- Netbus detector
-
- Examines the user's computer for open ports used by Netbus (the trojan horse) and reports the conclusion to the user.
-
-
-
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
- <html>
- <!-- Version 1.1, November 29 1998. -->
- <!-- Latest version is at http://www.mdb.ku.dk/tarvin/netbus-detector/ -->
- <head><title>Netbus detector</title>
- <meta name="description" content="Online Netbus detection utility - see if Netbus is installed on your computer">
- <meta name="keywords" content="detection, netbus">
-
- <style type="text/css">
- <!--
- body {
- background-color: white;
- color: black;
- }
- strong.bad {
- color: red;
- font-weight: bold;
- }
- strong.good {
- color: green;
- font-weight: bold;
- }
- input.submit {
- background-color: teal;
- color: white;
- }
- h1 {
- color: teal;
- }
- h2 {
- color: teal;
- }
- .permit {
- background-color: yellow;
- }
- pre {
- background-color: yellow;
- }
- p.note {
- font-size: smaller;
- }
- -->
- </style>
- </head>
-
- <body>
-
- <h1>Netbus detector</h1>
-
- <?php
-
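/**
 * Probe one TCP port and print the outcome as HTML.
 *
 * An accepted connection is reported as "BAD", and whatever the service sends
 * straight after the connection opens is echoed back HTML-escaped. An open
 * port is a strong hint, not proof: any other service listening on the same
 * port gives the same result, and if a proxy or NAT device sits in front of
 * the visitor the answer describes that device instead.
 *
 * @param string $host Address to probe. Callers should pass the requesting
 *                     client's own address, never a name taken from the request.
 * @param int    $port TCP port to probe.
 *
 * @return int 1 if the connection was accepted, 0 otherwise.
 */
function connectToPort($host, $port)
{
    // Both values are written into the page. A host name obtained by reverse
    // DNS is chosen by whoever controls the PTR record, so it is escaped like
    // any other untrusted input.
    $host = (string) $host;
    $port = (int) $port;
    $shownHost = htmlspecialchars($host, ENT_QUOTES | ENT_SUBSTITUTE);

    // Not declared ill unless we find something
    $status = 0;

    print "<p><code>Trying port $port at $shownHost...";

    // fsockopen() raises a warning when the connection fails. A refused
    // connection is the expected, healthy outcome here, so the warning (and
    // the script path it would reveal) is kept out of the page.
    $errno = 0;
    $errstr = '';
    $socket = false;
    if ($host !== '') {
        set_error_handler(static function () {
            return true;
        });
        try {
            // $errno/$errstr are passed as plain variables: the old call-time
            // "&$errno" form is a fatal error on current PHP. The explicit
            // 5 second timeout keeps a filtered port from stalling the request.
            $socket = fsockopen($host, $port, $errno, $errstr, 5);
        } finally {
            restore_error_handler();
        }
    }

    if (!$socket) {
        // Good news. Note that a timeout or an unreachable host also lands
        // here, not only an actively refused connection.
        print "<br>Port $port connection refused - good</code></p>";

        return $status;
    }

    // A connection could be made; this is probably Netbus answering.
    print "<br>Port $port connection established - BAD!</code></p>";
    $status = 1;

    // Collect whatever the service announces, bounded both in time and in
    // size so a silent or very chatty peer cannot tie up the script.
    $maxBytes = 10000;
    $deadline = microtime(true) + 2.0;
    $portOutput = '';
    stream_set_blocking($socket, false);

    while (strlen($portOutput) < $maxBytes && !feof($socket)) {
        $left = $deadline - microtime(true);
        if ($left <= 0) {
            break;
        }

        $readable = [$socket];
        $writable = null;
        $exceptional = null;
        $seconds = (int) floor($left);
        $micros = (int) (($left - $seconds) * 1000000);
        $ready = stream_select($readable, $writable, $exceptional, $seconds, $micros);
        if ($ready === false || $ready === 0) {
            break;
        }

        // Compare against false/'' explicitly: a truthiness test would drop
        // a chunk consisting of the single character "0".
        $chunk = fread($socket, $maxBytes - strlen($portOutput));
        if ($chunk === false || $chunk === '') {
            break;
        }
        $portOutput .= $chunk;
    }

    // Enough of this. Close the connection.
    fclose($socket);

    if ($portOutput !== '') {
        // The banner comes from an untrusted service. It is escaped once, as
        // a whole; ENT_SUBSTITUTE keeps non-UTF-8 bytes from blanking it out.
        $shownOutput = htmlspecialchars($portOutput, ENT_QUOTES | ENT_SUBSTITUTE);
        print "<p><code>Output:</code></p><pre>$shownOutput</pre>";
    }

    // Return status for the port we just examined
    return $status;
}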
-
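/**
 * Print the form that asks the visitor for permission to be scanned.
 *
 * @param string $host Host shown to the visitor as the scan target.
 * @param string $uri  URL the form posts back to.
 *
 * @return void
 */
function printForm($host, $uri)
{
    // Both values can carry client-influenced text (the request URI, a
    // reverse-DNS name), so they are escaped before being placed in an
    // attribute or in element content.
    $shownHost = htmlspecialchars((string) $host, ENT_QUOTES | ENT_SUBSTITUTE);
    $formAction = htmlspecialchars((string) $uri, ENT_QUOTES | ENT_SUBSTITUTE);

    // Make sure the user knows what's going on.
    // This should not be dangerous in any way, but let's ask anyway
    print "
<form method=post action=\"$formAction\">
<p>Permission to <span class=permit>connect to ports 12345
and 12346 at host
<code>$shownHost</code></span> granted: <input
type=checkbox name=permission value=\"ok\"></p>
<p><input class=submit type=submit></p>
</form>
";
}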
-
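// **********
// MAIN
// **********

// Some definitions - the standard Netbus ports
$netBusPortA = 12345;
$netBusPortB = 12346;

// Request data is read from the superglobals. The bare $SERVER_NAME-style
// variables depended on register_globals, which current PHP no longer has.
$serverName = (string) ($_SERVER['SERVER_NAME'] ?? '');
$requestUri = (string) ($_SERVER['REQUEST_URI'] ?? '');
$requestMethod = (string) ($_SERVER['REQUEST_METHOD'] ?? '');
$referer = (string) ($_SERVER['HTTP_REFERER'] ?? '');
$remoteAddr = (string) ($_SERVER['REMOTE_ADDR'] ?? '');
$permission = $_POST['permission'] ?? '';

// The script's own URL, rebuilt by hand because SCRIPT_URI is not reliably
// available. The scheme follows the current request so that the Referer
// comparison below can also succeed when the page is served over HTTPS.
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$uri = $scheme . '://' . $serverName . $requestUri;

// The scan target is the connecting address itself. A reverse-DNS name is
// deliberately not used: the PTR record is set by whoever controls that
// address range and may resolve forward to a different machine, which would
// point this script at a host that never asked to be scanned.
// If the visitor is behind a proxy this is the proxy's address, and the
// result then says nothing about the visitor's own computer.
$clientIp = filter_var($remoteAddr, FILTER_VALIDATE_IP);
if ($clientIp === false) {
    $host = '';
} elseif (strpos($clientIp, ':') !== false) {
    // IPv6 literals need brackets when handed to the socket functions.
    $host = '[' . $clientIp . ']';
} else {
    $host = $clientIp;
}

// Escaped copies for the HTML printed directly in this block.
$shownHost = htmlspecialchars($host, ENT_QUOTES | ENT_SUBSTITUTE);
$shownUri = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE);

// Requesting host innocent until otherwise proven
$netBusStatus = 0;

if ($host === '') {
    print "<p>Could not determine your network address, so nothing was scanned.</p>";
} elseif (!(($permission === "ok") &&
    ($requestMethod === "POST") && ($referer === $uri))) {
    // Trying to make sure that the user actually wants the ports scanned,
    // and that nobody is linking directly to the scan.
    // NOTE(review): the Referer header is supplied by the client and may be
    // stripped by browser privacy settings; treat this as a courtesy check
    // against deep links, not as authentication.
    printForm($host, $uri);
} else {
    // Paranoia checks OK. Let's do it
    print "
<h2>Processing host $shownHost...</h2>
<table border=1 cellpadding=5>
";

    print "<tr><td>";

    // Call the probe and add the status to the sum of status
    // codes. The function 'connectToPort' is defined above
    $netBusStatus += connectToPort($host, $netBusPortA);
    print "</td></tr>";

    print "<tr><td>";
    // Call the connect-function again for the other port
    $netBusStatus += connectToPort($host, $netBusPortB);
    print "</td></tr>";

    print "</table>";

    // Summarize results
    print "<h2>Conclusion</h2>";

    if ($netBusStatus > 0) {
        // The sum of status codes should be zero.
        // User probably has Netbus installed.
        print "
<p>Connection to at least one Netbus port
succeeded. That's a <strong class=bad>bad</strong> sign!</p>
<p>This means that you probably have Netbus installed
on your computer. See
<a href=\"http://www.iss.net/xforce/alerts/advise8.html\">ISS'
alert summary</a> for removal instructions.</p>
";
    } else {
        // It's nice to bring good news
        print "
<p>No Netbus ports responded at host $shownHost.
Congratulations - that's a <strong class=good>good</strong> sign!</p>
<p>This may not be a definitive test, though:
<br> - If Netbus is installed at non-standard ports or
<br> - if you are sitting behind a firewall,
<br>this utility will fail to detect Netbus.</p>
<p>You may <a href=\"$shownUri\">try again</a>.</p>
";
    }
}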
-
- ?>
-
- </body>
- </html>
-