Yesterday I ran a Nessus 2.2.4 scan against my company's network.
We had several Oracle 9i database listeners go down, and various backup
problems occur while the Nessus scan was taking place. Nessus
was configured as follows.
All destructive_attacks, brute force, denial of service, and local
security checks were disabled in Nessus. Nessus was set to use safe-checks
to limit Nessus to just using banners instead of performing a security
check on the port; it was limited to only checking 5 hosts at a time,
and conducting 5 checks at a time. Nessus was set to use nmap as its
port scanning engine, which was set to use a SYN scan for TCP, and
conduct a UDP scan, Service scan, RPC scan, scan the network politely
so as not to burden the network, and was asked to identify the remote
host OS. I am using the latest versions of Nessus and nmap. Hydra and
nikto were not used.
Any ideas what went wrong? All the logs I can find regarding the listeners
and netbackup going down are below. Did I hit some application bugs?
Wrong Nessus settings? Any info you can offer would be helpful. My boss
is looking for answers and I am stumped.
Thanks,
Mike
________________________
Two database listeners went down on different systems. Both are Oracle 9i
listeners. We have roughly 20 listeners total but only 2 went down.
Below are the only error messages we have from Oracle's listener logs.
Database Listener #1
TNS-12560: TNS:protocol adapter error
TNS-00530: Protocol adapter error
Solaris Error: 130: Software caused connection abort
13-APR-2005 19:49:08 * 12560
TNS-12560: TNS:protocol adapter error
TNS-00530: Protocol adapter error
Solaris Error: 130: Software caused connection abort
Database Listener #2
13-APR-2005 20:48:01 * 12560
TNS-12560: TNS:protocol adapter error
TNS-00530: Protocol adapter error
Solaris Error: 130: Software caused connection abort
13-APR-2005 20:48:46 * service_update * TRKQA * 0
13-APR-2005 20:48:48 * service_update * PEQA * 0
13-APR-2005 20:48:50 * (CONNECT_DATA=(SERVICE_NAME=peuat.x.com)(CID=(PROGRAM=)(HOST=lumiere)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.x.x)(PORT=37724)) * establish * peuat.x.com * 0
13-APR-2005 20:48:51 * (CONNECT_DATA=(SERVICE_NAME=peuat.X.com)(CID=(PROGRAM=)(HOST=lumiere)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.x.x)(PORT=37725)) * establish * peuat.X.com * 0
13-APR-2005 20:49:09 * service_update * RTDSUAT * 0
13-APR-2005 20:49:29 * service_update * IAUAT * 0
13-APR-2005 20:49:49 * service_update * TRKQA * 0
13-APR-2005 20:50:03 * (CONNECT_DATA=(SERVICE_NAME=peuat.X.com)(CID=(PROGRAM=)(HOST=lumiere)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.x.x)(PORT=37728)) * establish * peuat.X.com * 0
13-APR-2005 20:50:03 * (CONNECT_DATA=(SERVICE_NAME=peuat.X.com)(CID=(PROGRAM=)(HOST=lumiere)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.x.x)(PORT=37729)) * establish * peuat.X.com * 0
13-APR-2005 20:50:04 * service_update * PEUAT * 0
13-APR-2005 20:50:09 * service_update * D2UAT * 0
13-APR-2005 20:50:21 * service_update * PEQA * 0
______________________________________________________________
The NetBackup server reported quite a few errors in its logs
related to the scan. vs2.X.com is the scanning server running Nessus. Dumbo
is the backup server running NetBackup 3.4 and Solaris 2.6.
The scan may have locked up the Remote Management Unit on the ADIC Scalar
1000 tape library. In order to get the backup system running this morning, the
RMU and backup server had to be rebooted.
TIME SERVER/CLIENT TEXT
04/13/2005 14:15:45 dumbo - accept() failed, Software caused connection abort (130)
04/13/2005 14:15:54 dumbo - cannot determine connection host name
04/13/2005 14:28:47 dumbo - get_string() failed - network read error (0)
04/13/2005 14:28:47 dumbo - could not process request from vs2.X.com
04/13/2005 14:28:49 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 14:28:49 dumbo - could not process request from vs2.X.com
04/13/2005 14:28:50 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 14:28:50 dumbo - could not process request from vs2.X.com
04/13/2005 14:29:05 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 14:29:06 dumbo - could not process request from vs2.X.com
04/13/2005 16:04:37 dumbo - accept() failed, Software caused connection abort (130)
04/13/2005 16:10:34 dumbo - getpeername failed
04/13/2005 16:10:35 dumbo - cannot determine connection host name
04/13/2005 16:12:12 dumbo - get_string() failed - network read error (0)
04/13/2005 16:12:12 dumbo - could not process request from vs2.X.com
04/13/2005 16:12:16 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:12:16 dumbo - could not process request from vs2.X.com
04/13/2005 16:12:16 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:12:17 dumbo - could not process request from vs2.X.com
04/13/2005 16:12:17 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:12:17 dumbo - could not process request from vs2.X.com
04/13/2005 16:12:26 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:12:27 dumbo - could not process request from vs2.X.com
04/13/2005 16:12:42 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:12:42 dumbo - could not process request from vs2.X.com
04/13/2005 16:12:43 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:12:43 dumbo - could not process request from vs2.X.com
04/13/2005 16:12:54 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:12:54 dumbo - could not process request from vs2.X.com
04/13/2005 16:13:14 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:13:14 dumbo - could not process request from vs2.X.com
04/13/2005 16:13:14 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:13:14 dumbo - could not process request from vs2.X.com
04/13/2005 16:13:16 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:13:16 dumbo - could not process request from vs2.X.com
04/13/2005 16:14:02 dumbo - get_string() failed - premature end of file encountered (5)
04/13/2005 16:14:02 dumbo - could not process request from vs2.X.com
04/13/2005 16:14:32 dumbo - get_string() failed - network read error (0)
04/13/2005 16:14:32 dumbo - could not process request from vs2.X.com
04/13/2005 16:14:36 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:14:36 dumbo - could not process request from vs2.X.com
04/13/2005 16:15:54 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:15:54 dumbo - could not process request from vs2.X.com
04/13/2005 16:16:17 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:16:18 dumbo - could not process request from vs2.X.com
04/13/2005 16:16:18 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:16:18 dumbo - could not process request from vs2.X.com
04/13/2005 16:16:43 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:16:43 dumbo - could not process request from vs2.X.com
04/13/2005 16:17:55 dumbo - get_string() failed - network read error (0)
04/13/2005 16:17:55 dumbo - could not process request from vs2.X.com
04/13/2005 16:18:51 dumbo - get_string() failed - premature end of file encountered (5)
04/13/2005 16:18:51 dumbo - could not process request from vs2.X.com
04/13/2005 16:19:48 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:19:48 dumbo - could not process request from vs2.X.com
04/13/2005 16:20:41 dumbo - get_string() failed - incoming data too large for buffer (0)
04/13/2005 16:20:41 dumbo - could not process request from vs2.X.com
04/13/2005 16:25:03 dumbo - get_string() failed - premature end of file encountered (5)
04/13/2005 16:25:03 dumbo - could not process request from vs2.X.com
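
Added example, not part of the original post: a Python triage sketch for a log in the format shown above, which rejoins the mail-wrapped continuation lines, counts each message type, and groups entries into bursts that can be compared against the scanner's own start and stop times. The sample lines are constructed from the post's format, and the 30-minute burst gap is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the same hard-wrapped format as the log in the post.
SAMPLE = """\
04/13/2005 14:15:45 dumbo - accept() failed, Software caused connection
abort
(130)
04/13/2005 14:28:47 dumbo - get_string() failed - network read error (0)
04/13/2005 14:28:47 dumbo - could not process request from
vs2.X.com
04/13/2005 14:28:49 dumbo - get_string() failed - incoming data too large
for
buffer (0)
04/13/2005 16:14:02 dumbo - get_string() failed - premature end of file
encountered (5)
04/13/2005 16:14:02 dumbo - could not process request from
vs2.X.com
"""

ENTRY = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (\S+) - (.*)$")

def unwrap(text):
    """Join continuation lines onto the timestamped entry they belong to."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            entries.append([ts, m.group(2), m.group(3).strip()])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]

def summarize(entries, gap=timedelta(minutes=30)):
    """Count messages per type and split the timeline into bursts."""
    counts = Counter(msg for _, _, msg in entries)
    bursts = []
    for ts, _, _ in entries:
        if bursts and ts - bursts[-1][1] <= gap:
            bursts[-1][1] = ts  # extend the current burst
        else:
            bursts.append([ts, ts])  # quiet period exceeded: new burst
    return counts, [tuple(b) for b in bursts]

def requests_from(entries, host):
    """Entries in which the server names `host` as the unparseable sender."""
    return [e for e in entries if e[2] == f"could not process request from {host}"]
```

Comparing the burst windows with the scanner's per-host timing shows whether each error cluster lines up with a port scan or service-detection pass against that host.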