Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Disable service identification

from [Devitto, Dom] Network Security [Permanent Link]
Subject: RE: Disable service identification
Date: Fri, 13 Jul 2007 16:47:08 +0100 
Michel is still right.

 

Inetd is trying to start the non-existent executable, when a connection is
made, and can't, so terminates the connection immediately.

 

Further connections from Nessus, with a short, or nearly no delay, do the
same, and inetd will detect this *perfectly correctly*, as a misconfigured
inetd.conf.  As it's misconfigured it then backs off and doesn't allow any
further connections for a while.  This is the documented behaviour of
Solaris 8:

 

           -r  count interval

 

           count  and interval are decimal numbers that represent

           the  maximum   count  of  invocations  per interval of

           seconds a service may be started before the service is

           considered  ``broken.''

 

           Once considered ``broken,'' a server is suspended  for

           ten  minutes.   After ten minutes, inetd again enables

           service, hoping the server behaves correctly.

 

           If the -r flag is  not  specified,  inetd  behaves  as

           though -r40 60 was specified.

 

So you would expect, by default 40 connections in under 60 seconds of your
misconfigured Xaudio service to result in a 10 minute suspension of the
Xaudio service.

 

Anything beyond this behaviour (e.g. disabling telnet in any way) is a
Solaris 8 bug, and certainly nothing to do with Nessus.

 

Dom

Dom De Vitto  | Security Consultant

Virgin Media,  Crawley Court, Crawley, Winchester, Hants, SO21 2QA

M: 07855 805 271   D: 01483 87 5500   E: Dom.DeVitto@VirginMedia.co.uk

-----Original Message-----
From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org]
On Behalf Of Pete Duffin
Sent: 12 July 2007 22:34
To: Michel Arboi
Cc: nessus@list.nessus.org
Subject: Re: Disable service identification

 

I'll have a look in the morning regarding the messages you mentioned.

 

However, I pounded out xaudio in inetd.conf and the problem is now gone. 

Interestingly enough, this is the line in inetd.conf:

 

xaudio        stream   tcp              wait     root 

/usr/openwin/bin/Xaserver              Xaserver -noauth -inetd

 

The binary /usr/openwin/bin/Xaserver  does not exist on the box.  Not sure 

if that has something to do with it.

 

There are about 600 or so solaris 8 boxes, all with the same inetd.conf, all


with this problem.  I'm hoping xaudio was the problem.  They are servers, so


audio isn't needed.

 

 

----- Original Message ----- 

From: "Michel Arboi" <mikhail@nessus.org>

To: "Pete Duffin" <pduffin@blabbernet.net>

Cc: <nessus@list.nessus.org>

Sent: Thursday, July 12, 2007 4:40 PM

Subject: Re: Disable service identification

 

 

Le Thu, 12 Jul 2007 16:30:26 -0400,

"Pete Duffin" <pduffin@blabbernet.net> a écrit :

 


Do you recall if xaudio has ever been a problem with Nessus?


 

No.

 

I am convinced that your problem is the classical rate limitation on

inetd. Have you seen something like "telnet/tcp server failing

(looping), service terminated" on your console or in /var/log/messages?

 

Solaris is not uncommon and I'd be very surprised if a denial of

service against such a critical component would have been unnoticed

until now. 

 

_______________________________________________

Nessus mailing list

Nessus@list.nessus.org

http://mail.nessus.org/mailman/listinfo/nessus


------------------------------------------------------------------------------
Save Paper - Do you really need to print this e-mail?

Visit www.virginmedia.com for more information, and more fun.

This email and any attachments are or may be confidential and legally 
privileged and are sent solely for the attention of the addressee(s). If you 
have received this email in error, please delete it from your system: its use, 
disclosure or copying is unauthorised. Statements and opinions expressed in 
this email may not represent those of Virgin Media. Any representations or 
commitments in this email are subject to contract. Please note that we are 
migrating our email addresses to a company wide address of 
"@virginmedia.co.uk". If you are sending to a Telewest or ntl email address 
your email will be re-directed. 

Registered office: 160 Great Portland Street, London W1W 5QA. Registered in 
England and Wales with number 2591237


==============================================================================

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  scanning question, John Hally
Next by Date:  Re: Disable service identification, Pete Duffin
Previous by Thread:  Re: Disable service identification, Pete Duffin
Next by Thread:  Re: Disable service identification, Pete Duffin
Indexes:  [Date] [Thread] [Top] [All Lists]