Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / modules / nessus-2.2.8.mo / usr / lib / nessus / plugins / webhancer_detection.nasl < prev next >

Wrap

Text File | 2005-01-14 | 4KB | 131 lines

# # Copyright (C) 2004 Tenable Network Security # # if(description) { script_id(12005); script_version("$Revision: 1.6 $"); name["english"] = "WEBHANCER detection"; script_name(english:name["english"]); desc["english"] = " The remote host is using the WEBHANCER program. You should ensure that: - the user intended to install WEBHANCER (it is sometimes silently installed) - the use of WEBHANCER matches your corporate mandates and security policies. To remove this sort of software, you may wish to check out ad-aware or spybot. See also : http://www.safersite.com/PestInfo/w/webhancer.asp Solution : Uninstall this software Risk factor : High"; script_description(english:desc["english"]); summary["english"] = "WEBHANCER detection"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004 Tenable Network Security"); family["english"] = "Windows"; script_family(english:family["english"]); script_dependencies("smb_registry_full_access.nasl"); script_require_keys("SMB/registry_full_access"); script_require_ports(139, 445); exit(0); } # start the script if ( ! get_kb_item("SMB/registry_full_access") ) exit(0); path[0] = "clsid\{c900b400-cdfe-11d3-976a-00e02913a9e0}"; path[1] = "software\classes\clsid\{c900b400-cdfe-11d3-976a-00e02913a9e0}"; path[2] = "software\classes\interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0}"; path[3] = "software\classes\typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0}"; path[4] = "software\classes\whiehelperobj.whiehelperobj.1\clsid"; path[5] = "software\classes\whiehelperobj.whiehelperobj\curver"; path[6] = "software\microsoft\windows\currentversion\app management\arpcache\whsurvey"; path[7] = "software\microsoft\windows\currentversion\explorer\browser helper objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}"; path[8] = "software\microsoft\windows\currentversion\run\webhancer agent"; path[9] = "software\microsoft\windows\currentversion\run\webhancer survey companion"; path[10] = "software\microsoft\windows\currentversion\uninstall\webhancer agent"; path[11] = "software\microsoft\windows\currentversion\uninstall\whsurvey"; path[12] = "software\webhancer"; global_var handle; include("smb_nt.inc"); x_name = kb_smb_name(); if(!x_name)exit(0); _smb_port = kb_smb_transport(); if(!_smb_port)exit(0); if(!get_port_state(_smb_port)) exit(0); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); if(!login)login = ""; if(!pass) pass = ""; soc = open_sock_tcp(_smb_port); if(!soc) exit(0); # # Request the session # r = smb_session_request(soc:soc, remote:x_name); if(!r) { close(soc); exit(0); } # # Negociate the protocol # prot = smb_neg_prot(soc:soc); if(!prot){ close(soc); exit(0); } r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot); if(!r){ close(soc); exit(0); } uid = session_extract_uid(reply:r); r = smb_tconx(soc:soc, name:x_name, uid:uid, share:"IPC$"); tid = tconx_extract_tid(reply:r); if(!tid){ close(soc); exit(0); } r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg"); if(!r){ close(soc); exit(0);} pipe = smbntcreatex_extract_pipe(reply:r); r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe); if(!r){ close(soc); exit(0); } handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe); if ( ! handle ) exit(0); for (i=0; path[i]; i++) { key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:path[i], reply:handle); if(key_h != NULL) {security_hole(kb_smb_transport()); exit(0); } } close(soc);