I was working on an ESX upgrade project for a client last week, and had an incident (lower case "i") that I thought might be interesting to our readers.
If you've had a success story, where you've implemented a scheduled scanning process and found an unexpected issue that needed a resolution, please let us know in our comment form. Alternatively, if you've accidentally DOS'd a production service, that also makes a great comment!
Rob VandenBrink 555 Posts ISC Handler Jan 29th 2013
Jan 29th 2013 7 years ago
Who hasn't DOS'd a production service? We tied our web application firewall in knots that left us scratching our heads till we remembered that pre-scheduled Nessus scan....
Peter 1 Posts
Jan 29th 2013 7 years ago
Fragile services are the bane of automated scanning. Reporting to vendors that a simple port scan crashes their daemon to which they respond with essentially a blank stare is the even more exciting part.
Carl 1 Posts
Jan 29th 2013 7 years ago
A fun side effect of a regular vulnerability scan: during the discovery part, the system fires a couple of NTP probes. A storage controller decided to interpret them as fully valid (although they weren't), and shifted its internal clock to the infamous year 2038. Promptly thereafter it triggered an alarm for its backup battery, which hadn't been serviced in 28 years! It took a couple of controller exchanges and weekly battery failures to find out the culprit...
Steph 7 Posts
Jan 29th 2013 7 years ago
I had an old desktop PC acting as a firewall, that would go down when port scanned. Eventually I realized this was because it was configured headless, with a 9600 bps terminal interface, but I had neglected to turn off syslog messages to the console. The kernel became so busy writing out the backlog of rejected packet messages to the slow terminal interface it had no time for anything else.
Anonymous
Jan 29th 2013 7 years ago
Well, HL7 services are normally configured with a single client connection, hang on forever. Guess what happens when you portscan them with a full handshake and forget to close the connection in the portscan run. We ended up firewalling off the scanner by IP address in Windows Firewall until we got the explanation. Basically ended up telling the scanner "don't scan this IP/port". We left the site to deal with the potential security problem after that (it might not be -- it is perfectly sane to consider the datacenter LAN secure).
Anonymous
Jan 29th 2013 7 years ago
I once scanned our external network, looking for web application vulnerability scans, using Acunetix. On a couple of pages there were some fill-in scripts that went crazy and sent hundreds of thousands of emails to a couple of internal addresses.
Of course this wasn't a planned "change", just a small test on my part to test the vulnerability scanner. Result - the email service was down for the whole day. They discovered the problem, and thought that the best idea would be a CAPTCHA. But... taking this responsibility was too much for some people. So... here I was. After a year I tried a web application vulnerability scanner again (don't remember which one). Result -> no emails for the whole day, because they hadn't fixed the problem. Things happen :)
Anonymous
Jan 30th 2013 7 years ago