> On Thu, Nov 11, 2004 at 09:15:01AM -0600, Sawall, Christopher L wrote:
> 
> > root      4835  4795 51 08:04 pts/4    00:00:10 strace nessus -c
> > /root/.nessusrc -T nbe -V localhost 1241 amerenscan PWD testhost
> ...
> > root      4837  4739 40 08:04 ?        00:00:08 nessusd: serving
> > 127.0.0.1
> 
> Actually, I'm interested in a trace of nessusd rather than 
> nessus. After you start a scan, get a process list, find the 
> pid of the one that says
> "nessusd: serving 127.0.0.1" and then do "strace -p $pid", 
> where $pid is 
> the pid you found before.
>

Alright, now things are getting really weird.  I did exactly what you
stated above.  I started a nessus scan, got the PID of the "nessusd:
serving 127.0.0.1" process, and attached strace to it.  I let the scan go and it
hung there for over 2 1/2 hours.  I finally killed the strace, the nessus
client and the "nessusd: serving" process.  I was capturing the strace output to a file
(using PuTTY).  For that 2 1/2 hours, there is about 182 MB of log data.


It just seems to be repeating over and over again.  It looks like it
just keeps doing DNS queries for the host it is trying to scan.  It tries
the hostname with every search suffix and against every DNS server that I
have defined in resolv.conf (3 DNS servers and 5 domain suffixes on the
search line).  Decoding the reply flags in the trace, the queries for the
bare name come back with RCODE 2 (SERVFAIL) from all three servers and the
suffixed ones with RCODE 3 (NXDOMAIN), so the resolver never gets a usable
answer and starts the cycle again.

Here is part of the strace, which basically just keeps repeating; I
never saw anything new.  Note - I replaced a few things in the trace:
I have substituted NETWORK, DOMAIN, DOMAINA and DOMAINB for the actual
data to protect the innocent.

socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.5")}, 28) = 0
send(7, ">,\1\0\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 25, 0) = 25
gettimeofday({1100212419, 72959}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 6000) = 1
ioctl(7, FIONREAD, [25])                = 0
recvfrom(7, ">,\201\202\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.5")}, [16]) = 25
close(7)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 7
connect(7, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1
ENOENT (No such file or directory)
close(7)                                = 0
open("/etc/hosts", O_RDONLY)            = 7
fcntl64(7, F_GETFD)                     = 0
fcntl64(7, F_SETFD, FD_CLOEXEC)         = 0
fstat64(7, {st_mode=S_IFREG|0644, st_size=186, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xf6fae000
read(7, "# Do not remove the following li"..., 4096) = 186
read(7, "", 4096)                       = 0
close(7)                                = 0
munmap(0xf6fae000, 4096)                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, 28) = 0
send(7, ">-\1\0\0\1\0\0\0\0\0\0\7secmon1\6DOMAIN\3com\0"..., 36, 0) = 36
gettimeofday({1100212419, 83030}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(7, FIONREAD, [105])               = 0
recvfrom(7, ">-\205\203\0\1\0\0\0\1\0\0\7secmon1\6DOMAIN\3com\0"...,
1024, 0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, [16]) = 105
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, 28) = 0
send(7, ">.\1\0\0\1\0\0\0\0\0\0\7secmon1\3dir\6DOMAIN\3"..., 40, 0) = 40
gettimeofday({1100212419, 95277}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(7, FIONREAD, [95])                = 0
recvfrom(7, ">.\201\203\0\1\0\0\0\1\0\0\7secmon1\3dir\6DOMAIN\3"...,
1024, 0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, [16]) = 95
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, 28) = 0
send(7, ">/\1\0\0\1\0\0\0\0\0\0\7secmon1\4DOMAIN\3dir\6am"..., 45, 0) =
45
gettimeofday({1100212419, 100901}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(7, FIONREAD, [117])               = 0
recvfrom(7, ">/\205\203\0\1\0\0\0\1\0\0\7secmon1\4DOMAIN\3dir\6am"...,
1024, 0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, [16]) = 117
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, 28) = 0
send(7, ">0\1\0\0\1\0\0\0\0\0\0\7secmon1\3DOMAINA\3dir\6ame"..., 44, 0)
= 44
gettimeofday({1100212419, 110393}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(7, FIONREAD, [95])                = 0
recvfrom(7, ">0\201\203\0\1\0\0\0\1\0\0\7secmon1\3DOMAINA\3dir\6ame"...,
1024, 0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, [16]) = 95
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, 28) = 0
send(7, ">1\1\0\0\1\0\0\0\0\0\0\7secmon1\tDOMAINB\3d"..., 50, 0) = 50
gettimeofday({1100212419, 117342}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(7, FIONREAD, [109])               = 0
recvfrom(7, ">1\201\203\0\1\0\0\0\1\0\0\7secmon1\tDOMAINB\3d"..., 1024,
0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, [16]) = 109
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, 28) = 0
send(7, ">2\1\0\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 25, 0) = 25
gettimeofday({1100212419, 120745}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(7, FIONREAD, [25])                = 0
recvfrom(7, ">2\201\202\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, [16]) = 25
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.89.1.31")}, 28) = 0
send(7, ">2\1\0\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 25, 0) = 25
gettimeofday({1100212419, 125103}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 3000) = 1
ioctl(7, FIONREAD, [25])                = 0
recvfrom(7, ">2\201\202\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.89.1.31")}, [16]) = 25
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.5")}, 28) = 0
send(7, ">2\1\0\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 25, 0) = 25
gettimeofday({1100212419, 129141}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 6000) = 1
ioctl(7, FIONREAD, [25])                = 0
recvfrom(7, ">2\201\202\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.5")}, [16]) = 25
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, 28) = 0
send(7, ">2\1\0\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 25, 0) = 25
gettimeofday({1100212419, 132198}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(7, FIONREAD, [25])                = 0
recvfrom(7, ">2\201\202\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, [16]) = 25
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.89.1.31")}, 28) = 0
send(7, ">2\1\0\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 25, 0) = 25
gettimeofday({1100212419, 137093}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 3000) = 1
ioctl(7, FIONREAD, [25])                = 0
recvfrom(7, ">2\201\202\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.89.1.31")}, [16]) = 25
close(7)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.5")}, 28) = 0
send(7, ">2\1\0\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 25, 0) = 25
gettimeofday({1100212419, 140522}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 6000) = 1
ioctl(7, FIONREAD, [25])                = 0
recvfrom(7, ">2\201\202\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.5")}, [16]) = 25
close(7)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 7
connect(7, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1
ENOENT (No such file or directory)
close(7)                                = 0
open("/etc/hosts", O_RDONLY)            = 7
fcntl64(7, F_GETFD)                     = 0
fcntl64(7, F_SETFD, FD_CLOEXEC)         = 0
fstat64(7, {st_mode=S_IFREG|0644, st_size=186, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xf6fae000
read(7, "# Do not remove the following li"..., 4096) = 186
read(7, "", 4096)                       = 0
close(7)                                  = 0
munmap(0xf6fae000, 4096)                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, 28) = 0
send(7, ">3\1\0\0\1\0\0\0\0\0\0\7secmon1\6DOMAIN\3com\0"..., 36, 0) = 36
gettimeofday({1100212419, 147858}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(7, FIONREAD, [105])               = 0


I hope this helps.  I can run the strace again.  It just looked like it
was never going to end, and it had already run more than twice as long as any
previous scan, so I killed it.

Thanks,
Chris

*******************************
The information contained in this message may be privileged and/or confidential 
and 
protected from disclosure. If the reader of this message is not the intended 
recipient, 
or an employee or agent responsible for delivering this message to the intended 
recipient, 
you are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. Note that any views or opinions presented 
in this 
message are solely those of the author and do not necessarily represent those 
of Ameren. 
All emails are subject to monitoring and archival. Finally, the recipient 
should check 
this message and any attachments for the presence of viruses. Ameren accepts no 
liability 
for any damage caused by any virus transmitted by this email. If you have 
received this in 
error, please notify the sender immediately by replying to the message and 
deleting the 
material from any computer. Ameren Corporation 
*******************************

