Nmap Script to detect Linksys "The Moon" malware

local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Attempts to retrieve the XML HNAP generated on infected Linksys router systems by "The Moon" Malware.

Quick help on NSE: to install copy script to nse scripts directory (e.g. /usr/local/share/nmap/scripts) then run "sudo nmap --update-db". Then use it like "nmap --script=http-linksys-vuln -p 8080 10.0.0.0/24"

Link:
* http://threatpost.com/moon-worm-spreading-on-linksys-home-and-smb-routers/104268
]]

---
-- @output
-- PORT   STATE SERVICE REASON
-- 8080/tcp open  http    syn-ack
-- |_LinkSys system likely INFECTED - HNAP string found in response

author = "Florian Roth"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "malware"}

portrule = shortport.port_or_service(8080)

action = function(host, port)
    local response
    local lines
    local infected

    -- LynkSys Malware Test
    response = http.get(host, port, "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n")

    if response.body and response.status == 200 then
        if string.match(response.body, "/HNAP1/") then
            infected = true
        end
    end

    lines = {}
    if infected then
        lines[#lines + 1] = "LinkSys system likely INFECTED - HNAP string found in response"
    end

    if #lines > 0 then
        return stdnse.strjoin("\n", lines)
    end
end