Nessus Plugin and NW servers
stoermer at unt.edu
Fri Aug 15 16:47:09 GMT 2003
Sorry! Yes, I should have included that info.
From Novell's TIDs - Searched on the nlm from the abend log. That's how we made the association to Nessus.
BTCPCOM CPU Hog ABEND Fix - TID2966492 (last modified 11JUL2003)
>>> usts046 at uabdpo.dpo.uab.edu 08/15/03 10:19AM >>>
Chris Stoermer, could you give us any more info on the Novell patch
for NW6? We're wanting to run the new nessus scan for ms03026
and don't want to knock off any Novell servers.
On Fri, 15 Aug 2003 08:24:19 -0500 Stan Putnam said:
>We're running NW6, but I can't find anything on the Novell site about this
>patch. Can you give me more information?
>Stan K. Putnam
>UAB Office of Technology and Research
>> -----Original Message-----
>> From: Douglas McLean [mailto:USTS046 at UABDPO.DPO.UAB.EDU]
>> Sent: Thursday, August 14, 2003 10:48 PM
>> To: TIMGROUP at UABDPO.DPO.UAB.EDU
>> Subject: (Fwd) Re: [unisog] Nessus Plugin and RPC Cleanup Webpage
>> Who has Netware6 running??? Please patch. We want to run
>> this nessus scan across the campus, and apparently you really
>> need to patch anyway.
>> HSIS: we don't scan 126.96.36.199/17
>> ------- Forwarded message follows -------
>> Date sent: Thu, 14 Aug 2003 14:22:44 -0500
>> From: "Chris Stoermer" <stoermer at unt.edu>
>> To: <unisog at sans.org>
>> Subject: Re: [unisog] Nessus Plugin and RPC
>> Cleanup Webpage
>> Nessus warning for Netware users
>> There is a patch for Netware6 servers you need to apply
>> before you run Nessus against your servers. We didn't know
>> about this until after we made our first pass. All 5 of our
>> SAN attached, replica holders abended...dead in the water.
>> Also, all our NDPS printers with IP addresses printed a junk
>> session of about 6 pages.
>> >>> <Phil.Rodrigues at uconn.edu> 08/13/03 01:43PM >>>
>> Hi all,
>> Two students here (Keith Bessette and Lina Pezzella) have
>> tweaked Nessus plugin #11808 to return more accurate
>> info about RPC-DCOM vulnerabilities, especially when scanning
>> Windows 95/98/ME computers (that Nessus previously reported
>> as "vulnerable"). It now returns the same
>> basic info as v1.04 of EEye's tool. Find it at:
>We have developed a webpage to help support staff respond to the
>Stealther.Trojan compromises, MS Blast infections, and RPC-DCOM
>vulnerabilities in our network. It may be useful to other schools:
>We have noticed that a large number of our Windows 2000 hosts seems to have
>had TCP 135 close when RPC crashed after the worm tried unsuccessfully to
>use the Win XP offset to compromise them. Since these hosts no longer have
>TCP 135 open they do not appear as "Vulnerable" to our scanners, and thus we
>are passing over them in our sweeps. However, the guess is they will be
>vulnerable after they reboot and therefore are still at risk of being
>infected. Anyone have a solution to this?
>Philip A. Rodrigues
>Network Analyst, UITS
>University of Connecticut
>email: phil.rodrigues at uconn.edu
>web: http://www.security.uconn.edu
>------- End of forwarded message -------