I've
found the culprit. After days of searching, 10 minutes after I send this
e-mail, I narrowed it down to the "rpcinfo -p" plugin in the RPC
family.
This
scan is running against an AIX system. The system I was running against is
1 of 3 identical (or so they say) systems. The other 2 complete
normally.
Looking into the partial results of the scan for the
system that fails showed me virtually every port on the system was running an
RPC service on it. (This did not match the results of the other 2
identical systems.) That seemed a little strange to me, so I did an
rpcinfo -p locally on the system and it did not show the same results. It
appears something within the plugin or unique to this system caused the
problem.
I
disabled that plugin and the scan completed in minutes. I don't know why
the plugin and that specific system had the issue, but if I find out I'll post
to the group.
Thanks,
Todd
-----Original Message-----
From: Greene, Todd [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 8:18 AM
To: '[EMAIL PROTECTED]'
Subject: Nessus Scan stops/pauses at 78% completeAll,This is an interesting one. I've noticed that when I scan a device using NessusWX and it gets to 78% complete, I get a pause for ~ 20 minutes or the session just hangs. (I've left one running over a weekend and it didn't complete). At first, I thought it was the 'UDDI Detection plugin' since that was what it said was executing in the NessusWX window at the time, so I disabled it. It still pauses or stops at 78% complete, but this time at the next plugin. (UltraSeek Web Server Detect) I have also tried running directly from the client on the Nessus Server and it stops also.Has anyone else experienced this? I've tested against a single host and multiples and get the same result. Most of the time it just pauses for about 20 minutes and then completes the scan, but on the rare occasion, it freezes. Typically I'm running a non-DOS scan.I don't see anything peculiar in nessusd.messages either. Even though the session below froze on "UltraSeek Webserver detect", it appears to have progressed past that point in the log file. See below:[Wed Nov 6 11:57:42 2002][2532] user greenet : launching webserver4d.nasl against ppps01 [3649]
[Wed Nov 6 11:57:42 2002][2532] webserver4d.nasl (process 3649) finished its job in 0.254 seconds
[Wed Nov 6 11:57:43 2002][2532] upnp_xp.nasl (process 3521) finished its job in 14.608 seconds
[Wed Nov 6 11:57:46 2002][2532] citrix.nasl (process 3645) finished its job in 5.178 seconds
[Wed Nov 6 11:57:47 2002][2532] win_trinoo.nasl (process 3605) finished its job in 14.741 seconds
[Wed Nov 6 11:58:01 2002][2532] DDI_Directory_Scanner.nasl (process 2834) finished its job in 85.409 seconds
[Wed Nov 6 13:25:57 2002][2531] user greenet : stopping attack against ppps01
[Wed Nov 6 13:25:57 2002][2531] user greenet : test completeUsing NessusWX 1.4.2, Nessusd is as follows running on RedHat 7.1.This is Nessus 1.2.6 for Linux 2.4.9-34
compiled with gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-98)
Current setup :
Experimental session-saving : enabled
Experimental KB saving : enabled
Thread manager : fork
nasl : 1.2.6
libnessus : 1.2.6
SSL support : enabled
SSL is used for client / server communication
Running as euid : 0
Thanks for any thoughts.Todd
***********************************************************************
This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity named as recipients in the message. If you are not an intended recipient of this message, please notify the sender immediately and delete the material from any computer. Do not deliver, distribute or copy this message, and do not disclose its contents or take any action in reliance on the information it contains. Thank you.
