Here is some more info on the changing config file problem.
Here is everything that is set to yes in the config file:
# cat .nessusbugbear | grep yes
10180 = yes
log_whole_attack = yes
report_killed_plugins = yes
optimize_test = yes
safe_checks = yes
reverse_lookup = yes
unscanned_closed = yes
11135 = yes
Ping the remote host[checkbox]:Do a TCP ping = yes
Nmap[checkbox]:Identify the remote OS = yes
Nmap[checkbox]:Do not randomize the order in which ports are scanned = yes
10180 is the ping_host plugin, 11135 is the bugbear plugin.
I run my cronjob on 4 subnets on campus. Here is everything set to yes after
the cronjob finishes:
# cat .nessusbugbear | grep yes
10180 = yes
log_whole_attack = yes
report_killed_plugins = yes
optimize_test = yes
safe_checks = yes
reverse_lookup = yes
unscanned_closed = yes
11135 = yes
1 = yes
10643 = yes
10992 = yes
10624 = yes
10842 = yes
10598 = yes
999 = yes
10587 = yes
11055 = yes
10834 = yes
10792 = yes
10813 = yes
Ping the remote host[checkbox]:Do a TCP ping = yes
Nmap[checkbox]:Identify the remote OS = yes
Nmap[checkbox]:Do not randomize the order in which ports are scanned = yes
I've gotten the number down from 90, but here are the other plugins enabled:
[fgrep output on the lines with "yes" above]
/usr/local/lib/nessus/plugins/ping_host.nasl: script_id(10180);
/usr/local/lib/nessus/plugins/bugbear.nasl: script_id(11135);
/usr/local/lib/nessus/plugins/40x_cross_site.nasl: script_id(10643);
/usr/local/lib/nessus/plugins/DDI_IIS_CodeBrws_Sample.nasl: script_id(10992);
/usr/local/lib/nessus/plugins/iis_shtml_cross_site.nasl: script_id(10624);
/usr/local/lib/nessus/plugins/mrtg_traversal.nasl: script_id(10842);
/usr/local/lib/nessus/plugins/mysql_overflow.nasl: script_id(10598);
/usr/local/lib/nessus/plugins/nessus_1_0_EOL.nasl: script_id(999);
/usr/local/lib/nessus/plugins/novell_gwweb.nasl: script_id(10587);
/usr/local/lib/nessus/plugins/openssl_overflow.nasl: script_id(11055);
/usr/local/lib/nessus/plugins/smb_nt_ms01-058.nasl: script_id(10834);
/usr/local/lib/nessus/plugins/textor_information_disclosure.nasl: script_id(10792);
/usr/local/lib/nessus/plugins/wu_ftpd_weirdcwd.nasl: script_id(10813);
Not only has the plugin list changed, the output of the scan says the following
for every host it contacted:
+ xxx.ua.edu :
. List of open ports :
o general/tcp (Security hole found)
. Vulnerability found on port general/tcp :
You are using Nessus 1.0, which is deprecated.
In March 2003, the Nessus team will definitely stop
updating plugins for this version, which means that
it will not be accurate at all and will die.
Note that the Nessus team plans to continue to add
new scripts until March 2003, but they will not be
tested on Nessus 1.0. Although they should work,
we do not garantee it.
Please upgrade to Nessus 1.2, available at http://www.nessus.org/
You are also encouraged to test the new experimental Nessus 1.3.0
if you want to use something fancy.
Output of `which nessus`: /usr/local/bin/nessus
Output of `which nessusd`: /usr/local/sbin/nessusd
# nessus --version
nessus (Nessus) 1.2.7 for Linux
(C) 1998 - 2002 Renaud Deraison <[EMAIL PROTECTED]>
SSL used for client - server communication
# nessusd -v
nessusd (Nessus) 1.2.7 for Linux
(C) 1998 - 2002 Renaud Deraison <[EMAIL PROTECTED]>
The script specifically invokes /usr/local/bin/nessus
and the log file shows version 1.2.7 of the daemon running.
I'm at a complete loss here. I think its time for a reboot.
Darren Evans-Young,
The University of Alabama
Tuscaloosa, AL
P.S. - FWIW, reboot made no difference.
