
Re: System panic and password file corrupted after scanned by nessus

 
yc_2
Regular Advisor

System panic and password file corrupted after scanned by nessus

Hi,

A core file was generated during scanning by nessus (www.nessus.com). It caused the root file system to fill up and corrupted the password file. It is strange that information from the core file points to NNM, which is not installed on the system.

Has anyone encountered the above incident before and would like to share? It is our company policy to scan the servers periodically. Hence, I need to have the necessary information before the next scan to avoid another Ignite restore.

Server information:
1) N-class
2) HP-UX 11.00
3) MCSG
4) OmniBack installed
5) Oracle RDBMS


Thanks in advance,
YC
melvyn burnard
Honored Contributor

Re: System panic and password file corrupted after scanned by nessus

If the system is running Serviceguard, did the box TOC?
If so, it is probably caused by nessus scanning all known network ports and blocking Serviceguard traffic, hence the cmcld dies.
You do not say what version of Serviceguard, but you should ensure you are running a currently supported version, and have the latest SG patch installed.
If you are unsure of whether it was a SG TOC, get the dump checked out by your local HP Response Centre.
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
yc_2
Regular Advisor

Re: System panic and password file corrupted after scanned by nessus

Hi,

Service Guard version A.11.09.

nessus was used to scan the two nodes of SG on 11 Jun (Friday) around 8:00pm.

On 14 Jun (Monday), I found that it was not possible to log in to the first node through console, telnet, ftp and remote shell. However, other application services were running fine, such as Oracle RDBMS, Oracle Financial, cron job, Service Guard, etc.

I was able to log in to the second node and found a core file (dated 11 Jun 8:34pm) which caused the root file system to reach 100%. The core file was moved to another file system.

On the first node, I performed a control-B and reset the host to single user but failed as the system said the password file was corrupted.

Managed to bring up the first node using Ignite and retrieved the syslog.log file from the backup tape and also found a core file (dated 11 Jun 8:34pm) in the root file system.

I suspect the following events happened on the first node:
A huge core file was generated by the scanning, and it caused the root file system to fill up and the password file to become corrupted. I was lucky that I was able to log in to the second node to remove the core file.

The core file was sent to HP to analyze, but HP said the core file was from NNM, and neither of the two nodes has NNM installed.

Please advise if there is any other possibility that could have caused the password file to become corrupted.



Rgds,
YC
Mei Jiao
Respected Contributor

Re: System panic and password file corrupted after scanned by nessus

Hello,

This is a core file generated in the root filesystem, hence causing users to be unable to log in because the root filesystem is full.

To check what generated the core file, normally we run the following 3 commands:
# ll core
# file core
# what core

Could you let us know the above output, please? Thanks.
Tim Maletic
Valued Contributor

Re: System panic and password file corrupted after scanned by nessus

YC: please keep us up-to-date via this forum with how HP is responding to this issue. If a remote nessus scan can cause / to fill and lead to corrupt system files, then this is a serious vulnerability. In addition, many of us run nessus against our systems regularly, and need to know the root cause of this problem.

Thanks for your post. -Tim
generic_1
Respected Contributor

Re: System panic and password file corrupted after scanned by nessus

Do you have an alternate filesystem set up for crash/core files on your system? You probably do, but if you don't, you may want to consider setting one up. Also, if you have something like tivoli, autosys, powerbroker, you might be able to unclog root via those tools, since they have daemons that execute things as root. I know sometimes I have even had issues logging in on console when a core file fills up root real bad. Hope you find a fix.
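
A check that could be run after each scan, given the failure described in this thread (a core file filling the root file system), shown as an added example that is not from any poster or from HP: it reports file system usage and lists core files modified since a marker file was touched before the scan. The function names, the marker path and the 90% threshold are assumptions, as is the availability of `df -P` and `find -xdev` on the target system.

```shell
#!/bin/sh
# Added example: post-scan check for core files and filesystem usage.
# Assumptions: POSIX sh, df -P and find -xdev; names and the 90% default
# threshold are illustrative.

# Print the use percentage (digits only) of the filesystem holding $1.
fs_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# List files named "core" under $1 without crossing mount points.
# If $2 names a marker file, list only cores modified after it.
find_cores() {
    if [ -n "$2" ]; then
        find "$1" -xdev -type f -name core -newer "$2" -print 2>/dev/null
    else
        find "$1" -xdev -type f -name core -print 2>/dev/null
    fi
}

# Return 0 if clean, 1 if usage >= limit or a new core file exists.
# Usage: post_scan_check DIR [MARKER] [LIMIT_PCT]
post_scan_check() {
    dir=$1; marker=$2; limit=${3:-90}; status=0
    pct=$(fs_used_pct "$dir")
    case $pct in ''|*[!0-9]*) pct=0 ;; esac   # unparsable df output
    if [ "$pct" -ge "$limit" ]; then
        echo "WARN: filesystem holding $dir is ${pct}% full"
        status=1
    fi
    cores=$(find_cores "$dir" "$marker")
    if [ -n "$cores" ]; then
        status=1
        echo "$cores" | while IFS= read -r f; do
            echo "WARN: core file found:"
            ls -l "$f"
            # Identify the program that dumped core, when file(1) exists.
            if command -v file >/dev/null 2>&1; then file "$f"; fi
        done
    fi
    return $status
}

# Typical use: touch /tmp/scan.start before the scan, then afterwards:
#   post_scan_check / /tmp/scan.start 90
```

Running it from cron shortly after the scheduled scan window gives a warning before the root file system reaches 100%.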