Network Security Nessus-Users
Subject: Nessus& Active Directory problems... [Email checked - EMEA]
Date: Fri, 27 May 2005 11:21:43 +0300
Hi all,

I need your expertise on a problem that has occurred recently.
In the context of the vulnerability assessment of a client's internal
network, we used Nessus to scan some servers in an Active Directory
domain, that is used for servers.

The problem first appeared after we scanned some systems in a central
Active Directory domain: the administrators reported a general failure of
ALL the servers of the domain (i.e. including servers that have not been
scanned by nessus) to connect to the Primary Domain Controllers (or better
the root servers) of the specific domain. The client fixed the problem by
rebooting the two root servers. These are the facts:
- The scanning was performed on servers that run Tivoli & SWIFT
  applications, a web server and an SQL server.
- All servers in the domain are Windows 2000 servers, except the two root AD
  servers that are Windows 2003 Advanced servers. No scanning has been
  performed on these two servers.
- Nessus version is the latest (2.2.4), and all the newest plug-ins (as of
  19/05/2005) have been installed.
- Nessus is not configured to run dangerous plug-ins ("enable all but
  dangerous"), and the "Safe Checks" and "Optimize tests" options are enabled.
  Also, no portscanning is performed ("-1").
- When the problem was first reported, we had selected to scan 4 hosts at
  the same time, with 6 tests to perform at the same time. When we
  did a second scan on different hosts another day, we selected 1 host at a
  time and 3 tests: in this case we did not have a problem. In the
  third scan with different hosts again, we selected 3 hosts at a time and 3
  tests, and once more there was a problem. Note that we have not
  tested the same host more than once.
- We examined the logs of the servers that we scanned and all report the
  following near the time we performed the scanning:
1) ERROR - 10:56:58
EventID: 5783, Source: NETLOGON
Description: The session setup to the Windows NT or Windows 2000 Domain
Controller \\xxxxxx.xxx.xxx for the domain XXXXX is not responsive.  The
current RPC call from Netlogon on \\XXXXXXX to \\xxxxxx.xxxx.xxx has been
cancelled.

2) WARNING - 10:57:55
EventID: 13, Source: MSFTPSVC
Description: The description for Event ID ( 13 ) in Source ( MSFTPSVC )
cannot be found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information
is part of the event: nessus@example.com; /

3) WARNING - 10:59:32
EventID: 100, Source: MSFTPSVC
Description: The description for Event ID ( 100 ) in Source ( MSFTPSVC )
cannot be found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information
is part of the event: nessus95544756771918212; Logon failure: unknown user
name or bad password.
A series of the same MSFTPSVC warnings follows regarding the logon failure
of user accounts (NULL, bogusbogus, BOGUS, root, admin, Administrator)

I should note that the first Error message (eventID: 5783) is reported in
ALL the servers of the domain, not only in the ones we scanned.

I should also mention that we have scanned 6 servers in the specific
domain (2 before the first reporting of the incident and 4 after the
problem appeared), without having any problems.

Has anyone come up with the same situation before? Any ideas?

Thank you all in advance, and sorry for the long e-mail :)

Barbara

___________________________________________________________________________

Barbara Daskala
Technology and Security Risk Services
Ernst & Young Business Advisory Solutions S.A
11th Km Athens-Lamia National Road, 144 51, Metamorfosi
Greece
Tel: +30 210 2886 038
Fax: +30 210 2886 901
Mobile: +30 6973773200
Lotus Notes: Varvara Daskala/ISAAS-ATHENS/ErnstYoung/GR@EYI-EMEA
E-mail: Varvara.Daskala@gr.ey.com
___________________________________________________________________________
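An added triage helper, not part of the original post: it parses event entries shaped like the three quoted above and correlates NETLOGON 5783 (Netlogon RPC cancelled) events with MSFTPSVC logon failures whose account names match the scanner probes the post lists, so an administrator can see whether domain-wide Netlogon trouble coincides with the scan window. The event lines, the host name DC01 and the domain name CORP are constructed samples.

```python
import re
from datetime import datetime

# Constructed sample entries modelled on the events quoted in the post
# (times as in the post; host and domain names are placeholders).
EVENTS = """\
10:56:58 ERROR NETLOGON 5783 The session setup to the Domain Controller DC01 for the domain CORP is not responsive.
10:57:55 WARNING MSFTPSVC 13 nessus@example.com; /
10:59:32 WARNING MSFTPSVC 100 nessus95544756771918212; Logon failure: unknown user name or bad password.
10:59:40 WARNING MSFTPSVC 100 bogusbogus; Logon failure: unknown user name or bad password.
11:00:02 WARNING MSFTPSVC 100 Administrator; Logon failure: unknown user name or bad password.
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\w+) (\w+) (\d+) (.*)$")
# Account names the post reports failing in the MSFTPSVC warnings.
PROBE_USERS = {"null", "bogusbogus", "bogus", "root", "admin", "administrator"}

def parse(text):
    """Turn 'HH:MM:SS LEVEL SOURCE EVENTID description' lines into dicts."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, level, source, eid, desc = m.groups()
            out.append({"time": datetime.strptime(t, "%H:%M:%S"), "level": level,
                        "source": source, "event_id": int(eid), "desc": desc})
    return out

def scanner_logons(events):
    """MSFTPSVC events whose account name looks like a scanner probe
    (nessus<digits>, nessus@..., or one of the listed bogus accounts)."""
    hits = []
    for e in events:
        if e["source"] != "MSFTPSVC":
            continue
        user = e["desc"].split(";", 1)[0].strip().lower()
        if user.startswith("nessus") or user in PROBE_USERS:
            hits.append(e)
    return hits

def netlogon_near_scan(events, window_seconds=300):
    """NETLOGON 5783 events within window_seconds of any scanner probe logon."""
    probes = scanner_logons(events)
    return [e for e in events
            if e["source"] == "NETLOGON" and e["event_id"] == 5783
            and any(abs((e["time"] - p["time"]).total_seconds()) <= window_seconds
                    for p in probes)]
```

Run over the quoted events, the 5783 error at 10:56:58 falls within five minutes of the first scanner logon at 10:57:55, which is the correlation the post describes.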
