On Thu, Jan 30, 2003 at 12:19:42PM -0800, Carrie Lee wrote:
>    Within a few hours of running a nessus scan on a host, the host became
>    infected with some viruses associated with the vulnerabilities found
>    by nessus.  Specifically, when I ran the scan, it said that the host
>    was infected with Code Red, although it wasn't a few hours before the
>    scan.  About 6 hours later, the system became infected with a bunch of
>    other viruses that exploit the found IIS vulnerabilities.  I would
>    like to find out if some of the plugins are not benign or even
>    malicious.  Was this a coincidence or not?

Coincidence. Nessus does not infect hosts. The only "virus" it would
send is the EICAR test string, sent to the SMTP server, and which is not
really a virus, only a string designed to make the alarms of the
antivirus beep like crazy.

>    Does anyone know where I can view the source for the plugins, or if
>    some of the plugins actually exploit the vulnerability and alert the
>    developer?  (I don't mean to offend anyone, but I need to know before
>    I run it again).

The plugins are in /usr/local/lib/nessus/plugins/. 


                                -- Renaud
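As an added illustration (not part of Renaud's reply, and not Nessus project code): every NASL plugin declares a `script_category()`, and the categories ACT_ATTACK, ACT_MIXED_ATTACK, ACT_DESTRUCTIVE_ATTACK, ACT_DENIAL, ACT_FLOOD and ACT_KILL_HOST mark the plugins that actually poke at a vulnerability rather than just fingerprinting it. The script below triages a plugin directory such as /usr/local/lib/nessus/plugins/ by that declaration so you can see which plugins are intrusive before running a scan again. The four .nasl snippets embedded in it are constructed for the example; point `triage_directory()` at a real plugin directory for actual use.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# NASL categories whose plugins do more than passively gather information.
# ACT_ATTACK / ACT_MIXED_ATTACK try to trigger the flaw; the other four can
# crash, flood or wipe the target host. Everything else is treated as passive.
INTRUSIVE_CATEGORIES = {
    "ACT_ATTACK",
    "ACT_MIXED_ATTACK",
    "ACT_DESTRUCTIVE_ATTACK",
    "ACT_DENIAL",
    "ACT_FLOOD",
    "ACT_KILL_HOST",
}

CATEGORY_RE = re.compile(r"script_category\s*\(\s*([A-Z_]+)\s*\)")
NAME_RE = re.compile(r'script_name\s*\(\s*(?:english\s*:\s*)?"([^"]*)"')

# Constructed sample plugins (not real Nessus plugins) so the example runs offline.
SAMPLE_PLUGINS: Dict[str, str] = {
    "iis_version.nasl": """
if (description) {
  script_name(english:"IIS version check (constructed sample)");
  script_category(ACT_GATHER_INFO);
  exit(0);
}
""",
    "iis_overflow_check.nasl": """
if (description) {
  script_name(english:"IIS overflow probe (constructed sample)");
  script_category(ACT_ATTACK);
  exit(0);
}
""",
    "iis_dos.nasl": """
if (description) {
  script_name(english:"IIS denial of service (constructed sample)");
  script_category(ACT_DENIAL);
  exit(0);
}
""",
    "odd.nasl": """
# Constructed sample with no category declaration at all.
if (description) {
  script_name(english:"Uncategorised plugin (constructed sample)");
  exit(0);
}
""",
}


def classify_plugin(source: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (plugin name, category) parsed from NASL source text.

    Either element is None when the corresponding declaration is missing.
    """
    name = NAME_RE.search(source)
    category = CATEGORY_RE.search(source)
    return (name.group(1) if name else None,
            category.group(1) if category else None)


def triage(plugins: Dict[str, str]) -> Dict[str, List[str]]:
    """Group plugin file names into 'intrusive', 'passive' and 'unknown'.

    A plugin with no script_category() is reported as 'unknown' rather than
    silently assumed safe, since the category is what a scanner keys on.
    """
    groups: Dict[str, List[str]] = {"intrusive": [], "passive": [], "unknown": []}
    for filename in sorted(plugins):
        _, category = classify_plugin(plugins[filename])
        if category is None:
            groups["unknown"].append(filename)
        elif category in INTRUSIVE_CATEGORIES:
            groups["intrusive"].append(filename)
        else:
            groups["passive"].append(filename)
    return groups


def triage_directory(path: str) -> Dict[str, List[str]]:
    """Read every *.nasl file under `path` and triage it by category."""
    plugins: Dict[str, str] = {}
    for entry in os.listdir(path):
        if entry.endswith(".nasl"):
            with open(os.path.join(path, entry), encoding="utf-8", errors="replace") as fh:
                plugins[entry] = fh.read()
    return triage(plugins)


if __name__ == "__main__":
    for group, names in triage(SAMPLE_PLUGINS).items():
        print(f"{group}: {', '.join(names) or '(none)'}")
```

A plugin landing in the "intrusive" bucket tells you it sends the trigger for the flaw, which is what Carrie was asking about; it still does not explain a Code Red infection, since those plugins test for the hole rather than carry a worm payload. The "unknown" bucket is worth reading by hand rather than assuming it is harmless.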
