> Interesting. I have seen the FireDaemon.exe check giving out false positives
> on the Compaq Web Agents services, need to change the match pattern to
> something besides just "FireDaemon". I think the Compaq web service is
> spitting back an error containing the name of the request, can you send me
> the complete output from the plugin?

All I have is the GUI report...

cpq-wbem(2301/tcp)=> Possible Backdoors:
FireDaemon.exe - /msadc/FireDaemon.exe
FireDaemon.exe - //FireDaemon.exe
FireDaemon.exe - /C/FireDaemon.exe
FireDaemon.exe - /D/FireDaemon.exe

> Has this plugin caused any other false positives? Every check has a defined
> match pattern to look for (vs a 200/404 check), so there may be a couple
> whose match patterns are triggered by web server error responses containing
> the name of the requested file.

Hmm... I don't think that it has produced any other false positives, which is why I freaked out when I saw this. If you pass the webserver this request:

http://somewebserver:2301/FireDaemon.exe

it returns the attached page.

What was more interesting to me was the following. After the scan, I connected to port 2301 with a browser to check it out, and I got a page that had been modified. I'm not sure which plugin caused the buffer overflow in McAfee (which apparently overwrote the Compaq Insight web page with what was in memory at the time -- your script's request), but it would be interesting to find out.

<<compaq_404_response.html>>
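
The false-positive mode discussed in this thread (a match pattern triggered by an error page that repeats the requested file name), as an added example that is not part of the original messages or the scanner's own plugin code. The function names, result labels and sample responses are hypothetical and constructed for illustration:

```python
import re
import secrets

def strip_echo(body, path):
    """Remove echoes of the requested path and its file name from a body."""
    name = path.rstrip("/").rsplit("/", 1)[-1]
    for token in sorted({path, name}, key=len, reverse=True):
        if token:
            body = re.sub(re.escape(token), "", body, flags=re.IGNORECASE)
    return body

def classify_hit(pattern, path, fetch):
    """Classify a pattern match for `path`; fetch(path) returns the body."""
    rx = re.compile(pattern, re.IGNORECASE)
    body = fetch(path)
    if not rx.search(body):
        return "no-match"
    # The match vanishes once the echoed request is removed: the server
    # only repeated the requested name back in its error page.
    if not rx.search(strip_echo(body, path)):
        return "reflected"
    # Control request: a random name in the same directory that cannot exist.
    control = f"{path.rsplit('/', 1)[0]}/{secrets.token_hex(8)}.exe"
    if rx.search(fetch(control)):
        return "error-template"  # pattern is part of every error page
    return "confirmed"

# Constructed responses (not captured from a real device).
def echoing_server(path):
    return f"<html><body><h1>404</h1>The URL {path} was not found.</body></html>"

def branded_server(path):
    return "<html><body>Error. Service managed by FireDaemon.</body></html>"

def real_hit_server(path):
    if path == "/msadc/FireDaemon.exe":
        return "MZ... FireDaemon service manager"
    return "<html><body>Not found</body></html>"

if __name__ == "__main__":
    for server in (echoing_server, branded_server, real_hit_server):
        result = classify_hit("FireDaemon", "/msadc/FireDaemon.exe", server)
        print(server.__name__, "->", result)
```

A "reflected" or "error-template" result means the match pattern needs to be something the server cannot produce by echoing the request or by serving its standard error page.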
