
RE: NESSUS CRASHING CITRIX METAFRAME SERVERS

Subject: RE: NESSUS CRASHING CITRIX METAFRAME SERVERS
Date: Sat, 9 Dec 2006 18:04:35 -0800
One more piece of useful information: the same servers were scanned two
weeks ago without incident.  The difference between that scan and the
one that brought down the servers today (and a month ago): that scan
tested all ports (1-65535), authenticated with a domain admin account,
and enabled all plugins (except the unsafe ones).

 

________________________________

From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of John Scherff
Sent: Saturday, December 09, 2006 5:15 PM
To: nessus@list.nessus.org
Subject: NESSUS CRASHING CITRIX METAFRAME SERVERS

 

Tenable/List,

 

Starting last month, Nessus began crashing our Citrix Metaframe farm
(approximately 60 servers).  The same scan ran every month without
incident for over a year prior to November.  It may be the case that the
scan did not bring down all the servers, but brought down certain
services that are critical to Metaframe functionality.  Here's a quote
from the Citrix administrator:

 

It seems that somehow the scan causes the IMA (Independent Management
Architecture) service to stop on almost all the MF servers. There were
only 5 that did not have the IMA service stopped. Of course, when that
happens, they are dead to the ZDC (Zone Data Collector) which reports
them as Server Down. The IMA service is critical to the communication
between the MF servers and the ZDC.

 

Pertinent facts:

 

*       Scan authentication: none 
*       Nessus version : 3.0.4 
*       Plugin feed version : 200612082115 
*       Type of plugin feed : Direct 
*       Port scanner(s) : nessus_tcp_scanner 
*       Port range : default 
*       Thorough tests : yes 
*       Experimental tests : no 
*       Safe checks : yes 
*       Max hosts : 10 
*       Max checks : 4 
*       Scan Start Date : 2006/12/9 12:32 
*       Scan duration : 155 sec 

 

Nothing dangerous appears to be turned on, except possibly "thorough
tests."  I use Edgeos' Python-based update-nessusrc.py script to keep
the config file up-to-date.  The parameters I pass to the script (which
show the plug-in families I use) are in the attached file, update.txt.

 

The same servers were scanned last week with ONLY local security checks
/ Microsoft bulletins turned on (checks for missing patches only).
Those scans use the same settings as above, only the port range is
1-65535, and Nessus authenticates to the servers with an account in the
Domain Admins group.  That scan did not impact the servers at all.

 

John Scherff

Sr. IT Security Analyst

24 Hour Fitness

jscherff@24hourfit.com

 

 
