PHP code for checking for the NetBus Trojan
Source: www.yestar2000.com   Author: yestar2000   Published: 2004-09-09
 

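<?php

// The NetBus Trojan is very powerful; anyone who has used it probably remembers it well, and it left a deep impression on me too.
// The test below only checks a few ports, and NetBus can change its listening port.

function connectToPort ($host, $port) {
    $status = 0;

    // The host name comes from reverse DNS, so escape it before printing
    $hostHtml = htmlspecialchars($host, ENT_QUOTES);

    print "<p><code>Trying port $port at $hostHtml...";

    // Open the port. $errno and $errstr are filled in by reference;
    // give up after 5 seconds instead of waiting for the default timeout
    $errno = 0;
    $errstr = "";
    $socket = fsockopen($host, $port, $errno, $errstr, 5);

    if ($socket) {
        // Check whether the port is open; if it is, that's bad news
        print "<br>Port $port connection established - BAD!</code></p>";
        $status = 1;
        stream_set_blocking($socket, false);

        $count = 0;
        $portOutput = "";

        // We will not keep trying for ever; let's stop after
        // 10000 glances
        while ($count < 10000) {
            $readString = fread($socket, 1);
            // Compare strictly so that a "0" byte is not dropped
            if ($readString !== false && $readString !== "") {
                // Add the output to the sum of output
                $portOutput .= $readString;
            }
            $count++;
        }

        // Enough of this. Close the connection.
        fclose($socket);

        if ($portOutput != "") {
            // Convert <, >, " and & to HTML entities
            $portOutput = htmlspecialchars($portOutput, ENT_QUOTES | ENT_SUBSTITUTE);
            print "<p><code>Output:</code></p><pre>$portOutput</pre>";
        }

    } else {
        // In case we have good news:
        print "<br>Port $port connection refused - good</code></p>";
    }

    // Return status for the port we just examined
    return $status;
}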



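function printForm ($host, $uri) {
    // Escape both values before they go into the HTML: the host name comes
    // from reverse DNS and the URI from the request
    $hostHtml = htmlspecialchars($host, ENT_QUOTES);
    $uriHtml = htmlspecialchars($uri, ENT_QUOTES);

    // Make sure the user knows what's going on.
    // This should not be dangerous in any way, but let's ask anyway
    print "
<form method=post action=\"$uriHtml\">
<p>Permission to <span class=permit>connect to ports 12345
and 12346 at host
<code>$hostHtml</code></span>&nbsp;granted:&nbsp;&nbsp;<input
type=checkbox name=permission value=\"ok\"></p>
<p><input class=submit type=submit></p>
</form>
";
}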



// **********
// MAIN
// **********

// Some definitions - the standard Netbus ports
$netBusPortA = 12345; // NetBus's default listening port
$netBusPortB = 12346;

// This may seem stupid; but if PHP is running in 'safe mode',
// the SCRIPT_URI environment variable doesn't seem to
// be readily available
$uri = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];

// Standard CGI environment variable; we are not using CGI, but
// fortunately, the variable is still available
$host = gethostbyaddr($_SERVER['REMOTE_ADDR']);

// Escaped copies for printing; the raw values are still needed for
// the Referer comparison and for the connection itself
$hostHtml = htmlspecialchars($host, ENT_QUOTES);
$uriHtml = htmlspecialchars($uri, ENT_QUOTES);

// Requesting host innocent until otherwise proven
$netBusStatus = 0;

// Request values are read from the superglobals; register_globals
// is not available in current PHP
$permission = isset($_POST['permission']) ? $_POST['permission'] : "";
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";

// Trying to make sure that the user actually wants me
// to scan his/her ports. - And trying to make sure that nobody is
// directly linking to the script.
// (The Referer header is sent by the client and may be missing or changed.)
if (!(($permission === "ok") &&
    ($_SERVER['REQUEST_METHOD'] == "POST") && ($referer == $uri))) {
    // Write the permission-asking form - i.e. call the
    // previously defined 'printForm' function
    printForm($host, $uri);
} else {
    // Paranoia checks OK. Let's do it
    print "
<h2>Processing host $hostHtml...</h2>
<table border=1 cellpadding=5>
";

    print "<tr><td>";

    // Call script and add the status to the sum of status
    // codes. The function 'connectToPort' is defined above
    $netBusStatus += connectToPort($host, $netBusPortA);
    print "</td></tr>";

    print "<tr><td>";
    // Call the connect-function again for the other port
    $netBusStatus += connectToPort($host, $netBusPortB);
    print "</td></tr>";

    print "</table>";

    // Summarize results
    print "<h2>Conclusion</h2>";

    if ($netBusStatus > 0) {
        // Damn. The sum of status codes should be zero.
        // User probably has Netbus installed.
        print "
<p>Connection to at least one Netbus port
succeeded. That's a <strong class=bad>bad</strong> sign!</p>
<p>This means that you probably have Netbus installed
on your computer. See
<a href=\"http://www.iss.net/xforce/alerts/advise8.html\">ISS'
alert summary</a> for removal instructions.</p>
";
    } else {
        // It's nice to bring good news
        print "
<p>No Netbus ports responded at host $hostHtml.
Congratulations - that's a <strong class=good>good</strong> sign!</p>
<p>This may not be a definitive test, though:
<br> - If Netbus is installed at non-standard ports or
<br> - if you are sitting behind a firewall,
<br>this utility will fail to detect Netbus.</p>
<p>You may <a href=\"$uriHtml\">try again</a>.</p>
";
    }
}

?>
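
Added example, not part of the original script: the listing above reports "connection refused - good" for every failed connect, including timeouts, which is exactly the firewall case its own conclusion text warns about. The code below keeps refused, open and unanswered probes apart; the function names, the timeouts and the errno list are assumptions made for this example.

```php
<?php
// Added example (not from the original script): classify each probe result.
// Assumed ECONNREFUSED values: 111 on Linux, 61 on BSD/macOS, 10061 on Windows.
const REFUSED_ERRNOS = [111, 61, 10061];

function probePort(string $host, int $port, float $timeout = 3.0): array
{
    $errno = 0;
    $errstr = '';
    $socket = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($socket === false) {
        // Refused means the host answered and nothing listens on that port.
        // Anything else (timeout, unreachable) means the probe saw nothing.
        $state = in_array($errno, REFUSED_ERRNOS, true) ? 'closed' : 'inconclusive';
        return ['port' => $port, 'state' => $state, 'banner' => '', 'error' => $errstr];
    }
    // Bounded blocking read instead of spinning on a non-blocking socket.
    stream_set_timeout($socket, 2);
    $banner = fread($socket, 64);
    fclose($socket);
    return ['port' => $port, 'state' => 'open',
            'banner' => $banner === false ? '' : $banner, 'error' => ''];
}

function summarize(array $results): string
{
    $states = array_column($results, 'state');
    if (in_array('open', $states, true)) {
        return 'at least one port accepted a connection';
    }
    if (in_array('inconclusive', $states, true)) {
        return 'no answer on at least one port (filtered or unreachable): result inconclusive';
    }
    return 'all probed ports refused the connection';
}

// Constructed demo: probes the local machine only, from the command line.
if (PHP_SAPI === 'cli') {
    $results = [probePort('127.0.0.1', 12345), probePort('127.0.0.1', 12346)];
    foreach ($results as $r) {
        // Escape control and high bytes so raw service output prints safely.
        printf("%d: %s %s\n", $r['port'], $r['state'],
            addcslashes($r['banner'], "\0..\37\177..\377"));
    }
    echo summarize($results), "\n";
}
```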
 

 
