I assume that's what this patch is for:
radmin_detect.nasl
Status: changed
Id: 11123
Name: radmin detection
Family: Backdoors
Category: infos
Summary: Detect radmin
Version: 1.4
CVE-ID(s): n/a
Changes:
12- script_version ("$Revision: 1.3 $");
12+ script_version ("$Revision: 1.4 $");
--------
44- port = get_kb_item("Services/unknown");
45- if (! port) port=4899;
44+ if(safe_checks())
45+ {
46+ port = 4899;
47+ }
48+ else
49+ {
50+ port = get_kb_item("Services/unknown");
51+ if (! port) port=4899;
52+ }
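Review bot: In the safe_checks() branch at new lines 44-47, port is fixed to 4899 and the "Services/unknown" KB entry is never read, so with safe checks enabled the plugin only ever looks at the default port, and nothing in the hunk says why probing unknown services is treated as unsafe. Add a comment stating the reason. Also consider collapsing the duplicated default: `if (!safe_checks()) port = get_kb_item("Services/unknown");` followed by the existing `if (! port) port=4899;` selects the same port in both modes with a single assignment of 4899, assuming port is not set earlier in the script.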
--------
97+
98+
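Review bot: New lines 97-98 add only blank lines and no code. Drop them so the change stays limited to the port-selection logic and the revision bump.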
--------
First, thanks!
Second, I'm hoping to understand the whys. Before this patch,
radmin_detect would attempt to find a known backdoor (radmin) on any unknown
service (from find_service.nes?), right? So we have limited the
effectiveness of this script unless I can provide legitimate traffic so you
can identify snmpdm, right? I.e., the script won't be able to detect the
radmin backdoor if the attacker starts it on another port.
I'm still trying to get some legitimate traffic for you.
Thanks,
Owen