Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: NESSUS CRASHING CITRIX METAFRAME SERVERS

from [John Scherff] Network Security [Permanent Link]
Subject: RE: NESSUS CRASHING CITRIX METAFRAME SERVERS
Date: Tue, 12 Dec 2006 12:17:08 -0800 
Thank you, Ferdy.

I found the CTX111186 notice too, but I don't believe that's what is
causing it (though our Microsoft/Citrix team will be applying the
patch).

Turns out our backup servers, which run ArcServe 11.5 SP2, are also
crashing during the scans. In both cases (Citrix, ArcServe), the server
itself doesn't crash, but just one or two critical services stop.

But I think Renaud is going to end up being correct (as usual) about the
cause. After some investigation, I found that 'thorough tests' was
turned on the month before the problems started occurring.

John

-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Ferdy Riphagen
Sent: Monday, December 11, 2006 11:15 AM
To: nessus@list.nessus.org
Subject: Re: NESSUS CRASHING CITRIX METAFRAME SERVERS

John Scherff wrote:


*Tenable/List*,

 

Starting last month, Nessus began crashing our Citrix Metaframe farm 
(approximately 60 servers).  _The same scan ran every month without 
incident for over a year_ prior to November.  It may be the case that 
the scan did not bring down all the servers, but brought down certain 
services that are critical to Metaframe functionality.  Here's a quote



from the Citrix administrator:

 

It seems that somehow the scan causes the IMA (Independent Management 
Architecture) service to stop on almost all the MF servers. There were



only 5 that did not have the IMA service stopped. Of course, when that



happens, they are dead to the ZDC (Zone Data Collector) which reports 
them as Server Down. The IMA service is critical to the communication 
between the MF servers and the ZDC.


You should grab any logfile or debug file from the scanner and the 
Citrix servers to correlate things between each other (timestamps a
crucial)
It's  is always possible that a service drops down, with any type of 
scan you do.

Maybe you could also look at the patch levels of these servers. I know 
there was a bug reported a month ago in the IMA architecture. It's very 
unlikely this is the problem, because no "not that I know" script is 
testing for it. It is even unclear "to me" what the attack vector is for

this bug...
http://support.citrix.com/article/CTX111186

I'll think Citrix would also want to know why there IMA drops down.....

--Ferdy--


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Window checks over SSH, Zate Berg
Next by Date:  McAfee ePolicy Orchestrator agent (8081/tcp), jfvanmeter
Previous by Thread:  Re: NESSUS CRASHING CITRIX METAFRAME SERVERS, Ferdy Riphagen
Next by Thread:  Re: NESSUS CRASHING CITRIX METAFRAME SERVERS, Renaud Deraison
Indexes:  [Date] [Thread] [Top] [All Lists]