CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
Percentile
85.2%
One of several ports that were previously open are now closed or unresponsive.
There are several possible reasons for this :
The scan may have caused a service to freeze or stop running.
An administrator may have stopped a particular service during the scanning process.
This might be an availability problem related to the following :
A network outage has been experienced during the scan, and the remote network cannot be reached anymore by the scanner.
This scanner may has been blacklisted by the system administrator or by an automatic intrusion detection / prevention system that detected the scan.
The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective.
In any case, the audit of the remote host might be incomplete and may need to be done again.
#
# (C) Tenable Network Security, Inc.
#
# Services known to crash or freeze on a port scan:
#
# ClearCase (TCP/371)
# NetBackup
# gnome-session on Solaris
#
################
# References
################
#
# From: [email protected]
# To: [email protected], [email protected],
# [email protected]
# CC: [email protected], [email protected],
# [email protected], [email protected]
# Date: Fri, 22 Nov 2002 10:30:11 +0100
# Subject: ClearCase DoS vulnerabilty
#
# CVE-2008-5684
#
################
# Changes
################
#
# Edited by Herman Young <[email protected]>
include("compat.inc");
if (description)
{
script_id(10919);
script_version("1.47");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/20");
script_xref(name:"IAVB", value:"0001-B-0509");
script_name(english:"Open Port Re-check");
script_summary(english:"Check if ports are still open");
script_set_attribute(attribute:"synopsis", value:"Previously open ports are now closed.");
script_set_attribute(attribute:"description", value:
"One of several ports that were previously open are now closed or
unresponsive.
There are several possible reasons for this :
- The scan may have caused a service to freeze or stop
running.
- An administrator may have stopped a particular service
during the scanning process.
This might be an availability problem related to the following :
- A network outage has been experienced during the scan,
and the remote network cannot be reached anymore by the
scanner.
- This scanner may has been blacklisted by the system
administrator or by an automatic intrusion detection /
prevention system that detected the scan.
- The remote host is now down, either because a user
turned it off during the scan or because a select denial
of service was effective.
In any case, the audit of the remote host might be incomplete and may
need to be done again.");
script_set_attribute(attribute:"solution", value:
"Steps to resolve this issue include :
- Increase checks_read_timeout and/or reduce max_checks.
- Disable any IPS during the Nessus scan");
script_set_attribute(attribute:"risk_factor", value:"None");
script_set_attribute(attribute:"plugin_publication_date", value:"2002/03/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_END);
script_copyright(english:"This script is Copyright (C) 2002-2023 Tenable Network Security, Inc.");
script_family(english:"General");
script_dependencies("find_service1.nasl");
script_exclude_keys("Host/dead");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
function malware_is_running_on_port(port)
{
local_var l, s;
if (get_kb_item('backdoor/TCP/'+port) ||
get_kb_item('ftp/'+port+'/broken') ||
get_kb_item('ftp/'+port+'/backdoor') )
return 1;
l = get_kb_list('ftp/'+port+'/backdoor');
if ( !isnull(l) ) return 1;
l = get_kb_list('Known/tcp/'+port);
foreach s (l)
if (s == 'malware-distribution')
return 1;
else if (s == '220backdoor')
return 1;
return 0;
}
if (get_kb_item("Host/dead")) exit(0, "The remote host was found to be dead.");
#
# Do not do a false positive if netstat or the snmp
# port scanners have been used.
#
if (get_kb_item("Host/scanners/netstat")) exit(0, "The Netstat port scanner was used to enumerate ports.");
if (get_kb_item("Host/scanners/snmp_scanner") ) exit(0, "The SNMP port scanner was used to enumerate ports.");
ports = get_kb_list("Ports/tcp/*");
if (isnull(ports)) exit(0, "No TCP ports were found to be open.");
number_of_ports = 0;
closed_ports = 0;
read_timeout = get_read_timeout();
timeout = 2 * read_timeout; # Make sure we don't miss something.
myreport = "";
# Gather list of starttls ports, we will use ENCAPS_IP transport
# for them, rather than the SSL/TLS they might be marked as.
var starttls_ports = [];
foreach var key (keys(get_kb_list('*/starttls')))
{
var pieces = split(key, sep:'/', keep:FALSE);
# KB are of form '<something-something>/<port>/starttls'
if (empty_or_null(pieces[len(pieces) - 2]))
continue;
var potential_port = pieces[len(pieces) - 2];
if (potential_port =~ "^[0-9]+$")
starttls_ports = make_list(starttls_ports, potential_port);
}
foreach port (keys(ports))
{
number_of_ports ++;
port = int(port - "Ports/tcp/");
if ( port == 139 || port == 445 ) continue;
if (malware_is_running_on_port(port: port)) continue;
k = strcat('/tmp/ConnectTimeout/TCP/', port);
vk = get_kb_item(k);
if (vk)
{
replace_kb_item(name: k, value: 0);
rm_kb_item(name:k); # Works if Nessus >= 3.2
myreport = strcat(myreport, 'Port ', port, ' was detected as being open initially but was found unresponsive later.\n It is now ');
}
# Only check syn-synack-ack on starttls ports
var use_clear_text_encaps_on_starttls_port = FALSE;
foreach var starttls_port (starttls_ports)
{
if (starttls_port != port) continue;
use_clear_text_encaps_on_starttls_port = TRUE;
break;
}
then = unixtime();
if (use_clear_text_encaps_on_starttls_port)
s = open_sock_tcp(port, timeout: timeout, transport:ENCAPS_IP);
else
s = open_sock_tcp(port, timeout: timeout);
now = unixtime();
if (! s)
{
if (! vk)
myreport = strcat(myreport, 'Port ', port, " was detected as being open but is now ");
else
replace_kb_item(name: k, value: vk);
if (now - then < timeout - 1)
myreport += 'closed\n';
else
myreport += 'unresponsive\n';
closed_ports++;
}
else
{
if (vk) myreport += 'open.\n';
rm_kb_item(name:k); # Just in case
close(s);
}
}
if (number_of_ports == 0) exit(0, "No ports were retested.");
else if (closed_ports == 0) exit(0, "None of the retested ports were found to be closed.");
else
{
if (report_verbosity > 0) security_note(port:0, extra:myreport);
else security_note(0);
}