CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL

Summary

A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft.

Nessus

  • NASL familyBackdoors
    NASL idSHAFT.NASL
    descriptionThe remote host appears to be running Shaft, which is a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool). It is very likely that this host has been compromised
    last seen2020-06-01
    modified2020-06-02
    plugin id10350
    published2000-03-17
    reporterThis script is Copyright (C) 2000-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10350
    titleShaft Trojan Detection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Registration pass: when Nessus loads the plugin with `description` set it
    # only records the metadata below and exits; the probe further down never
    # runs in this pass.
    if(description)
    {
     script_id(10350);
     script_version ("1.27");
     script_cvs_date("Date: 2019/03/06 18:38:55");
    
     script_cve_id("CVE-2000-0138");
     
     script_name(english: "Shaft Trojan Detection");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is infected by a Trojan horse." );
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running Shaft, which is a trojan that can 
    be used to control your system or make it attack another network (this 
    is actually called a distributed denial of service attack tool).
    
    It is very likely that this host has been compromised" );
     script_set_attribute(attribute:"solution", value:
    "Restore your system from backups, contact CERT and your local authorities." );
     # The finding is rated as a full compromise of the host (C:C/I:C/A:C).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_attribute(attribute:"plugin_publication_date", value: "2000/03/17");
     script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_summary(english: "Detects the presence of Shaft");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc.");
     script_family(english: "Backdoors");
     # The probe forges raw UDP packets, so it is gated on the "thorough
     # tests" scan setting (re-checked before anything is sent).
     script_require_keys("Settings/ThoroughTests");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    
    include('global_settings.inc');
    
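    # Detection pass: send the Shaft agent its keep-alive command over UDP and
    # look for the echoed command coming back on the handler-side port.
    # Skipped for the scanner itself, for scans without thorough tests, and
    # for IPv6 targets (the packet forging below is IPv4 only).
    if ( islocalhost() ) exit(0);
    if ( ! thorough_tests ) exit(0);
    if ( TARGET_IS_IPV6 ) exit(0);
    
    shaft_dstport = 18753;   # UDP port the probe is sent to
    shaft_rctport = 20433;   # UDP port the agent is expected to answer on
    shaft_scmd = "alive";    # command token of the probe
    shaft_spass = "tijgu";   # password token of the probe
    
    command = string(shaft_scmd, " ", shaft_spass, " hi 5 1918");
    
    ip  = forge_ip_packet(ip_hl:5, ip_v:4,   ip_off:0,
                         ip_id:9, ip_tos:0, ip_p : IPPROTO_UDP,
                         ip_len : 20, ip_src : compat::this_host(),
                         ip_ttl : 255);
    
    # UDP header (8 bytes) plus payload.
    length = 8 + strlen(command);
    udpip = forge_udp_packet(ip : ip,
                             uh_sport : 1024,
                             uh_dport : shaft_dstport,
                             uh_ulen : length,
                             data : command);
    
    # Capture only UDP from the target back to the scanner on the reply port.
    filter = string("udp and src host ", get_host_ip(), " and dst host ", compat::this_host(), " and dst port ", shaft_rctport);
    rep = send_packet(udpip, pcap_filter:filter, pcap_active:TRUE);
    
    if(!isnull(rep))
    {
     dstport = get_udp_element(udp:rep, element:"uh_dport");
     # Match the echoed command against the UDP payload only (as
     # win_trinoo.nasl does) instead of the whole raw packet, so header bytes
     # can never satisfy the substring test.
     data = get_udp_element(udp:rep, element:"data");
     if(dstport == shaft_rctport && "alive tijgu" >< data) security_hole(port:shaft_dstport, protocol:"udp");
    }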
    
  • NASL familyBackdoors
    NASL idMSTREAM_AGENT.NASL
    descriptionThe remote host appears to be running a mstream agent, which is a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool). It is very likely that this host has been compromised.
    last seen2020-06-01
    modified2020-06-02
    plugin id10390
    published2000-05-02
    reporterThis script is Copyright (C) 2000-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10390
    titlemstream DDoS Agent Detection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Registration pass: metadata only; the UDP probe below does not run here.
    if (description)
    {
     script_id(10390);
     script_version("1.29");
     script_cvs_date("Date: 2019/03/06 18:38:55");
     script_cve_id("CVE-2000-0138");
    
     script_name(english:"mstream DDoS Agent Detection");
     script_summary(english:"Detects the presence of a mstream agent");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote host has a suspicious application installed.");
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running a mstream agent, which is a
    trojan that can be used to control your system or make it attack
    another network (this is actually called a distributed denial of
    service attack tool)
    
    It is very likely that this host has been compromised");
     # http://web.archive.org/web/20010828115057/http://www.whitehats.com/info/IDS111
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?455cacb3");
     script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=95722093124322&w=2");
     script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=95715370208598&w=2");
     script_set_attribute(attribute:"solution", value:
    "Restore your system from known good backups or re-install the
    operating system.");
     # Availability-only rating (A:P); this matches the CVE's own vector.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2000/05/02");
     script_set_attribute(attribute:"vuln_publication_date", value:"2000/02/09");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc.");
     script_family(english:"Backdoors");
     # Legacy singular spelling; kept as-is, the handler plugin uses
     # script_dependencies().
     script_dependencie("find_service1.nasl");
     # Raw-packet probe: only runs when thorough tests are enabled.
     script_require_keys("Settings/ThoroughTests");
     exit(0);
    }
    
    #
    
    include('global_settings.inc');
    # Skip targets the raw-packet probe cannot handle: IPv6, the scanner
    # itself, and scans that do not enable thorough tests.
    if ( TARGET_IS_IPV6 ) exit(0);
    if ( islocalhost() ) exit(0);
    if (!  thorough_tests ) exit(0);
    
    
    # Send a "ping" to a candidate mstream agent port and report whether the
    # target answers on the paired port.
    #
    # dport : UDP port the probe is sent to
    # sport : UDP port a reply is expected on
    # Returns 1 when a UDP datagram from the target arrives on sport within
    # the 3-second capture window, 0 otherwise.
    # NOTE(review): the reply payload is not inspected; any UDP datagram from
    # the target to sport counts as a hit.
    function detect(dport, sport)
    {
      local_var answer, bpf, hdr, payload, probe, reply_port, total;
    
      payload = string("ping\n");
      hdr = forge_ip_packet(ip_hl:5, ip_v:4, ip_off:0,
                            ip_id:9, ip_tos:0, ip_p:IPPROTO_UDP,
                            ip_len:20, ip_src:compat::this_host(),
                            ip_ttl:255);
    
      # UDP header (8 bytes) plus payload.
      total = 8 + strlen(payload);
      probe = forge_udp_packet(ip:hdr,
                               uh_sport:65535,
                               uh_dport:dport,
                               uh_ulen:total,
                               data:payload);
    
      # Capture only UDP from the target back to the scanner on sport.
      bpf = string("udp and src host ", get_host_ip(), " and dst port ", sport, " and dst host ", compat::this_host());
    
      answer = send_packet(probe, pcap_active:TRUE, pcap_filter:bpf, pcap_timeout:3);
      if (isnull(answer)) return(0);
    
      reply_port = get_udp_element(udp:answer, element:"uh_dport");
      if (reply_port == sport) return(1);
      return(0);
    }
    
    
    
    # Two known agent/handler port pairs; the second pair is only tried when
    # the first one does not answer.
    if(detect(sport:6838, dport:10498))security_warning(port:10498, proto:"udp");
      else if(detect(sport:9325, dport:7983))security_warning(port:7983, proto:"udp");
    
    
    
    
    
  • NASL familyBackdoors
    NASL idTRINITY.NASL
    descriptionThe remote host appears to be running Trinity v3, a Trojan Horse that can be used to control your system or make it attack another network (this is actually called a Distributed Denial Of Service attack tool). It is very likely that this host has been compromised
    last seen2020-06-01
    modified2020-06-02
    plugin id10501
    published2000-09-05
    reporterThis script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10501
    titleTrinity v3 Trojan Detection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Registration pass: metadata only; the TCP check below does not run here.
    if(description)
    {
     script_id(10501);
     script_version ("1.16");
     script_cvs_date("Date: 2018/06/13 18:56:25");
    
     script_cve_id("CVE-2000-0138");
     
     script_name(english: "Trinity v3 Trojan Detection");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host has been compromised." );
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running Trinity v3, a Trojan Horse that 
    can be used to control your system or make it attack another network
    (this is  actually called a Distributed Denial Of Service attack tool).
    
    It is very likely that this host has been compromised" );
     script_set_attribute(attribute:"solution", value:
    "Restore your system from backups, contact CERT and your local
    authorities" );
     # The finding is rated as a full compromise of the host (C:C/I:C/A:C).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2000/09/05");
     script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     script_summary(english: "Detects the presence of trinity v3");
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
     script_family(english: "Backdoors");
     # Unlike the UDP/ICMP plugins this one uses a plain TCP socket, so it
     # only needs the port to be open rather than the thorough-tests setting.
     script_require_ports(33270);
     
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    # Detection pass: connect to TCP 33270, send the initial string, then the
    # "id" command; a live backdoor is assumed when the answer contains "uid".
    trinity_port = 33270;
    if(get_port_state(trinity_port))
    {
     sock = open_sock_tcp(trinity_port);
     if(sock)
     {
      # First exchange: the reply to the initial string is discarded.
      send(socket:sock, data:string("!@#\r\n"));
      recv(socket:sock, length:16000);
      # Second exchange: "id" output identifies a working command channel.
      send(socket:sock, data:string("id\r\n"));
      output = recv(socket:sock, length:16000);
      if("uid" >< output) security_hole(trinity_port);
      close(sock);
     }
    }
    
  • NASL familyBackdoors
    NASL idTRINOO.NASL
    descriptionThe remote host appears to be running Trin00, a Trojan Horse that can be used to control your system or make it attack another network (this is actually called a Distributed Denial Of Service attack tool). It is very likely that this host has been compromised.
    last seen2020-06-01
    modified2020-06-02
    plugin id10288
    published2000-02-05
    reporterThis script is Copyright (C) 2000-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10288
    titleTrin00 Trojan Detection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Registration pass: metadata only; the UDP probe below does not run here.
    if(description)
    {
     script_id(10288);
     script_version ("1.25");
     script_cvs_date("Date: 2019/03/06 18:38:55");
    
     script_cve_id("CVE-2000-0138");
     
     script_name(english: "Trin00 Trojan Detection");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host has been compromised." );
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running Trin00, a Trojan Horse that can be
    used to control your system or make it attack another network (this 
    actually called a Distributed Denial Of Service attack tool).
    
    It is very likely that this host has been compromised." );
     script_set_attribute(attribute:"solution", value:
    "Restore your system from backups, contact CERT and your local 
    authorities." );
     # The finding is rated as a full compromise of the host (C:C/I:C/A:C).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2000/02/05");
     script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     script_summary(english: "Detects the presence of trin00");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc.");
     script_family(english: "Backdoors");
     # Raw-packet probe: only runs when thorough tests are enabled.
     script_require_keys("Settings/ThoroughTests");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include('global_settings.inc');
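    # Detection pass: send the trin00 daemon a "png" command on UDP 27444 and
    # look for its answer on UDP 31335.  IPv4 only, remote hosts only, and
    # only when thorough tests are enabled.
    if ( TARGET_IS_IPV6 ) exit(0);
    
    if ( islocalhost() ) exit(0);
    if ( ! thorough_tests ) exit(0);
    
    # Probe and the reply token the daemon is expected to echo back.
    command = string("png l44adsl");
    pong = string("PONG");
    
    ip  = forge_ip_packet(ip_hl:5, ip_v:4,   ip_off:0,
                         ip_id:9, ip_tos:0, ip_p : IPPROTO_UDP,
                         ip_len : 20, ip_src : compat::this_host(),
                         ip_ttl : 255);
    
    # UDP header (8 bytes) plus payload.
    length = 8 + strlen(command);
    udpip = forge_udp_packet(ip : ip,
                             uh_sport : 1024,
                             uh_dport : 27444,
                             uh_ulen : length,
                             data : command);
    
    # Capture only UDP from the target back to the scanner on port 31335.
    trg = get_host_ip();
    me  = compat::this_host();
    pf = string("udp and src host ", trg, " and dst host ", me, " and dst port 31335");
    rep = send_packet(udpip, pcap_filter:pf, pcap_active:TRUE);
    if(rep)
    {
      dstport = get_udp_element(udp:rep, element:"uh_dport");
      data = get_udp_element(udp:rep, element:"data");
      # Require the PONG token in the payload, as win_trinoo.nasl does.
      # `pong` used to be defined but never checked, so any UDP datagram from
      # the target to port 31335 was reported as a trin00 daemon.
      if(dstport == 31335 && pong >< data)
      { 
       security_hole(port:27444, protocol:"udp");
      }
    }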
    
  • NASL familyBackdoors
    NASL idMSTREAM_HANDLER.NASL
    descriptionThe remote host appears to be running a mstream handler, which is a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool). It is very likely that this host has been compromised.
    last seen2020-06-01
    modified2020-06-02
    plugin id10391
    published2000-05-02
    reporterThis script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10391
    titlemstream DDoS Handler Detection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
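    # Registration pass: metadata only; the TCP checks below do not run here.
    if(description)
    {
     script_id(10391);
     script_version ("1.24");
     script_cvs_date("Date: 2018/06/13 18:56:25");
     script_cve_id("CVE-2000-0138");
    
     script_name(english:"mstream DDoS Handler Detection");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host appears to have a suspicious program installed." );
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running a mstream handler, which is a
    trojan that can be used to control your system or make it attack 
    another network (this is actually called a distributed denial of 
    service attack tool)
    
    It is very likely that this host has been compromised" );
     script_set_attribute(attribute:"solution", value:
    "Restore your system from known good backups or re-install the
    operating system." );
     # Availability-only rating (A:P); this matches the CVE's own vector.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2000/05/02");
     script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     # This plugin detects the handler (the agent has its own plugin, 10390);
     # the summary previously said "agent", which mislabelled its findings.
     script_summary(english:"Detects the presence of a mstream handler");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
     script_family(english:"Backdoors");
     # Fallback ports tried when no unknown service was found.
     script_require_ports(6723, 15104, 12754); 
     script_dependencies("find_service1.nasl");
     script_require_keys("Settings/ThoroughTests");
     exit(0);
    }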
    
    #
    
    include("misc_func.inc");
    include('global_settings.inc');
    # Never probe the scanner itself, and only run with thorough tests enabled.
    if ( islocalhost() ) exit(0);
    if (!  thorough_tests ) exit(0);
    
    
    # Try one candidate password on a TCP port and report the handler when it
    # answers with its "> " prompt.
    #
    # port : TCP port to connect to
    # pass : password string sent, terminated by CRLF
    # Returns 1 (after raising a warning on port) on a prompt match,
    # 0 when the port is closed, the connect fails, or the prompt differs.
    function check(port, pass)
    {
     local_var prompt, sock;
    
     if (!get_port_state(port)) return(0);
     sock = open_sock_tcp(port);
     if (!sock) return(0);
    
     send(socket:sock, data:string(pass, "\r\n"));
     # Only the two prompt bytes are needed; give up after 2 seconds.
     prompt = recv(socket:sock, length:2, timeout:2);
     close(sock);
    
     if (prompt != "> ") return(0);
     security_warning(port);
     return(1);
    }
    
    # Prefer a port reported as an unknown service, trying both known
    # passwords on it; otherwise fall back to the three default handler ports,
    # each with the password associated with it.  Stop at the first hit.
    port = get_unknown_svc();
    if(port)
    {
     foreach pass (make_list("sex", "N7%diApf!"))
      if(check(port:port, pass:pass)) exit(0);
    }
    else
    {
     if(check(port:6723, pass:"sex")) exit(0);
     foreach p (make_list(15104, 12754))
      if(check(port:p, pass:"N7%diApf!")) exit(0);
    }
    
  • NASL familyBackdoors
    NASL idSTACHELDRAHT.NASL
    descriptionThe remote host is running Stacheldraht, a trojan horse that can be used to control your system or make it attack another network. An ICMP ECHO reply was sent to the remote host with 'gesundheit!' and an ID of 668; the host replied with 'sicken\n' and an ID of 669. It is very likely that this host has been compromised.
    last seen2020-06-01
    modified2020-06-02
    plugin id10270
    published2000-01-28
    reporterThis script is Copyright (C) 2000-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10270
    titleStacheldraht Trojan Detection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: metadata only; the ICMP probe below does not run here.
    if(description)
    {
      script_id(10270);
      script_version ("1.29");
      script_cvs_date("Date: 2019/03/06 18:38:55");
    
      script_cve_id("CVE-2000-0138");
    
      script_name(english:"Stacheldraht Trojan Detection");
      script_summary(english:"Detects the presence of Stacheldraht.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has a distributed denial of service (DDOS) agent
    installed.");
      # The id/payload values named here are the ones the probe below sends
      # and checks for (668/669, "gesundheit!"/"sicken\n").
      script_set_attribute(attribute:"description", value:
    "The remote host is running Stacheldraht, a trojan horse that can be
    used to control your system or make it attack another network.
    
    An ICMP ECHO reply was sent to the remote host with 'gesundheit!' and
    an ID of 668. The host sent a reply with 'sicken\n' and an ID of 669.
    
    If Paranoid is enabled, the plugin will only check for the ICMP ECHO
    reply having ID 669.
    
    It is very likely that this host has been compromised.");
      script_set_attribute(attribute:"see_also", value:"http://www.sans.org/security-resources/idfaq/stacheldraht.php");
      script_set_attribute(attribute:"solution", value:
    "Restore your system from backups, and contact CERT and your local
    authorities.");
      # The finding is rated as a full compromise of the host (C:C/I:C/A:C).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09");
      script_set_attribute(attribute:"plugin_publication_date", value: "2000/01/28");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english: "Backdoors");
    
      script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc.");
    
      # Raw-packet probe: only runs when thorough tests are enabled.
      script_require_keys("Settings/ThoroughTests");
      exit(0);
    }
    
    include("global_settings.inc");
    include("audit.inc");
    include("misc_func.inc");
    include("obj.inc");
    
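    # Detection pass: send an unsolicited ICMP ECHO reply carrying id 668 and
    # "gesundheit!" and look for an ICMP answer with id 669 (and, unless the
    # scan is paranoid, the "sicken\n" marker in its payload).
    if ( TARGET_IS_IPV6 ) audit(AUDIT_ONLY_IPV4);
    if ( islocalhost() ) audit(AUDIT_LOCALHOST);
    if ( ! thorough_tests ) audit(AUDIT_THOROUGH);
    
    src = compat::this_host();
    
    ip = forge_ip_packet(
           ip_v   : 4,
           ip_hl  : 5,
           ip_tos : 0,
           ip_id  : 0x1234,
           ip_len : 20,
           ip_off : 0,
           ip_p   : IPPROTO_ICMP,
           ip_src : src,
           ip_ttl : 0x40);
    
    # icmp_type 0 is an ECHO reply, not a request.
    icmp = forge_icmp_packet(
             ip        : ip,
             icmp_type : 0,
             icmp_code : 0,
             icmp_seq  : 1,
             icmp_id   : 668,
             data      : "gesundheit!");
    
    # Any ICMP from the target back to the scanner; the id is checked below.
    filter = "icmp and src host " + get_host_ip() + " and dst host " + compat::this_host();
    
    r = send_packet(icmp, pcap_active : TRUE, pcap_filter : filter);
    
    vuln = FALSE;
    
    if (r)
    {
      reply_id = get_icmp_element(icmp:r, element:"icmp_id");
    
      if (reply_id == 669)
      {
        data = get_icmp_element(icmp:r, element:"data");
    
        # Paranoid scans (report_paranoia == 2) accept the id alone; otherwise
        # the payload must also carry the "sicken\n" marker.
        if (report_paranoia < 2)
        {
          if ('sicken\n' >< data)
            vuln = TRUE;
        }
        else if (report_paranoia == 2)
          vuln = TRUE;
      }
    }
    
    if(vuln)
    {
      if(report_verbosity > 0)
      {
        # The report is assembled only here, where it is used.  An identical
        # copy used to be built as soon as id 669 was seen and then
        # unconditionally overwritten by this one.
        report =
          '\nNessus was able to exploit the issue using the following ICMP ECHO reply :' +
          '\n' +
          '\n' + 'ECHO ( id = ' + get_icmp_element(icmp:icmp, element:"icmp_id") +
                 '; data = ' + obj_rep(get_icmp_element(icmp:icmp, element:"data")) + ')' +
          '\n';
        snip = crap(data:'-', length:30) + ' snip ' + crap(data:'-', length:30);
        report +=
          '\nNessus confirmed this by examining ICMP traffic and looking for the' +
          '\nappropriate data in the ICMP ECHO reply. Below is the response :' +
          '\n\n' + snip +
          '\n' + 'ECHO ( id = ' + get_icmp_element(icmp:r, element:"icmp_id") +
                 '; data = ' + obj_rep(data) + ')' +
          '\n' + snip +
          '\n';
    
        security_hole(port: 0, extra: report);
      }
      else security_hole(port: 0);
    }
    else audit(AUDIT_HOST_NOT, "affected");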
    
  • NASL familyBackdoors
    NASL idTFN.NASL
    descriptionThe remote host appears to be running TFN (Tribe Flood Network), which is a Trojan Horse that can be used to control your system or make it attack another network. It is very likely that this host has been compromised
    last seen2020-06-01
    modified2020-06-02
    plugin id10283
    published1999-12-10
    reporterThis script is Copyright (C) 1999-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10283
    titleTFN (Tribe Flood Network) Trojan Detection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: metadata only; the ICMP probe below does not run here.
    if (description)
    {
     script_id(10283);
     script_version("1.23");
     script_cvs_date("Date: 2019/03/06 18:38:55");
    
     script_cve_id("CVE-2000-0138");
    
     script_name(english:"TFN (Tribe Flood Network) Trojan Detection");
     script_summary(english:"Detects the presence of TFN");
    
     script_set_attribute(attribute:"synopsis", value:"The remote host has been compromised.");
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running TFN (Tribe Flood Network), which
    is a Trojan Horse that can be used to control your system or make it
    attack another network.
    
    It is very likely that this host has been compromised");
     script_set_attribute(attribute:"solution", value:
    "Restore your system from backups, contact CERT and your local
    authorities.");
     # The finding is rated as a full compromise of the host (C:C/I:C/A:C).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2000/02/09");
     script_set_attribute(attribute:"plugin_publication_date", value:"1999/12/10");
    
     # Flagged as a potential (not confirmed) vulnerability: the only
     # evidence is an ICMP id value, so the plugin is paranoid-only.
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 1999-2019 Tenable Network Security, Inc.");
     script_family(english:"Backdoors");
    
     # Gated on the paranoid-report setting rather than on thorough tests.
     script_require_keys("Settings/ParanoidReport");
    
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    
    # Detection pass, paranoid scans only: the sole evidence is an ICMP reply
    # whose id field equals ID_ACK, so the check is not run otherwise.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if(islocalhost())exit(0);
    if ( TARGET_IS_IPV6 ) exit(0);
    
    # TFN control values: the probe carries ID_SYNPORT in the ICMP id field
    # and a live daemon is expected to answer with ID_ACK there.
    ID_ACK = 123;
    ID_SYNPORT = 678;
    
    ip = forge_ip_packet(ip_hl:5, ip_v:4, ip_off:0,
                         ip_id:9, ip_tos:0, ip_p:IPPROTO_ICMP,
                         ip_len:20, ip_src:compat::this_host(),
                         ip_ttl:255);
    
    # icmp_type 8: the probe is an ECHO request.
    icmp = forge_icmp_packet(ip:ip, icmp_type:8, icmp_code:0,
                             icmp_seq:1, icmp_id:ID_SYNPORT,
                             data:"1234");
    
    # Any ICMP from the target back to the scanner; the id is checked below.
    bpf = "icmp and src host " + get_host_ip() + " and dst host " + compat::this_host();
    reply = send_packet(icmp, pcap_active:TRUE, pcap_filter:bpf);
    if(reply)
    {
     reply_id = get_icmp_element(icmp:reply, element:"icmp_id");
     if(reply_id == ID_ACK) security_hole(protocol:"icmp", port:0);
    }
    
    
    
  • NASL familyBackdoors
    NASL idWIN_TRINOO.NASL
    descriptionThe remote host appears to be running Trin00 for Windows, a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool). It is very likely that this host has been compromised.
    last seen2020-06-01
    modified2020-06-02
    plugin id10307
    published2000-02-28
    reporterThis script is Copyright (C) 2000-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10307
    titleTrin00 for Windows Trojan Detection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include( 'compat.inc' );
    
    # Registration pass: metadata only; the UDP probe below does not run here.
    if(description)
    {
    	script_id(10307);
    	script_version ("1.29");
    	script_cvs_date("Date: 2019/03/06 18:38:55");
    
    	script_cve_id("CVE-2000-0138");
    
    	script_name(english:"Trin00 for Windows Trojan Detection");
    	script_summary(english:"Detects the presence of trin00");
    
    	script_set_attribute(
        attribute:'synopsis',
        value:'The remote service is a malicious backdoor application.'
      );
    
      script_set_attribute(
        attribute:'description',
        value:
    "The remote host appears to be running Trin00 for Windows, a trojan
    that can be used to control your system or make it attack another
    network (this is actually called a distributed denial of service
    attack tool). 
    
    It is very likely that this host has been compromised."
      );
    
      script_set_attribute(
        attribute:'solution',
        value:
    "Restore your system from backups and contact CERT as well as your
    local authorities."
      );
      # The finding is rated as a full compromise of the host (C:C/I:C/A:C).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(
        attribute:'see_also',
        value:'https://staff.washington.edu/dittrich/misc/trinoo.analysis'
      );
    
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2000/02/28");
      script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
    	# NOTE(review): registered as ACT_GATHER_INFO, yet on a positive match
    	# the detection pass also sends the agent a second ("die") command,
    	# which changes state on the target; confirm the category is intended.
    	script_category(ACT_GATHER_INFO);
    
    	script_copyright(english:"This script is Copyright (C) 2000-2016 Tenable Network Security, Inc." );
    	script_family(english:"Backdoors");
    	# Raw-packet probe: only runs when thorough tests are enabled.
    	script_require_keys("Settings/ThoroughTests");
    
    	exit(0);
    }
    
    #
    # The script code starts here
    #
    
    
    include('global_settings.inc');
    
    # Detection pass: send the Windows trin00 agent a "png" command on UDP
    # 34555 and expect a "PONG" payload back on UDP 35555.  On a hit the
    # plugin additionally sends the agent its "d1e" command.
    if ( ! thorough_tests ) exit(1, "This plugin only runs if the 'Perform thorough tests' setting is enabled.");
    if ( islocalhost() ) exit(0, "Can't check against localhost.");
    if ( TARGET_IS_IPV6 ) exit(1, "This check is not implemented for IPv6 targets.");
    
    agent_port = 34555;   # UDP port the probe is sent to
    reply_port = 35555;   # UDP port the agent is expected to answer on
    ping_cmd = string("png []..Ks l44");
    die_cmd  = string("d1e []..Ks l44");
    
    ip = forge_ip_packet(ip_hl:5, ip_v:4, ip_off:0,
                         ip_id:9, ip_tos:0, ip_p:IPPROTO_UDP,
                         ip_len:20, ip_src:compat::this_host(),
                         ip_ttl:255);
    
    # uh_ulen covers the 8-byte UDP header plus the payload.
    probe = forge_udp_packet(ip:ip,
                             uh_sport:1024,
                             uh_dport:agent_port,
                             uh_ulen:8 + strlen(ping_cmd),
                             data:ping_cmd);
    
    # Capture only UDP from the target back to the scanner on the reply port.
    bpf = string("udp and src host ", get_host_ip(), " and dst host ", compat::this_host(), " and dst port ", reply_port);
    rep = send_packet(probe, pcap_filter:bpf, pcap_active:TRUE);
    if(!rep) exit(0, "The host does not appear to be affected.");
    
    dstport = get_udp_element(udp:rep, element:"uh_dport");
    payload = get_udp_element(udp:rep, element:"data");
    if(dstport == reply_port && "PONG" >< payload)
    {
     security_hole(port:agent_port, protocol:"udp");
     # NOTE(review): the variable name suggests this tells the agent to shut
     # down (confirm against the trinoo analysis linked in see_also).  That
     # alters the compromised host and may remove evidence an incident
     # responder would want, and nothing in the plugin's category or report
     # signals it.  The packet is sent blind; no reply is captured.
     kill = forge_udp_packet(ip:ip,
                             uh_sport:1024,
                             uh_dport:agent_port,
                             uh_ulen:8 + strlen(die_cmd),
                             data:die_cmd);
     send_packet(kill, pcap_active:FALSE);
     exit(0);
    }
    exit(0, "The host does not appear to be affected.");