HTTP Backdoor Detection

Critical Nessus Plugin ID 35322


The remote host may be compromised.


Regardless of the request that's made, the remote web server returns a Microsoft executable. This is highly suspicious and may be an indication of a worm. For example, the Conficker.A / Downadup worm is known to propagate in this fashion.
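One way to express the condition described above as a triage check over responses you have already captured. This is an added example, not the code of fake_http_server.nasl; the function names, the two-path minimum and the sample bodies are assumptions constructed for illustration.

```python
import struct

def is_pe_executable(body: bytes) -> bool:
    """True if body starts with a DOS 'MZ' header that points at a 'PE\\0\\0' signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    # e_lfanew: 32-bit little-endian offset of the PE header, stored at 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    # An out-of-range offset yields an empty slice, which simply fails the match.
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def looks_like_fake_http_server(responses: dict) -> bool:
    """responses maps request path -> response body, collected for unrelated paths.

    A legitimate server may serve one real download, so a single executable
    is not enough: flag only when every path (at least two) returns one.
    """
    return len(responses) >= 2 and all(
        is_pe_executable(body) for body in responses.values()
    )

def make_pe_stub() -> bytes:
    """Constructed sample: the smallest byte string that passes the header check."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header directly after DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample data: every path returns an executable (suspicious).
SAMPLE_SUSPICIOUS = {
    "/": make_pe_stub(),
    "/index.html": make_pe_stub(),
    "/zq81k-does-not-exist": make_pe_stub(),
}

# Constructed sample data: a normal site that hosts one real installer.
SAMPLE_NORMAL = {
    "/": b"<html><body>Welcome</body></html>",
    "/downloads/setup.exe": make_pe_stub(),
    "/zq81k-does-not-exist": b"<html><body>404 Not Found</body></html>",
}

if __name__ == "__main__":
    print("suspicious host:", looks_like_fake_http_server(SAMPLE_SUSPICIOUS))
    print("normal host:", looks_like_fake_http_server(SAMPLE_NORMAL))
```
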


Check the host and disinfect / reinstall it if necessary.

Plugin Details

Severity: Critical

ID: 35322

File Name: fake_http_server.nasl

Version: $Revision: 1.9 $

Type: remote

Published: 2009/01/08

Modified: 2013/01/25

Dependencies: 10582, 17975

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C