On Thu, Jan 22, 2004 at 12:25:56PM +0100, Marc Croteau wrote:
Nessus is a *scanner*. I use it regularly when performing vulnerability assessment for various customers. If it now starts to modify things as it runs
It does not /start to modify things/, it just disables _a_ virus and let you know that you should have a look at the remote host. The plugin is also marked as being DESTRUCTIVE, ie: it will only run if safe checks are disabled. Other plugins, when run in non safe checks, will have the side effect of disabling other services, like nfsd or more, which might be critical for a production server.
1) Does this virus DISABLE or REMOVE itself with this test? If it REMOVEs itself, then it does /start to modify things/. If it disables, then the wording in the test is misleading at best, or just plainly wrong at worst.
It's not like the command is dangerous either - ie: we're not sending a
find -name *.pif -exec rm {} \; to the remote host, we just tell the
virus to stop spreading.
Um, no. The script takes an action that will result in the removal of file(s) off the remote system under the control of code in the virus. While you may get away with this once, twice, or even more often, eventually we are going to get bitten by this philosopy.
What is your real concern ? Do you think that there are production servers out there which won't work properly without having beagle running ?
I think my real concern has already been stated. But I will repeat it. As a philosphy, I believe it to be prudent to minimize the execution of any untrusted code on the remote system. This is regardless of whether or not the remote host has been compromised or not.
Chew on this for a moment: what is the difference between this test, where we knowingly execute a command that removes a file from the remote system, and doing the same thing if we find the box has been rooted and we have a command shell, and issuing "rm" commands to remove known viruses in known locations? Should we have a complete class of tests that takes advantage of remote shells, downloads software so that we can get a better view of the system (e.g. get a list of all rpm's installed, etc.) If not, why not? This test, IMO, is on the leading edge of a slippery slope.
Thomas
_______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
