On 08/02/07 09:16, Paul Rivers wrote: > I ran the scan without any plugins and for only a few ports and still get the > nessus_test directory created.
Odd. Does nessusd.messages confirm that no plugins were launched (you'll need log_whole_attack set)? [There will be some plugins in the ACT_SETTINGS regardless, though.] Any chance you could send me privately the pcap of the scan showing all the traffic to/from the affected host? > Port range : 20,21,25,445,1433 Is the directory still created if you only scan port 21? You may have been onto something in asking about an SMTP plugin before. Is it possible that the FTP server uses /tmp? > Running ngrep -iq 'nessus_test' I get: > > T 10.100.12.66:3173 -> 10.200.2.220:43817 [A] > drwxrwxrwx 1 owner group 0 Mar 15 2006 Archive..drwxrwx > rwx 1 owner group 0 Sep 5 2006 ArchiveUK..-rwxrwxrwx > 1 owner group 0 Aug 2 14:05 nessus_test..-rwxrwxrwx 1 > owner group 1064 Oct 6 2006 v564062791.a29..-rwxrwxrwx 1 > owner group 5516 Oct 11 2006 v564062841.a29..-rwxrwxrwx 1 > owner group 1064 Oct 12 2006 v564062851.a29..-rwxrwxrwx 1 > owner group 2108 Oct 20 2006 v564062931.a29..-rwxrwxrwx 1 > > ... and the portnumber cycles around, too? What do you mean "cycles around"? Could this be from FTP directory listings? George -- [EMAIL PROTECTED] _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
