I found this excellent writeup of a Web-server botnet on Slashdot this weekend. Since it sounded like just the thing for Nmap to detect, I wrote a quick script!
First, the attacker somehow compromises an innocent Web server (presumably via weak passwords or a similar mechanism). After the compromise, an additional Web server is started on port 8080. This server, however is malicious; it will try and exploit vulnerable browsers with typical drive-by downloads. If a non-vulnerable browser connects to it, instead of serving the malware the server redirects them (via the "302 Found" status) to another infected Web server which attempts to do the same.
This redirection is easy to detect with Nmap.
The script is called http-malware-host.nse, and I highly recommend running it against your own servers. All you need to do is check it out from svn and run it:
$ svn co --username guest --password '' svn://svn.insecure.org/nmap $ cd nmap $ ./configure && make # make install $ nmap -d -p80,443,8080 --script=http-malware-host <target>
If the host is clean, you will see no additional output. If the host is infected, you'll see the following:
$ ./nmap -p8080 --script=http-malware-host last-another-life.ru Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-16 09:32 CDT Warning: Hostname last-another-life.ru resolves to 5 IPs. Using 22.214.171.124. NSE: Script Scanning completed. Interesting ports on 80-69-74-73.colo.transip.net (126.96.36.199): PORT STATE SERVICE 8080/tcp open http-proxy | http-malware-host: Host appears to be infected (/ts/in.cgi?open2 redirects to http://last-another-life.ru:8080/index.php) |_ See: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet- of-zombie-web-servers/
I highly recommend double-checking your servers for this infection!
<UPDATE> You can download the current version of the scrit (as of Sept 17, 2009) here. That version won't be kept up to date, though.