The remote system responds to requests typically seen by BPFDoor, a backdoor payload for Linux that is often deployed by malware to gain re-entry to a device. This plugin will open a callback on the scanner and listen for the BPFDoor response. As such, it will not work with cloud based scanners. 

This plugin will attempt to send the BPFDoor payload to any open port on the scan target. If no ports are known to be open, it will attempt to send a packet to UDP 68, if the preference 'Consider unscanned ports as closed' is set to 'no.' The plugin will also validate that a response to the callback looks correct. If you wish to catch even unknown responses, you may set 'Show potential false alarms.'

There are one or more indicators that this system has run BPFDoor, a backdoor payload for Linux that is often deployed by malware to gain re-entry to a device.

It is recommended that the results are manually verified and appropriate remediation actions taken.

Note that Nessus has not tested for this issue but has instead looked for traces typically left by the backdoor.

The checksum of one or more files on the remote MacOS host matches one of the signatures provided using the 'Provide your own list of known bad hashes' preference (found under the 'Hash and Whitelist Files' section) in the scan policy.

Note that Nessus has only scanned MacOS executable binaries and libraries.

The checksum of one or more files on the remote MacOS host matches known malware.

Note that Nessus has only scanned MacOS executable binaries and libraries.

The checksum of one or more files on the remote Linux host matches one of the signatures provided using the 'Provide your own list of known bad hashes' preference (found under the 'Hash and Whitelist Files' section) in the scan policy.

Note that Nessus has only scanned Linux executable binaries and libraries.

The checksum of one or more files on the remote Linux host matches known malware.

Note that Nessus has only scanned Linux executable binaries and libraries.

The defined rules and Yara install have been configured on the remote host.

The defined rules and temporary Yara install have been cleaned from the remote host.

This host seems to be running an instance of Ncat that is listening over TLS.  Ncat is an open source networking tool that can be used as a backdoor to allow unauthorized entry and control of the remote host

An attacker may use it to steal your passwords, modify your data, and prevent you from working properly.

The remote SingTel router may be contain a backdoor. Certain SingTel routers had their administrative web interfaces port-forwarded to public-facing addresses by customer support after users requested customer service. Depending on the configuration, the router may require no credentials, default credentials, or weak credentials to obtain administrative privileges.

A remote attacker can both control these devices and use them as a pivot to widen the attack surface to all connected devices.

This host seems to be running WinShell. WinShell is a Trojan Horse which allows an intruder to take the control of the remote computer.

An attacker may use it to steal your passwords, modify your data, and prevent you from working properly.

The version of Piriform CCleaner installed on the remote Windows host is equal to 5.33.6162. It is, therefore, affected by a malicious backdoor in CCleaner.exe that allows remote attackers to obtain sensitive information and install unauthorized software.

Nessus detected one or more processes on the remote Linux host that match a YARA rule. Note that scanning memory requires a privileged account that can use ptrace.

Nessus detected one or more files on the remote Linux that match a YARA rule.

The hash of one or more running processes on the remote Mac OS X host matches one of the signatures provided using the 'Provide your own list of known bad hashes' preference (found under the 'Hash and Whitelist Files' section) in the scan policy.

Verify that the remote processes are legitimate and authorized in your environment.

The hash of one or more running processes on the remote Linux host matches one of the signatures provided using the 'Provide your own list of known bad hashes' preference (found under the 'Hash and Whitelist Files' section) in the scan policy.

Verify that the remote processes are legitimate and authorized in your environment.

Nessus detected a backdoor trojan known as G_Door on the remote host.
A remote attacker can exploit this to have unrestricted remote control over the system.

Nessus detected a backdoor trojan known as NetSpy on the remote host.
A remote attacker can exploit this to have unrestricted remote control over the system.

The remote host is infected by the SYNful Knock implant, a persistent backdoor introduced via a malicious IOS firmware image. A remote attacker can exploit the implant, via HTTP packets sent to the device's interface, to gain complete control of the affected device.

The remote device is an ASUS router that contains firmware which is affected by a flaw in its 'infosvr' service due to not properly checking the MAC address of a request. An unauthenticated, remote attacker, using a crafted request to UDP port 9999, can exploit this to run arbitrary commands or access configuration details (including passwords) on the device.

ZXShell is a remote access trojan backdoor that can be used to persist on your network for malicious purposes.

Detections : 

  - ZXShell HTTP server 
  - ZXShell Command and Control server

The remote host is running a Hikit backdoor client. Hikit is a remote administration tool (RAT) used to control computers infected by malware. The 'client' component is used to control those computers and is associated with malicious activity.

The remote device is a SYAC DigiEye, a digital video recorder, with a backdoor running on port 7339. An attacker can use the backdoor to run arbitrary commands or access configuration details (including passwords) on the device, with administrative (root) privileges.

The remote HP storage system running LeftHand OS has an SSH support backdoor mechanism built in that may allow a remote attacker to gain root shell access to the system.

Nessus was able to access the 'web_shell_cmd.gch' script on the device, which is a backdoor that allows administrative commands to be run on the device without authentication.

The remote host is running LusyPOS, a point-of-sale (POS) malware that uses memory scraping techniques and the Tor network to exfiltrate data.

The remote device is a DSL Modem/Router with a backdoor running on port 32764.  It is possible for an attacker to run arbitrary commands or access configuration details (including passwords) on the device.

One or more running processes on the remote macOS or Mac OS X host are not listed in a database of 'known good' software, and have never been seen in any recent (less than twelve months) scans.

The hash of one or more running processes on the remote Mac OS X host matches known malware.

One or more running processes on the remote Linux host are not listed in any database of 'known good' software, and have never been seen in any recent (less than twelve months) scans.

The hash of one or more running processes on the remote Linux host matches known malware.

The remote Windows host has files that indicate that the KINS banking Trojan has been installed.

False positives may occur if file names identical to files KINS creates are detected on the system.

The remote host seems to be infected by the Linux/Cdorked.A backdoor. This backdoor could allow an attacker remote access to the system.  It can also cause users accessing an infected web server to be redirected to malicious websites.

DNSChanger appears to be installed on the remote host.  This malware configures the host to use rogue DNS servers, which could cause requests for legitimate websites and hostnames to be routed to attacker controlled machines. 

Nessus determines the likelihood of infection by comparing the list of DNS servers configured on the host to a list of IP addresses associated with this malware.  More information can be found in the linked references.

A shell is listening on the remote port without any authentication being required. An attacker may use it by connecting to the remote port and sending commands directly.

The remote host seems to be infected by the Stuxnet worm.  This worm has several capabilities that allow an attacker to execute arbitrary code on the remote operating system. 

The remote host might also be attempting to propagate the worm to third party hosts.

The remote Windows host has files present on the system that indicate the Stuxnet worm has infected the system. This worm attempts to spread in several ways, making use of known Windows vulnerabilities and removable media. It has been seen making use of several 0-day vulnerabilities as well as attacking Siemens SCADA systems.

This plugin looks for files present on Windows systems that are generated upon infection. The Stuxnet executable uses hard-coded file names, and generates several files, such as malicious drivers that are loaded by the system. The presence of these files is indicative of a system that has been infected through one of the multiple vectors Stuxnet attempts to use.

The remote Windows host has files present on the system that indicate that the 'Here You Have' email worm is present. A user of this host likely received an email containing a malicious '.scr' (screen saver) file and infected the host as a result of running this file.

This malware has several features. The most damaging is to self-propagate and infect systems via email, removable drives, shared folders and instant messaging. The worm sends copies of itself to addresses found in Microsoft Outlook address books and Yahoo! Messenger, enticing the user to click on the attached '.scr' file, which leads to further propagation of the worm.

The malware also disables a variety of antivirus packages from a multitude of vendors, turning them off in order to ensure its survival on a newly infected system. These AV packages remain disabled while the system is infected, so an AV scan may not detect an actual infection.

The malware also attempts to recover saved passwords for things such as sites stored in Internet Explorer and Firefox, wireless network keys, and more. This stolen data is then returned to the attacker. It does this by using third-party, non-malicious tools designed for credential recovery. The way these tools are stored and used by this malware is non-standard, however, and are an indication of infection by this malware.

The remote IRC server is a version of UnrealIRCd with a backdoor that allows an attacker to execute arbitrary code on the affected host.

The remote Windows host has files that indicate that the Zeus (also known as Zbot) banking trojan has been installed, or that stolen data collected by this trojan remains on the system.

The Zeus trojan will intercept and log activity related to online banking, as well as other logins, such as web, ftp, email, etc, and report these credentials to a third party. The targeted credentials are unique per Zeus infection, so any website can be affected.

Zeus also gives the attacker complete control over the system, allowing for further malware to be installed, the ability to proxy traffic through an infected host, and other things like the ability to kill the system.

False positives may occur if file names identical to files Zeus creates are detected on the system. These file names mimic standard Windows files, and should be considered suspicious under any circumstances.

The remote Windows host includes an install of the Energizer DUO software, likely included with a Energizer DUO USB battery charger to allow a user to view the battery charging status.

The installed version of this software includes the Arugizer backdoor (Arucer.dll), which is reported to have been distributed with the Energizer DUO software.

An unauthenticated, remote attacker who connects to this port can use the backdoor to list directories, send and receive files, and execute programs.

The remote Windows host appears to be running the Arugizer backdoor. 

An unauthenticated, remote attacker who connects to this port can use the backdoor to list directories, send and receive files, and execute programs.

The remote host seems to be infected by the Conficker worm. This worm has several capabilities that allow an attacker to execute arbitrary code on the remote operating system.

The remote host might also be attempting to propagate the worm to third-party hosts.

The remote host seems to be infected by the Conficker worm. This worm has several capabilities which allow an attacker to execute arbitrary code on the remote operating system. The remote host might also be attempting to propagate the worm to third party hosts.

The remote service tries to mimic a known service. 

This is probably a backdoor.  In this case, your system may be compromised, and an attacker can control it remotely.

Although this service answers with 3 digit ASCII codes like FTP, SMTP or NNTP servers, it sends back different codes when several NOOP commands are sent in a row.

This is probably a backdoor; in this case, your system is compromised and an attacker can control it remotely.

The remote port seems to be sending the payload of a malware.  This is used by some worms when spreading by infecting other hosts. 

The system is probably infected by a worm or a Trojan horse.

The remote Windows host uses the file 'System32\drivers\etc\hosts' to fix the name resolution of some sites to localhost or internal systems. Some viruses or spyware modify this file to prevent antivirus software or other security software from obtaining updates.

Nessus has found one or more suspicious entries in this file that may prove the remote host is infected by a malicious program.

A Microsoft Windows shell is running on port 8888. This may indicate an infection by the Zotob worm, although other worms may also create a shell on this port.

This host seems to be running an ident server, but before any request is sent, the server gives an answer about a connection to port 6667.

It is very likely this system has been compromised by an IRC bot and is now a 'zombie' that can participate in 'distributed denial of service' (DDoS) attacks.

ID	Name	Severity
161761	Linux BPFDoor Detection (Direct Check)	critical
161476	Potential Exposure to BPFDoor (Local Check - Linux)	critical
126261	MacOS Malicious File Detection: User Defined Malware	critical
126260	MacOS Malicious File Detection	critical
126259	Linux Malicious File Detection: User Defined Malware	critical
126258	Linux Malicious File Detection	critical
124649	YARA Scan Setup (Linux)	info
124648	YARA Scan Cleanup (Linux)	info
122316	Ncat TLS Listener	critical
110271	SingTel Backdoor Detection (ForgotDoor)	high
106629	WinShell Trojan Detection	critical
103302	Piriform CCleaner 5.33.6162 Backdoor	critical
97863	YARA Memory Scan (Linux)	critical
97862	YARA File Scan (Linux)	critical
91224	Malicious Process Detection: User Defined Malware Running (Mac OS X)	critical
91223	Malicious Process Detection: User Defined Malware Running (Linux)	critical
90255	G_Door Malware Detection	critical
90254	NetSpy Malware Services Detection	critical
86151	Cisco IOS SYNful Knock Implant	critical
80518	ASUS Router 'infosvr' Remote Command Execution	critical
78430	ZXShell Malware Services Detection	critical
78429	Hikit Backdoor Detection	critical
77606	SYAC DigiEye Backdoor Detection	high
73461	HP StoreVirtual Storage Remote Unauthorized Access	high
73104	ZTE F460 / F660 Cable Modems web_shell_cmd.gch Administrative Backdoor	critical
80457	LusyPOS Malware Detection	critical
71807	ScMM DSL Modem/Router Backdoor Detection	critical
71264	Reputation of macOS Executables: Never seen process(es)	info
71263	Mac OS X Malicious Process Detection	critical
71262	Reputation of Linux Executables: Never seen process(es)	info
71261	Linux Malicious Process Detection	critical
69555	KINS Banking Trojan/Data Theft (credentialed check)	critical
66391	Linux/Cdorked.A Backdoor	critical
58182	DNSChanger Malware Detection	medium
51988	Bind Shell Backdoor Detection	critical
50658	Stuxnet Worm Detection (uncredentialed check)	critical
49270	Stuxnet Worm Detection	critical
49211	Here You Have Email Worm Detection	critical
46882	UnrealIRCd Backdoor Detection	critical
45085	Zeus/Zbot Banking Trojan/Data Theft (credentialed check)	critical
45006	Energizer DUO USB Battery Charger Software Backdoor (credentialed check)	critical
45005	Arugizer Backdoor Detection	critical
36217	Conficker P2P Service Detection	critical
36036	Conficker Worm Detection (uncredentialed check)	critical
33951	Generic Backdoor Detection (banner check)	critical
32376	Fake SMTP/FTP Server Detection (possible backdoor)	critical
31854	Malware Payload Code detection	critical
23910	Compromised Windows System (hosts File Check)	critical
19429	Zotob Worm Detection	critical
18392	IRC Bot Detection	critical

Detections

Analytics

Backdoors Family for Nessus

critical

critical

critical

critical

critical

critical

info

info

critical

high

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

high

critical

critical

critical

info

critical

info

critical

critical

critical

medium

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical