Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <3BDDD0E7.D7BE5A49@cwusa.com>
Date: Mon, 29 Oct 2001 16:57:59 -0500
From: Sanjay Magoon <sanjay DOT magoon AT cwusa DOT com>
Reply-To: sanjay DOT magoon AT cwusa DOT com
Organization: Cable & Wireless
X-Mailer: Mozilla 4.7 [en] (X11; I; SunOS 5.8 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: [Fwd: Problem]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

I am using a port scanning utility called nessus, which scans servers
for vulnerabilities.  While running a scan on a customer server, it
provokes a bug with cygwin1.dll 1.3.2 which leaves the server disabled. 
I have noticed that windows server gets locked up and requires a reboot
everytime we run the utility on this box that has cygwin1.dll.  Have you
ever encountered this problem?  Please let me know. 

I have included the original e-mail that explains the problem further,
read below.
 
 Thanks,
 Sanjay
 
Please let me know if I should direct this inquiry to someone else and I
will be happy to do so. One of my customers has recently been
experiencing a problem on their server in which the RPC service seems to
die, causing the server to respond sluggishly to the point that it must
be rebooted.

We noticed that each time this error was found in the event logs just
before the RPC service died - "The description for Event ID (0) in
Source (sshd) could not be found. It contains the following insertion
string(s): sshd: Win32 Process Id = 0x17E : Cygwin  Process Id = 0x17E :
Bad protocol version identification 'GET / HTTP/ 1.0' from ip address." 
Also, on a few occasions our monitoring group noted that an error
indicating that the Guest user or a Null user login attempt had failed.

I asked around a bit and heard that ip address belongs to your group.
I'm wondering if perhaps some scans were conducted on the server that
exposed some vulnerability and caused this server's problem.  This
problem began occurring on 9/21/01 and occurred five times until
9/28/01. We have not seen it occur since.
Is there any way for you to tell me whether or not this server was being
scanned, and if so, what specifically was being scanned or checked? It
would also be helpful to know when we can expect more scans, so we can
try to fix the issue causing the RPC service to fail and verify that it
has worked.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/