[Openvas-plugins] [Openvas-discuss] "False negative" and strange UDP 32789 port
michael.meyer at intevation.de
Fri Jan 8 18:07:02 CET 2010
*** Jonas Andradas <jonas at andradas.es> wrote:
> Related to the false positive Fidel Castro reported on December 18th, I
> wanted to share a "false negative". I am scanning an APC Smart-UPS 1000 RM
> device (with version 3.5.5 of APC OS). On port 80 , there is a web server
> which, upon an empty GET request, freezes or, at least, becomes
> unresponsive. This also makes unresponsive the Telnet server running on the
> device. After a while, services are restored. OpenVAS did not report this
> issue, but Nessus 4 did report it as "Linksys WRT54G Empty GET Request
> Remote DoS".
The feed contains 'linksys_empty_GET_DoS.nasl' which send an empty
GET Request to every open HTTP-Port.
Please try to run this plugin at command-line.
openvas-nasl -X -t <target> /var/lib/openvas/plugins/linksys_empty_GET_DoS.nasl
Any result? Did the webserver freezes?
> The other issue I would like to comment and ask about is that on some of my
> recent scans, I've seen that, when there is an SNMP service with default
> credentials ("public" and/or "private", for example), sometimes I get a
> result in the report for a Security Hole on port 32789 UDP, which states
> that an SNMP server responds to these default community names. I was not
> scanning that UDP port on the Options (and I have checked the parameter that
> makes consider all unscanned ports as closed).
Port 161 and port 32789 are hardcoded in snmp_default_communities.nasl.
Please try to run this plugin at command line too. Maybe have a look
at the traffic by running tcpdump or wireshark.
I would be happy to help you, but for that I need your support. If
you're willing to do, just contact me privately. Then we can make a
Michael Meyer OpenPGP Key: 76E050B9
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
More information about the Openvas-plugins