[unisog] Nessus Plugin and RPC Cleanup Webpage

Ronni Wilkinson ronni at sc.edu
Thu Aug 14 01:45:50 GMT 2003


Thanks for the plugin!

We integrated the nasl plugin from Nessus into our Netreg and it
doesn't let them register until they pass the scan. We redirect them
to a local page with the patches and it tells the Win9x people they
need to place trouble tickets to get manually registered. This will
help a lot by reducing the false positives.

This doesn't help the pre-infected, but it reduces our workload
considerably and educates many of them about the existence of
the patching process.

-Ronni
----------------------------
Ronni Wilkinson
Information Technology Security Officer
Computer Services
University of South Carolina
576-5626


Phil.Rodrigues at uconn.edu wrote:
> Hi all,
> 
> Two students here (Keith Bessette and Lina Pezzella) have tweaked Nessus 
> plugin #11808 to return more accurate info about RPC-DCOM 
> vulnerabilities, especially when scanning Windows 95/98/ME computers (that 
> Nessus previously reported as "vulnerable").  It now returns the same 
> basic info as v1.04 of EEye's tool.  Find it at:
> 
> http://hogwash.uits.uconn.edu/msrpc.nasl
> 
> We have developed a webpage to help support staff respond to the 
> Stealther.Trojan compromises, MS Blast infections, and RPC-DCOM 
> vulnerabilities in our network.  It may be useful to other schools:
> 
> http://www.security.uconn.edu/rpc_procedure.html
> 
> We have noticed that a large number of our Windows 2000 hosts seem to 
> have had TCP 135 close when RPC crashed after the worm tried 
> unsuccessfully to use the Win XP offset to compromise them.  Since these 
> hosts no longer have TCP 135 open they do not appear as "Vulnerable" to 
> our scanners, and thus we are passing over them in our sweeps.  However, 
> the guess is they will be vulnerable after they reboot and therefore are 
> still at risk of being infected.  Anyone have a solution to this?
> 
> Phil
> 
> =======================================
> Philip A. Rodrigues
> Network Analyst, UITS
> University of Connecticut
> 
> email: phil.rodrigues at uconn.edu
> phone: 860.486.3743
> fax: 860.486.6580
> web: http://www.security.uconn.edu
> =======================================
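
The blind spot raised in the quoted message (hosts whose TCP 135 closed after RPC crashed no longer show up as "Vulnerable") can be kept visible by triaging on sweep history rather than on the latest sweep alone. The following is an added example, not part of either post or of the UConn plugin; the record fields, verdict strings and addresses are constructed, and it assumes earlier sweep results are retained.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Observation:
    sweep: int               # sweep sequence number, higher is more recent
    host: str
    tcp135_open: bool
    verdict: Optional[str]   # "vulnerable", "patched", or None if the check could not run

def classify(history):
    """Triage state for one host from all of its observations."""
    obs = sorted(history, key=lambda o: o.sweep)
    latest = obs[-1]
    if latest.tcp135_open and latest.verdict in ("vulnerable", "patched"):
        return latest.verdict
    # Port closed now: a closed port is not evidence of a patch, so fall
    # back on the last sweep in which the check actually reached the service.
    conclusive = [o for o in obs if o.tcp135_open and o.verdict]
    if not conclusive:
        return "unknown"
    if conclusive[-1].verdict == "patched":
        return "patched"
    # Was vulnerable, port has since closed: rescan once the host reboots.
    return "recheck-after-reboot"

def triage(observations):
    """Map each host to its triage state."""
    by_host = defaultdict(list)
    for o in observations:
        by_host[o.host].append(o)
    return {host: classify(h) for host, h in by_host.items()}

# Constructed sample data (documentation address range).
SAMPLE = [
    Observation(1, "192.0.2.10", True, "vulnerable"),
    Observation(2, "192.0.2.10", False, None),
    Observation(1, "192.0.2.11", True, "patched"),
    Observation(2, "192.0.2.11", True, "patched"),
    Observation(2, "192.0.2.12", True, "vulnerable"),
    Observation(1, "192.0.2.13", False, None),
    Observation(2, "192.0.2.13", False, None),
]

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE).items()):
        print(host, state)
```

Hosts in the "recheck-after-reboot" state stay on the follow-up list until a later sweep reaches TCP 135 again and returns a verdict.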
