Vulnerabilities > CVE-2000-0138
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL network
low complexity
nessus
Summary
A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft.
Nessus
NASL family Backdoors NASL id SHAFT.NASL description The remote host appears to be running Shaft, which is a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool). It is very likely that this host has been compromised last seen 2020-06-01 modified 2020-06-02 plugin id 10350 published 2000-03-17 reporter This script is Copyright (C) 2000-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10350 title Shaft Trojan Detection code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(10350); script_version ("1.27"); script_cvs_date("Date: 2019/03/06 18:38:55"); script_cve_id("CVE-2000-0138"); script_name(english: "Shaft Trojan Detection"); script_set_attribute(attribute:"synopsis", value: "The remote host is infected by a Trojan horse." ); script_set_attribute(attribute:"description", value: "The remote host appears to be running Shaft, which is a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool). It is very likely that this host has been compromised" ); script_set_attribute(attribute:"solution", value: "Restore your system from backups, contact CERT and your local authorities." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_publication_date", value: "2000/03/17"); script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english: "Detects the presence of Shaft"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc."); script_family(english: "Backdoors"); script_require_keys("Settings/ThoroughTests"); exit(0); } # # The script code starts here # include('global_settings.inc'); if ( islocalhost() ) exit(0); if ( ! thorough_tests ) exit(0); if ( TARGET_IS_IPV6 ) exit(0); shaft_dstport = 18753; shaft_rctport = 20433; shaft_scmd = "alive"; shaft_spass = "tijgu"; command = string(shaft_scmd, " ", shaft_spass, " hi 5 1918"); ip = forge_ip_packet(ip_hl:5, ip_v:4, ip_off:0, ip_id:9, ip_tos:0, ip_p : IPPROTO_UDP, ip_len : 20, ip_src : compat::this_host(), ip_ttl : 255); length = 8 + strlen(command); udpip = forge_udp_packet(ip : ip, uh_sport : 1024, uh_dport : shaft_dstport, uh_ulen : length, data : command); filter = string("udp and src host ", get_host_ip(), " and dst host ", compat::this_host(), " and dst port ", shaft_rctport); rep = send_packet(udpip, pcap_filter:filter, pcap_active:TRUE); if(!isnull(rep)) { dstport = get_udp_element(udp:rep, element:"uh_dport"); if(dstport == shaft_rctport && "alive tijgu" >< rep )security_hole(port:shaft_dstport, protocol:"udp"); }
NASL family Backdoors NASL id MSTREAM_AGENT.NASL description The remote host appears to be running a mstream agent, which is a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool) It is very likely that this host has been compromised last seen 2020-06-01 modified 2020-06-02 plugin id 10390 published 2000-05-02 reporter This script is Copyright (C) 2000-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10390 title mstream DDoS Agent Detection code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(10390); script_version("1.29"); script_cvs_date("Date: 2019/03/06 18:38:55"); script_cve_id("CVE-2000-0138"); script_name(english:"mstream DDoS Agent Detection"); script_summary(english:"Detects the presence of a mstream agent"); script_set_attribute(attribute:"synopsis", value: "The remote host has a suspicious application installed."); script_set_attribute(attribute:"description", value: "The remote host appears to be running a mstream agent, which is a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool) It is very likely that this host has been compromised"); # http://web.archive.org/web/20010828115057/http://www.whitehats.com/info/IDS111 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?455cacb3"); script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=95722093124322&w=2"); script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=95715370208598&w=2"); script_set_attribute(attribute:"solution", value: "Restore your system from known good backups or re-install the operating system."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_publication_date", value:"2000/05/02"); script_set_attribute(attribute:"vuln_publication_date", value:"2000/02/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc."); script_family(english:"Backdoors"); script_dependencie("find_service1.nasl"); script_require_keys("Settings/ThoroughTests"); exit(0); } # include('global_settings.inc'); if ( TARGET_IS_IPV6 ) exit(0); if ( islocalhost() ) exit(0); if (! thorough_tests ) exit(0); function detect(dport, sport) { local_var command, dstport, filter, ip, len, r, udp; command = string("ping\n"); ip = forge_ip_packet(ip_hl:5, ip_v:4, ip_off:0, ip_id:9, ip_tos:0, ip_p : IPPROTO_UDP, ip_len : 20, ip_src : compat::this_host(), ip_ttl : 255); len = 8 + strlen(command); udp = forge_udp_packet( ip:ip, uh_sport:65535, uh_dport:dport, uh_ulen : len, data:command); filter = string("udp and src host ", get_host_ip(), " and dst port ", sport, " and dst host ", compat::this_host()); r = send_packet(udp, pcap_active:TRUE, pcap_filter:filter, pcap_timeout:3); if(!isnull(r)) { dstport = get_udp_element(udp:r, element:"uh_dport"); if(dstport == sport)return(1); else return(0); } else return(0); } if(detect(sport:6838, dport:10498))security_warning(port:10498, proto:"udp"); else if(detect(sport:9325, dport:7983))security_warning(port:7983, proto:"udp");
NASL family Backdoors NASL id TRINITY.NASL description The remote host appears to be running Trinity v3, a Trojan Horse that can be used to control your system or make it attack another network (this is actually called a Distributed Denial Of Service attack tool). It is very likely that this host has been compromised last seen 2020-06-01 modified 2020-06-02 plugin id 10501 published 2000-09-05 reporter This script is Copyright (C) 2000-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10501 title Trinity v3 Trojan Detection code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(10501); script_version ("1.16"); script_cvs_date("Date: 2018/06/13 18:56:25"); script_cve_id("CVE-2000-0138"); script_name(english: "Trinity v3 Trojan Detection"); script_set_attribute(attribute:"synopsis", value: "The remote host has been compromised." ); script_set_attribute(attribute:"description", value: "The remote host appears to be running Trinity v3, a Trojan Horse that can be used to control your system or make it attack another network (this is actually called a Distributed Denial Of Service attack tool). It is very likely that this host has been compromised" ); script_set_attribute(attribute:"solution", value: "Restore your system from backups, contact CERT and your local authorities" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_publication_date", value: "2000/09/05"); script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english: "Detects the presence of trinity v3"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc."); script_family(english: "Backdoors"); script_require_ports(33270); exit(0); } # # The script code starts here # if(get_port_state(33270)) { soc = open_sock_tcp(33270); if(soc) { req = string("!@#\r\n"); send(socket:soc, data:req); r = recv(socket:soc, length:16000); req = string("id\r\n"); send(socket:soc, data:req); r = recv(socket:soc, length:16000); if("uid" >< r)security_hole(33270); close(soc); } }
NASL family Backdoors NASL id TRINOO.NASL description The remote host appears to be running Trin00, a Trojan Horse that can be used to control your system or make it attack another network (this is actually called a Distributed Denial Of Service attack tool). It is very likely that this host has been compromised. last seen 2020-06-01 modified 2020-06-02 plugin id 10288 published 2000-02-05 reporter This script is Copyright (C) 2000-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10288 title Trin00 Trojan Detection code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(10288); script_version ("1.25"); script_cvs_date("Date: 2019/03/06 18:38:55"); script_cve_id("CVE-2000-0138"); script_name(english: "Trin00 Trojan Detection"); script_set_attribute(attribute:"synopsis", value: "The remote host has been compromised." ); script_set_attribute(attribute:"description", value: "The remote host appears to be running Trin00, a Trojan Horse that can be used to control your system or make it attack another network (this is actually called a Distributed Denial Of Service attack tool). It is very likely that this host has been compromised." ); script_set_attribute(attribute:"solution", value: "Restore your system from backups, contact CERT and your local authorities." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_publication_date", value: "2000/02/05"); script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english: "Detects the presence of trin00"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc."); script_family(english: "Backdoors"); script_require_keys("Settings/ThoroughTests"); exit(0); } # # The script code starts here # include('global_settings.inc'); if ( TARGET_IS_IPV6 ) exit(0); if ( islocalhost() ) exit(0); if ( ! thorough_tests ) exit(0); command = string("png l44adsl"); pong = string("PONG"); ip = forge_ip_packet(ip_hl:5, ip_v:4, ip_off:0, ip_id:9, ip_tos:0, ip_p : IPPROTO_UDP, ip_len : 20, ip_src : compat::this_host(), ip_ttl : 255); length = 8 + strlen(command); udpip = forge_udp_packet(ip : ip, uh_sport : 1024, uh_dport : 27444, uh_ulen : length, data : command); trg = get_host_ip(); me = compat::this_host(); pf = string("udp and src host ", trg, " and dst host ", me, " and dst port 31335"); rep = send_packet(udpip, pcap_filter:pf, pcap_active:TRUE); if(rep) { dstport = get_udp_element(udp:rep, element:"uh_dport"); if(dstport == 31335) { security_hole(port:27444, protocol:"udp"); } }
NASL family Backdoors NASL id MSTREAM_HANDLER.NASL description The remote host appears to be running a mstream handler, which is a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool) It is very likely that this host has been compromised last seen 2020-06-01 modified 2020-06-02 plugin id 10391 published 2000-05-02 reporter This script is Copyright (C) 2000-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10391 title mstream DDoS Handler Detection code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(10391); script_version ("1.24"); script_cvs_date("Date: 2018/06/13 18:56:25"); script_cve_id("CVE-2000-0138"); script_name(english:"mstream DDoS Handler Detection"); script_set_attribute(attribute:"synopsis", value: "The remote host appears to have a suspicious program installed." ); script_set_attribute(attribute:"description", value: "The remote host appears to be running a mstream handler, which is a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool) It is very likely that this host has been compromised" ); script_set_attribute(attribute:"solution", value: "Restore your system from known good backups or re-install the operating system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_publication_date", value: "2000/05/02"); script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Detects the presence of a mstream agent"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc."); script_family(english:"Backdoors"); script_require_ports(6723, 15104, 12754); script_dependencies("find_service1.nasl"); script_require_keys("Settings/ThoroughTests"); exit(0); } # include("misc_func.inc"); include('global_settings.inc'); if ( islocalhost() ) exit(0); if (! thorough_tests ) exit(0); function check(port, pass) { local_var r, soc; if(get_port_state(port)) { soc = open_sock_tcp(port); if(soc) { send(socket:soc, data:string(pass, "\r\n")); r = recv(socket:soc, length:2, timeout:2); close(soc); if(r == "> ") { security_warning(port); return(1); } } } return(0); } port = get_unknown_svc(); if(port) { if(check(port:port, pass:"sex"))exit(0); if(check(port:port, pass:"N7%diApf!"))exit(0); } else { if(check(port:6723, pass:"sex"))exit(0); if(check(port:15104, pass:"N7%diApf!"))exit(0); if(check(port:12754, pass:"N7%diApf!"))exit(0); }
NASL family Backdoors NASL id STACHELDRAHT.NASL description The remote host is running Stacheldraht, a trojan horse that can be used to control your system or make it attack another network. An ICMP ECHO reply was sent to the remote host with last seen 2020-06-01 modified 2020-06-02 plugin id 10270 published 2000-01-28 reporter This script is Copyright (C) 2000-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10270 title Stacheldraht Trojan Detection code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(10270); script_version ("1.29"); script_cvs_date("Date: 2019/03/06 18:38:55"); script_cve_id("CVE-2000-0138"); script_name(english:"Stacheldraht Trojan Detection"); script_summary(english:"Detects the presence of Stacheldraht."); script_set_attribute(attribute:"synopsis", value: "The remote host has a distributed denial of service (DDOS) agent installed."); script_set_attribute(attribute:"description", value: "The remote host is running Stacheldraht, a trojan horse that can be used to control your system or make it attack another network. An ICMP ECHO reply was sent to the remote host with 'gesundheit!' and an ID of 668. The host sent a reply with 'sicken\n' and an ID of 669. If Paranoid is enabled, the plugin will only check for the ICMP ECHO reply having ID 669. It is very likely that this host has been compromised."); script_set_attribute(attribute:"see_also", value:"http://www.sans.org/security-resources/idfaq/stacheldraht.php"); script_set_attribute(attribute:"solution", value: "Restore your system from backups, and contact CERT and your local authorities."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09"); script_set_attribute(attribute:"plugin_publication_date", value: "2000/01/28"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english: "Backdoors"); script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc."); script_require_keys("Settings/ThoroughTests"); exit(0); } include("global_settings.inc"); include("audit.inc"); include("misc_func.inc"); include("obj.inc"); if ( TARGET_IS_IPV6 ) audit(AUDIT_ONLY_IPV4); if ( islocalhost() ) audit(AUDIT_LOCALHOST); if ( ! thorough_tests ) audit(AUDIT_THOROUGH); src = compat::this_host(); ip = forge_ip_packet( ip_v : 4, ip_hl : 5, ip_tos : 0, ip_id : 0x1234, ip_len : 20, ip_off : 0, ip_p : IPPROTO_ICMP, ip_src : src, ip_ttl : 0x40); icmp = forge_icmp_packet( ip : ip, icmp_type : 0, icmp_code : 0, icmp_seq : 1, icmp_id : 668, data : "gesundheit!"); filter = "icmp and src host " + get_host_ip() + " and dst host " + compat::this_host(); r = send_packet(icmp, pcap_active : TRUE, pcap_filter : filter); vuln = FALSE; if (r) { type = get_icmp_element(icmp:r, element:"icmp_id"); if (type == 669) { data = get_icmp_element(icmp:r, element:"data"); report = '\nNessus was able to exploit the issue using the following ICMP ECHO reply :' + '\n' + '\n' + 'ECHO ( id = ' + get_icmp_element(icmp:icmp, element:"icmp_id") + '; data = ' + obj_rep(get_icmp_element(icmp:icmp, element:"data")) + ')' + '\n'; snip = crap(data:'-', length:30) + ' snip ' + crap(data:'-', length:30); report += '\nNessus confirmed this by examining ICMP traffic and looking for the' + '\nappropriate data in the ICMP ECHO reply. Below is the response :' + '\n\n' + snip + '\n' + 'ECHO ( id = ' + get_icmp_element(icmp:r, element:"icmp_id") + '; data = ' + obj_rep(data) + ')' + '\n' + snip + '\n'; if (report_paranoia < 2) { if ('sicken\n' >< data) vuln = TRUE; } else if (report_paranoia == 2) vuln = TRUE; } } if(vuln) { if(report_verbosity > 0) { report = '\nNessus was able to exploit the issue using the following ICMP ECHO reply :' + '\n' + '\n' + 'ECHO ( id = ' + get_icmp_element(icmp:icmp, element:"icmp_id") + '; data = ' + obj_rep(get_icmp_element(icmp:icmp, element:"data")) + ')' + '\n'; snip = crap(data:'-', length:30) + ' snip ' + crap(data:'-', length:30); report += '\nNessus confirmed this by examining ICMP traffic and looking for the' + '\nappropriate data in the ICMP ECHO reply. Below is the response :' + '\n\n' + snip + '\n' + 'ECHO ( id = ' + get_icmp_element(icmp:r, element:"icmp_id") + '; data = ' + obj_rep(data) + ')' + '\n' + snip + '\n'; security_hole(port: 0, extra: report); } else security_hole(port: 0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Backdoors NASL id TFN.NASL description The remote host appears to be running TFN (Tribe Flood Network), which is a Trojan Horse that can be used to control your system or make it attack another network. It is very likely that this host has been compromised last seen 2020-06-01 modified 2020-06-02 plugin id 10283 published 1999-12-10 reporter This script is Copyright (C) 1999-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10283 title TFN (Tribe Flood Network) Trojan Detection code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(10283); script_version("1.23"); script_cvs_date("Date: 2019/03/06 18:38:55"); script_cve_id("CVE-2000-0138"); script_name(english:"TFN (Tribe Flood Network) Trojan Detection"); script_summary(english:"Detects the presence of TFN"); script_set_attribute(attribute:"synopsis", value:"The remote host has been compromised."); script_set_attribute(attribute:"description", value: "The remote host appears to be running TFN (Tribe Flood Network), which is a Trojan Horse that can be used to control your system or make it attack another network. It is very likely that this host has been compromised"); script_set_attribute(attribute:"solution", value: "Restore your system from backups, contact CERT and your local authorities."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"vuln_publication_date", value:"2000/02/09"); script_set_attribute(attribute:"plugin_publication_date", value:"1999/12/10"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 1999-2019 Tenable Network Security, Inc."); script_family(english:"Backdoors"); script_require_keys("Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); if(islocalhost())exit(0); if ( TARGET_IS_IPV6 ) exit(0); ip = forge_ip_packet(ip_hl:5, ip_v:4, ip_off:0, ip_id:9, ip_tos:0, ip_p : IPPROTO_ICMP, ip_len : 20, ip_src : compat::this_host(), ip_ttl : 255); # # We send the command ID_SYNPORT (678) and wait for # ID_ACK (123) # ID_ACK = 123; ID_SYNPORT = 678; icmp = forge_icmp_packet(ip:ip,icmp_type : 8, icmp_code:0, icmp_seq : 1, icmp_id : ID_SYNPORT, data:"1234"); filter = string("icmp and src host ", get_host_ip(), " and dst host ", compat::this_host()); r = send_packet(icmp, pcap_active:TRUE, pcap_filter:filter); if(r) { type = get_icmp_element(icmp:r, element:"icmp_id"); if(type == ID_ACK)security_hole(protocol:"icmp",port:0); }
NASL family Backdoors NASL id WIN_TRINOO.NASL description The remote host appears to be running Trin00 for Windows, a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool). It is very likely that this host has been compromised. last seen 2020-06-01 modified 2020-06-02 plugin id 10307 published 2000-02-28 reporter This script is Copyright (C) 2000-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10307 title Trin00 for Windows Trojan Detection code # # (C) Tenable Network Security, Inc. # include( 'compat.inc' ); if(description) { script_id(10307); script_version ("1.29"); script_cvs_date("Date: 2019/03/06 18:38:55"); script_cve_id("CVE-2000-0138"); script_name(english:"Trin00 for Windows Trojan Detection"); script_summary(english:"Detects the presence of trin00"); script_set_attribute( attribute:'synopsis', value:'The remote service is a malicious backdoor application.' ); script_set_attribute( attribute:'description', value: "The remote host appears to be running Trin00 for Windows, a trojan that can be used to control your system or make it attack another network (this is actually called a distributed denial of service attack tool). It is very likely that this host has been compromised." ); script_set_attribute( attribute:'solution', value: "Restore your system from backups and contact CERT as well as your local authorities." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute( attribute:'see_also', value:'https://staff.washington.edu/dittrich/misc/trinoo.analysis' ); script_set_attribute(attribute:"plugin_publication_date", value: "2000/02/28"); script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2000-2016 Tenable Network Security, Inc." ); script_family(english:"Backdoors"); script_require_keys("Settings/ThoroughTests"); exit(0); } # # The script code starts here # include('global_settings.inc'); if ( ! thorough_tests ) exit(1, "This plugin only runs if the 'Perform thorough tests' setting is enabled."); if ( islocalhost() ) exit(0, "Can't check against localhost."); if ( TARGET_IS_IPV6 ) exit(1, "This check is not implemented for IPv6 targets."); command = string("png []..Ks l44"); die = string("d1e []..Ks l44"); ip = forge_ip_packet(ip_hl:5, ip_v:4, ip_off:0, ip_id:9, ip_tos:0, ip_p : IPPROTO_UDP, ip_len : 20, ip_src : compat::this_host(), ip_ttl : 255); length = 8 + strlen(command); udpip = forge_udp_packet(ip : ip, uh_sport : 1024, uh_dport : 34555, uh_ulen : length, data : command); trg = get_host_ip(); me = compat::this_host(); pf = string("udp and src host ", trg, " and dst host ", me, " and dst port 35555"); rep = send_packet(udpip, pcap_filter:pf, pcap_active:TRUE); if(rep) { dstport = get_udp_element(udp:rep, element:"uh_dport"); data = get_udp_element(udp:rep, element:"data"); if(dstport == 35555 && "PONG" >< data) { security_hole(port:34555, protocol:"udp"); length = 8 + strlen(die); udpip2 = forge_udp_packet(ip : ip, uh_sport : 1024, uh_dport : 34555, uh_ulen : length, data : die); send_packet(udpip2, pcap_active:FALSE); exit(0); } } exit(0, "The host does not appear to be affected.");