Package: nessus-plugins
Version: 2.2.4-2
Severity: normal

/var/lib/nessus/plugins/w32_spybot_worm_variant.nasl (Nessus ID 15520)
erroneously identifies nullidentd 1.0-3 as being the w32.spybot.fcd worm.

The script sends "GET \r\n" to the server and considers a worm to be
found if the reply includes " : USERID : UNIX :" unless this string is
*immediately* preceded by "GET". However, this is what nullidentd
returns, courtesy of netcat:

> 00000000 47 45 54 20 0d 0a                               # GET ..
< 00000000 47 45 54 20 20 3a 20 55 53 45 52 49 44 20 3a 20 # GET  : USERID : 
< 00000010 55 4e 49 58 20 3a 20 66 6f 6f 62 61 72 0d 0a    # UNIX : foobar..

Note that there are two spaces before the first colon. One comes from
the request and another from nullidentd's format string.

I don't know how the actual worm reacts, so I will refrain from
suggesting a particular fix.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27makholm6
Locale: LANG=en_DK, LC_CTYPE=en_DK.iso88591 (charmap=ISO-8859-1)

Versions of packages nessus-plugins depends on:
ii  debconf      1.4.52              Debian configuration management sy
ii  libc6        2.3.2.ds1-22        GNU C Library: Shared libraries an
ii  libnessus2   2.2.4-1             Nessus shared libraries
ii  libnet1      1.1.2.1-2           library for the construction and h
ii  libssl0.9.7  0.9.7g-1            SSL shared libraries

Versions of packages nessus-plugins recommends:
ii  nessus       2.2.4-2             Remote network security auditor, t
ii  nmap         3.81-2              The Network Mapper
ii  snmp         5.2.1.2-1           NET SNMP (Simple Network Managemen
ii  wget         1.10-3+1.10.1beta1  retrieves files from the web

-- debconf information:
  nessus-plugins/remove_unknown: false
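
The false positive described in this report, modelled as an added example (not the plugin's NASL source and not part of the original report). The matching rule is reconstructed from the report's wording and the nullidentd reply is taken from its hex dump; the function names and the two other replies are constructed, and `echo_aware_check` is only one possible way to recognise an echoed probe, since the worm's real reply is not shown in the report.

```python
# Model of the check as the report describes it (assumption: the real
# plugin may differ in detail; only the described behaviour is reproduced).
PROBE = b"GET \r\n"
NEEDLE = b" : USERID : UNIX :"

# Reply bytes copied from the hex dump in the report (nullidentd 1.0-3).
NULLIDENTD_REPLY = bytes.fromhex(
    "47 45 54 20 20 3a 20 55 53 45 52 49 44 20 3a 20 "
    "55 4e 49 58 20 3a 20 66 6f 6f 62 61 72 0d 0a"
)
# Constructed replies for comparison (not captured from any real service).
SINGLE_SPACE_ECHO = b"GET : USERID : UNIX : foobar\r\n"
NO_ECHO_REPLY = b"1234 : USERID : UNIX : foobar\r\n"


def described_check(reply: bytes) -> bool:
    """Flag unless the needle is *immediately* preceded by b'GET'."""
    i = reply.find(NEEDLE)
    if i < 0:
        return False
    return reply[max(0, i - 3):i] != b"GET"


def context_before_needle(reply: bytes) -> bytes:
    """Bytes in front of the needle: what the exact-match test looks at."""
    i = reply.find(NEEDLE)
    return reply[:i] if i >= 0 else b""


def echo_aware_check(reply: bytes) -> bool:
    """Hypothetical variant: treat 'probe text + any whitespace' as an echo."""
    i = reply.find(NEEDLE)
    if i < 0:
        return False
    return reply[:i].rstrip() != PROBE.strip()


if __name__ == "__main__":
    for name, reply in [("nullidentd", NULLIDENTD_REPLY),
                        ("single-space echo", SINGLE_SPACE_ECHO),
                        ("no echo", NO_ECHO_REPLY)]:
        print(f"{name:18} prefix={context_before_needle(reply)!r:9} "
              f"described={described_check(reply)} "
              f"echo_aware={echo_aware_check(reply)}")
```

The needle itself starts with a space, so nullidentd's second space is consumed by the match and the three bytes in front of it are `ET ` rather than `GET`, which is why the exact-adjacency test fires.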