Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Port scan causing system crashes
From: Death Star <deathstar () optonline net>
Date: Mon, 16 Jun 2003 13:50:05 -0400


The only time nmap has crashed a system in my case was when I performed
the scan on an MVS system. MVS/VMS and other legacy systems are also
very sensitive to port scans. After viewing the system logs it appears
that the system socket handling was bad, I mean most of the open sockets
were left open sitting in the queue. That's why the best way to use nmap
on systems like this is by including the Polite argv[] (-T Polite) to
minimize the number of open sockets to the system.
-----Original Message-----
From: Martin Walker [mailto:martin.walker () ctg com] 
Sent: Monday, June 16, 2003 10:17 AM
To: steve.x.jones () royalmail com; pen-test () securityfocus com
Subject: RE: Port scan causing system crashes

Yes.  In the thousand or so boxes I've scanned over the last year I've
had three crash.  One was an HP9000 box with an unpatched OS that also
had a firmware corruption (that the client knew about and ignored).
This one didn't come back up easily.  The second was a Windows 2000
server that had slammer, again, installed right off the CD and unpatched
for 3years.  This box crashed on a regular basis anyway and didn't need
much help to fall over.  The third was a Nortel Meridan PBX that, like
*EVERY* PBX/VM out there that is built on top of a UNIX, was built in a
completely INSECURE way (sorry, AT&T yours too).

The common thread?  The platforms were all incorrectly configured,
unpatched and except for the PBX crashed regularly anyway. 

-----Original Message-----
From: steve.x.jones () royalmail com [mailto:steve.x.jones () royalmail com] 
Sent: Thursday, June 12, 2003 7:23 AM
To: pen-test () securityfocus com
Subject: Port scan causing system crashes




Hello

Please can you help?  Has any-one else out there had issues with NMAP
port scans (or any other port scanner) causing systems to crash?

I use Nessus to baseline the security of our systems and have twice had
problems caused by the NMAP port scan on clustered unix boxes running
our enterprise applications.  NOTE - it was the initial port scan that
caused the problems, not the subsequent vulnerability assessment. I've
done a quick Google search and found confirmation for one of the systems
- BUGTRAQ Vulnerability 3358, "IBM HACMP Port Scan Denial of Service
Vulnerability", the other was a bespoke app running on some HP UX boxes.

Does any-one know of other systems that fall over with a simple port
scan?

Up til now I've been running port scans happily across our subnets to
look for rogue FTP, SMTP, HTTP etc, obviously I'll have to take more
care now...

Thanks in advance for any help.

Steve



This  email  and  any  attachments  are confidential and intended for
the addressee
only.   If  you are not the named recipient, you must not use, disclose,
reproduce,
copy  or  distribute the contents of this communication.  If you have
received this in error, please contact the sender and then delete this
email from your system.



------------------------------------------------------------------------
---
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas,
the
world's premier technical IT security event! 10 tracks, 15 training
sessions,
1,800 delegates from 30 nations including all of the top experts, from
CSO's to
"underground" security specialists.  See for yourself what the buzz is
about!
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]