Michel is still right.
Inetd is trying to start the non-existent executable, when a connection is
made, and can't, so terminates the connection immediately.
Further connections from Nessus, with a short, or nearly no delay, do the
same, and inetd will detect this *perfectly correctly*, as a misconfigured
inetd.conf. As it's misconfigured it then backs off and doesn't allow any
further connections for a while. This is the documented behaviour of
Solaris 8:
-r count interval
count and interval are decimal numbers that represent
the maximum count of invocations per interval of
seconds a service may be started before the service is
considered ``broken.''
Once considered ``broken,'' a server is suspended for
ten minutes. After ten minutes, inetd again enables
service, hoping the server behaves correctly.
If the -r flag is not specified, inetd behaves as
though -r40 60 was specified.
So you would expect, by default 40 connections in under 60 seconds of your
misconfigured Xaudio service to result in a 10 minute suspension of the
Xaudio service.
Anything beyond this behaviour (e.g. disabling telnet in any way) is a
Solaris 8 bug, and certainly nothing to do with Nessus.
Dom
Dom De Vitto | Security Consultant
Virgin Media, Crawley Court, Crawley, Winchester, Hants, SO21 2QA
M: 07855 805 271 D: 01483 87 5500 E: [EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete Duffin
Sent: 12 July 2007 22:34
To: Michel Arboi
Cc: [email protected]
Subject: Re: Disable service identification
I'll have a look in the morning regarding the messages you mentioned.
However, I pounded out xaudio in inetd.conf and the problem is now gone.
Interestingly enough, this is the line in inetd.conf:
xaudio stream tcp wait root
/usr/openwin/bin/Xaserver Xaserver -noauth -inetd
The binary /usr/openwin/bin/Xaserver does not exist on the box. Not sure
if that has something to do with it.
There are about 600 or so solaris 8 boxes, all with the same inetd.conf, all
with this problem. I'm hoping xaudio was the problem. They are servers, so
audio isn't needed.
----- Original Message -----
From: "Michel Arboi" <[EMAIL PROTECTED]>
To: "Pete Duffin" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Thursday, July 12, 2007 4:40 PM
Subject: Re: Disable service identification
Le Thu, 12 Jul 2007 16:30:26 -0400,
"Pete Duffin" <[EMAIL PROTECTED]> a écrit :
> Do you recall if xaudio has ever been a problem with Nessus?
No.
I am convinced that your problem is the classical rate limitation on
inetd. Have you seen something like "telnet/tcp server failing
(looping), service terminated" on your console or in /var/log/messages?
Solaris is not uncommon and I'd be very surprised if a denial of
service against such a critical component would have been unnoticed
until now.
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
------------------------------------------------------------------------------
Save Paper - Do you really need to print this e-mail?
Visit www.virginmedia.com for more information, and more fun.
This email and any attachments are or may be confidential and legally
privileged and are sent solely for the attention of the addressee(s). If you
have received this email in error, please delete it from your system: its use,
disclosure or copying is unauthorised. Statements and opinions expressed in
this email may not represent those of Virgin Media. Any representations or
commitments in this email are subject to contract. Please note that we are
migrating our email addresses to a company wide address of
"@virginmedia.co.uk". If you are sending to a Telewest or ntl email address
your email will be re-directed.
Registered office: 160 Great Portland Street, London W1W 5QA. Registered in
England and Wales with number 2591237
==============================================================================
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
