One more piece of useful information: the same servers were scanned two weeks ago without incident. The difference between that scan and the one that brought down the servers today (and a month ago): that scan tested all ports (1-65535), authenticated with a domain admin account, and enabled all plugins (except the unsafe ones).
From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org] On Behalf Of John Scherff
Sent: Saturday, December 09, 2006 5:15 PM
To: nessus@list.nessus.org
Subject: NESSUS CRASHING CITRIX METAFRAME SERVERS
Tenable/List,
Starting last month, Nessus began crashing our Citrix Metaframe farm (approximately 60 servers). The same scan ran every month without incident for over a year prior to November. It may be the case that the scan did not bring down all the servers, but brought down certain services that are critical to Metaframe functionality. Here's a quote from the Citrix administrator:
It seems that somehow the scan causes the IMA (Independent Management Architecture) service to stop on almost all the MF servers. There were only 5 that did not have the IMA service stopped. Of course, when that happens, they are dead to the ZDC (Zone Data Collector), which reports them as Server Down. The IMA service is critical to the communication between the MF servers and the ZDC.
Pertinent facts:
- Scan authentication: none
- Nessus version: 3.0.4
- Plugin feed version: 200612082115
- Type of plugin feed: Direct
- Port scanner(s): nessus_tcp_scanner
- Port range: default
- Thorough tests: yes
- Experimental tests: no
- Safe checks: yes
- Max hosts: 10
- Max checks: 4
- Scan start date: 2006/12/9 12:32
- Scan duration: 155 sec
Nothing dangerous appears to be turned on, except possibly "thorough tests." I use Edgeos' python-based update-nessusrc.py script to keep the config file up-to-date. The parameters I pass to the script (which show the plug-in families I use) are in the attached file, update.txt.
The same servers were scanned last week with ONLY local security checks / Microsoft bulletins turned on (checks for missing patches only). Those scans use the same settings as above, only the port range is 1-65535, and Nessus authenticates to the servers with an account in the Domain Admins group. That scan did not impact the servers at all.
John Scherff
Sr. IT Security Analyst
24 Hour Fitness
jscherff@24hourfit.com
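As an added example (not part of this thread, and not Tenable's or Citrix's code): once the IMA failure can be reproduced on one expendable farm member, the quickest way to find the plugin family responsible is to bisect the enabled family list, rescanning with half of the families at a time and checking the service after each run. The script below does that bisection over a caller-supplied probe; the `SimulatedMetaframeHost` class, the family list and the `isolate_culprit` name are all constructed for illustration, and a real probe would run the scan with the given families and then check the IMA service state on the target (for example with `sc query` against the service), returning True if it stopped.

```python
"""Bisect a scan's plugin families to find which ones stop a target service.

Added example for the mailing-list thread above; nothing here talks to Nessus
or to a real Citrix server. The probe is supplied by the caller.
"""
from typing import Callable, List, Sequence, Set

# A probe runs one scan limited to exactly these families against one
# expendable host, then checks the monitored service. True means it stopped.
Probe = Callable[[Sequence[str]], bool]

# Illustrative family list (constructed; the real list lives in update.txt).
FAMILIES = ["Windows", "Backdoors", "CGI abuses", "FTP",
            "General", "Misc.", "RPC", "Web Servers"]


def isolate_culprit(families: Sequence[str], scan_kills_service: Probe) -> Set[str]:
    """Return a minimal set of families whose combined scan stops the service.

    Assumes the usual monotone behaviour: if a set of families kills the
    service, any superset does too. With a single responsible family this
    needs O(log n) scans; an interaction between families is handled by
    shrinking each half against the other.
    """
    families = list(families)
    if not scan_kills_service(families):
        return set()  # the full scan is harmless; nothing to isolate
    while len(families) > 1:
        mid = len(families) // 2
        left, right = families[:mid], families[mid:]
        if scan_kills_service(left):
            families = left
        elif scan_kills_service(right):
            families = right
        else:
            # Neither half alone stops the service: the failure needs
            # families from both halves, so minimise each against the other.
            left = _shrink(left, right, scan_kills_service)
            right = _shrink(right, left, scan_kills_service)
            return set(left) | set(right)
    return set(families)


def _shrink(part: List[str], other: Sequence[str], scan_kills_service: Probe) -> List[str]:
    """Drop families from `part` one at a time while part+other still kills."""
    part = list(part)
    i = 0
    while i < len(part):
        candidate = part[:i] + part[i + 1:]
        if scan_kills_service(candidate + list(other)):
            part = candidate  # this family was not needed for the failure
        else:
            i += 1
    return part


class SimulatedMetaframeHost:
    """Constructed stand-in for one farm member; counts scans for the reader.

    `fragile` is a list of family combinations; IMA 'stops' when a scan
    includes every family of at least one combination.
    """

    def __init__(self, fragile: Sequence[frozenset]):
        self.fragile = [frozenset(c) for c in fragile]
        self.scans = 0

    def scan(self, families: Sequence[str]) -> bool:
        self.scans += 1
        enabled = set(families)
        return any(combo <= enabled for combo in self.fragile)


def demo_single_culprit() -> Set[str]:
    host = SimulatedMetaframeHost([frozenset({"RPC"})])
    return isolate_culprit(FAMILIES, host.scan)


def demo_interaction() -> Set[str]:
    host = SimulatedMetaframeHost([frozenset({"RPC", "Windows"})])
    return isolate_culprit(FAMILIES, host.scan)


if __name__ == "__main__":
    print("single culprit:", demo_single_culprit())
    print("interaction:   ", demo_interaction())
```

Each probe call is one scan of one host plus a service check, so run it against a single farm member taken out of the ZDC rather than the whole farm, and keep the remaining settings (thorough tests, unauthenticated, default port range) identical to the scan that caused the outage so that the bisection reproduces the same conditions.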