We routinely scan our entire class B subnet monthly. As we are a
University, we are very compartmentalized and the scans are, therefore,
broken up into chunks. We have run into an issue that the nessus client
(ran from a seperate machine as the nessus daemon) receives a connection
termination from the nessus daemon in the middle of most of the larger
scans. Last month I tracked down a specific scan that was giving us a
problem and isolated the problem to one class C which, when scanned even
by itself would still cause a crash the majority of the time, but it did
actually complete the scan once. Now about 5-7 blocks larger blocks are
crashing in the middle of the scans and the issue has us pooling our
hair out.
The scans are performed in batch mode, here is the output to the console
the client is ran from for our most recent scan:
Communication closed by server
nessus: nessusd abruptly shut the communication down - the test may be
incomplete
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
Here is the end of the nessusd.dump file from that scan:
[1256] nessus_get_socket_from_connection: bad fd <-1>
[1299](/usr/lib/nessus/plugins/mdns.nasl) ord() usage : ord(char)
[1299](/usr/lib/nessus/plugins/mdns.nasl) ord() usage : ord(char)
[7665] nessus_get_socket_from_connection: bad fd <-1>
[7666] nessus_get_socket_from_connection: bad fd <-1>
[7668] nessus_get_socket_from_connection: bad fd <-1>
[7666] nessus_get_socket_from_connection: bad fd <-1>
[7666] nessus_get_socket_from_connection: bad fd <-1>
[7665] nessus_get_socket_from_connection: bad fd <-1>
[7665] nessus_get_socket_from_connection: bad fd <-1>
0
1
2
3
[13521] nessus_get_socket_from_connection: bad fd <-1>
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
[301] nessus_get_socket_from_connection: bad fd <-1>
[303] nessus_get_socket_from_connection: bad fd <-1>
[305] nessus_get_socket_from_connection: bad fd <-1>
[21520] nessus_get_socket_from_connection: bad fd <-1>
[21522] nessus_get_socket_from_connection: bad fd <-1>
[22784] nessus_get_socket_from_connection: bad fd <-1>
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[5510] nessus_get_socket_from_connection: bad fd <-1>
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
[10773] nessus_get_socket_from_connection: bad fd <-1>
internal_send->os_recv(4): Success
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[6586] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14502] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=A CIFS
server is running on this port;
']: Connection reset by peer
[14502] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
[14502] plug_set_key:internal_send(4)['3 SMB/transport=445;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
[14502] plug_set_key:internal_send(4)['3 Services/smb=139;
']: Broken pipe
[14502] plug_set_key:internal_send(4)['1 Known/tcp/139=smb;
']: Broken pipe
[14502] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=An SMB
server is running on this port;
']: Broken pipe
[14502] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14206] plug_set_key:internal_send(4)['1 Known/tcp/445=cifs;
']: Connection reset by peer
[14206] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=A CIFS
server is running on this port;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['3 SMB/transport=445;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['3 Services/smb=139;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['1 Known/tcp/139=smb;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=An SMB
server is running on this port;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[10395] plug_set_key:internal_send(4)['3 Services/smb=139;
']: Connection reset by peer
[10395] plug_set_key:internal_send(4)['1 Known/tcp/139=smb;
']: Broken pipe
[10395] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=An SMB
server is running on this port;
']: Broken pipe
[10395] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14700] plug_set_key:internal_send(4)['3 Services/www/2381/broken=1;
']: Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[7751] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14659] plug_set_key:internal_send(4)['1 SMB/login=;
']: Connection reset by peer
[14659] plug_set_key:internal_send(4)['1 SMB/password=;
']: Broken pipe
[14659] plug_set_key:internal_send(4)['1 SMB/domain=;
']: Broken pipe
[14659] plug_set_key:internal_send(4)['1 SentData/10394/NOTE=\nSynopsis
:\n\nIt is possible to logon on the remote host.\n\nDescription :\n\nThe
remote host is running one of the Microsoft Windows operating\nsystem.
It was possible to logon using one of the following\naccount :\n\n- NULL
session\n- Guest account\n- Given Credentials\n\nSee also
:\n\nhttp://support.microsoft.com/support/kb/articles/Q143/4/74.ASP\nhttp://support.microsoft.com/support/kb/articles/Q246/2/61.ASP\n\nRisk
factor :\n\nnone\n\nPlugin output :\n\n- NULL sessions are enabled on
the remote host\n;
']: Broken pipe
[14659] plug_set_key:internal_send(4)['3 Success/10394=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14645] plug_set_key:internal_send(4)['3 Services/www/8001/broken=1;
']: Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[12467] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['3 SMB/transport=445;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['3 Services/smb=139;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['1 Known/tcp/139=smb;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=An SMB
server is running on this port;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
[14507] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/1741=1;
']: Broken pipe
[14509] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/8010=1;
']: Broken pipe
[14514] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/8083=1;
']: Broken pipe
[14515] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/8123=1;
']: Broken pipe
[14515] plug_set_key:internal_send(4)['3 Services/www/8123/broken=1;
']: Broken pipe
[14529] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/3104=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
[14162] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/2954=1;
']: Connection reset by peer
[14554] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/15858=1;
']: Broken pipe
[14606] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/1281=1;
']: Broken pipe
[14629] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/1100=1;
']: Broken pipe
[14632] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/6900=1;
']: Broken pipe
[14643] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/4242=1;
']: Broken pipe
[14657] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/22002=1;
']: Broken pipe
[14657] plug_set_key:internal_send(4)['3 Services/www/22002/broken=1;
']: Broken pipe
[14661] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/19638=1;
']: Broken pipe
[14661] plug_set_key:internal_send(4)['3 Services/www/19638/broken=1;
']: Broken pipe
[14667] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/8083=1;
']: Broken pipe
[14682] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/9433=1;
']: Broken pipe
[14075] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/10204=1;
']: Broken pipe
[14629] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/4001=1;
']: Broken pipe
Here is the end of the nessusd.messages file from that scan:
[Mon Mar 27 17:58:50 2006][3608] user - : launching check_dns_tcp.nasl
against ---- [14698]
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching
cacam_overflow.nasl against ---- because the key CA/MessageQueuing is
missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching
mandrake_MDKSA-2003-030.nasl against ---- because the key
Host/Mandrake/rpm-list is missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching
solaris26_113754.nasl against ---- because the key Host/Solaris/showrev
is missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] check_dns_tcp.nasl (process 14698)
finished its job in 0.080 seconds
[Mon Mar 27 17:58:50 2006][3608] user - : launching
airport_plaintext_credentials.nasl against ---- [14702]
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching
solaris7_112604.nasl against ---- because the key Host/Solaris/showrev
is missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching
hpux_PHKL_27932.nasl against ---- because the key Host/HP-UX/swlist is
missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching
hpux_PHSS_27428.nasl against ---- because the key Host/HP-UX/swlist is
missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching nortel_webadmin.nas
Here are the arguments being passed to the client:
nessus -V -q -T xml
Here is the output from the nessus daemon
secscan1 logs # nessusd -v
nessusd (Nessus) 2.3.1 for Linux
(C) 1998 - 2004 Renaud Deraison <[EMAIL PROTECTED]>
The nessus client is the same version. This problem persists across two
separate nessus servers, any ideas?
Regards,
Kenneth Shelton
Incident Response Team
University of South Florida
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
