("$Date: 2015/10/21 20:34:20 $");

 script_name(english:"NetSphere Backdoor Detection");
 script_summary(english:"Checks for the presence of NetSphere");

 script_set_attribute(attribute:"synopsis",value:
"A remote host contains a remote access trojan or backdoor." );
 script_set_attribute(attribute:"description", value:
"The NetSphere backdoor is installed on the remote host.  By connecting
to it, a remote attacker can gain control of the affected system." );
 script_set_attribute(
  attribute:"see_also", 
  value:"http://www.commodon.com/threat/threat-ns.htm"
 );
 script_set_attribute(attribute:"solution", value:
"Telnet to TCP port 30100 on the affected host, type '<KillServer>'
(without the quotes), and then press '<Enter>'.  This will stop the
NetSphere service. Then manually determine how the machine came to be
configured with a backdoor and clean it accordingly." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_attribute(attribute:"plugin_publication_date", value:"1999/07/08");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 1999-2015 Tenable Network Security, Inc.");

 script_family(english:"Backdoors");
 script_dependencie("find_service1.nasl");
 script_require_ports(30100);
 exit(0);
}

#
# The script code starts here
#

port = 30100;
if(get_port_state(port))
{
 soc = open_sock_tcp(port);
 if(soc)
 {
  a = recv_line(socket:soc, length:40);
  if("NetSphere" >< a)security_hole(port);
  close(soc);
 }
}

References

www.commodon.com/threat/threat-ns.htm

JSON