Just to complement, I also have seen it happening in non-patched HPUX
servers more or less a year ago...

That's why we have to think twice on running even a "simple" portscan in
production systems... :)

Adriano Dias Leite

Global -----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Brahnda A. Eleazar
Sent: Monday, May 26, 2008 4:09 AM
To: pen-test (at) securityfocus (dot) com [email concealed]
Subject: RE: Dangerous in using nmap for AS/400 730 machine configured with
3 ASPs?

Peace all,

Many thanks for your comments...

For those of you bet on the IP stack problem, you win :)
We redid the scan last weekend to make sure of this.

The problem is more of the limitation of the OS/machine being scanned.
From all the AS/400 machines being scanned, only the 730 machine was
seriously affected by nmap probes.
It automatically assign a user for the TCP/IP connection and started
numerous jobs (which had to be manually ended for them to stop).
The rest of them didn't have this problem -- newer machines and OS-es.

I agree with Jon that networking in this AS/400 is much more like an add-on
after thought :)
And it's pure luck in my opinion that no one before this brought the machine
down (they have a team which also does ports scanning to their production
servers, including this problematic one).
Oh well, at least I learned something new =)

Thanks and Regards,
=adley=

-----Original Message-----
From: Rick Zhong [mailto:sagiko (at) gmail (dot) com [email concealed]]
Sent: Saturday, May 17, 2008 2:50 PM
To: Brahnda A. Eleazar
Cc: pen-test (at) securityfocus (dot) com [email concealed]
Subject: Re: Dangerous in using nmap for AS/400 730 machine configured with
3 ASPs?

I will put my bet on the crash of IP stacks as well. Those systems
just can't handle the nmap probing packats properly. A very common
scenario is the systems open connections and allocate resources, but
fail to close them properly. I encountered these cases not only on
AS400, some old solaris OS also have similar issues.

On Fri, May 16, 2008 at 10:46 AM, Brahnda A. Eleazar
<brahnda.e (at) hermisconsulting (dot) com [email concealed]> wrote:
> Peace all,
>
> I am wondering whether this is related or not.
> I was in the middle of beginning a pentest activity for a network segment
containing quite a number of AS400 (Production).
> I started with a simple nmap first to see what I am facing.
> My command was (IPs are masked) "nmap -sV -vv -p 8470-8476 -o
firsttry_port.nmap xxx.xxx.xxx.0/24"
> This lasted for about 15 minutes.
>
> After about 2 hours later, 2 out of 50+ identifiable machines started
having problems.
> They became very slow.
> Those two machines are using ASP (Auxiliary Storage Pools), 1 ASP on the
1st machine and 2 ASPs on the 2nd.
>
> I just want to get more information whether my nmap did anything "bad"? :)
>
> Thanks and Regards,
> =adley=
>
>
> ------------------------------------------------------------------------

> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes
> in Securing Web Applications
> Find out now! Get Webinar Recording and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------

>
>

------------------------------------------------------------------------

This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

0? *?H?÷

 ?0?

10 +0? *?H?÷


 ?¥0?Î0?¶ 

¡³0
 *?H?÷


0o10 UUS10U
California10U
Burlingame10
U
DHL10USystems10U
DHL Global CA0
071114143344Z
081113143344Z0?10U
dhl.com10
Uprg-dc10 Uea10UAdriano Leite (DHL CZ)1)0' *?H?÷


Adriano.Dias.Leite (at) dhl (dot) com1 [email concealed]0
?&??ò,d

aleite0?0
 *?H?÷



0?Ðþ
rÛü=MlÙÔJß'ù[&ALP$é®1é?CøØ!ñ?$Ç?ï¯EY~_â*ÿ?½§ æO<? ü¨å@¶P£?ËÝqÒçw9>ªã¦éüh_ù6ìÜÛoâ?y×?³]¶ã_?2q­yUþ^§µÌV?±ß?ö®×X´7

£Ð0Í0 `?H
?øB

 0U

ÿà0%U0Adriano.Dias.Leite (at) dhl (dot) com0 [email concealed]
U#0?=¸î½Ü6và$QMËe»Ôp05+


)0'0%+
0
?http://amcm
s.dhl.com/ocsp0)U%"0 +
+

+

?7
0
 *?H?÷


?

??Æá³ÈÄkÊ7H;? M§*?¹@l$ãþ«±Qò?1o?#
ô,fU??Çd§°þ? w?wpQ&?Êæ$?G¿DƹpZ?xÎÅ
­QXYbç5ÒÕ»È?6Jö?dZÒ$FáÿÒ?aASIww}tzZøµÎ^tÕª??ª?Ãh  £u?­«zbjîó F7ì)©¢?zÛ]±?uþs
&å^H¨·-ä%?ååºüÀ¹ØÕÁ¢??4OX¡jü+?ócL ÐìÑ?à? ÄO5y08EáÄ?tܺöö?lL~ì§r¡!?V???0?Ï0?· 

0
 *?H?÷


0o10 UUS10U
California10U
Burlingame10
U
DHL10USystems10U
DHL Global CA0
010529070000Z
110529070000Z0o10 UUS10U
California10U
Burlingame10
U
DHL10USystems10U
DHL Global CA0?
"0
 *?H?÷



?
0?

?

±vkÞ/ÚÞ¾Ú¦?\Ùêz¸
Cnv¶N8L/Yï]½ûä?Ô%?ø?yåj?ù??ÅÈÐ???oÐ?¦E¹üðG?òñZç­,␠P¶?SÊ)?sì)¿,T?¨QÚ!Ofï]gú©ÃƸ
?eµW
æ=?
BÒ=Ê?õjq­¸h¨p?\päun§Év·»!ÂvÑÓ¸F¨üNÛ7¢ô;;!Ä";WV«?©Tʤ)ä?~J/ØRÃÃÂa6¹
óç?3Ôm\®£]
fQ½Ç±èÌ'Þg^rõNÚJÖV?M biø?lVû@?ªG+G-ÂD?̹

£v0t0 `?H
?øB

0U

ÿ0

ÿ0U=¸î½Ü6và$QMËe»Ôp0U#0
?=¸î½Ü6và$QMËe»Ôp0U

ÿ
?0
 *?H?÷


?

_V?8
??%XÌèI³ÁóG?Sr¨µ¸?Fð^ëKÔ¯c-óX?áð^Þ@$°¥ëM
¬ñÝF°çô?7Ðl?Ûw+AM1O-?ÊÎ;8?Ôɬ¡>xÖʧJ5>$óB5/@}ÍŸC%Ë?ÍñÕL?i_ã\Q¿´ÚÇù
7ÑéXH?ÄcɤTÈ??­LùµeÇíÜ*?8Æð^?Üc<;HWU*`²ø~Ì?ãbKf¹?#eIßróòK?
Z¹1o¹ö
ZºÉTqì[um ö
îYÎw?ÖäN*qêF??ϺÖ?=g?P?A;pJ?ÇZäkôô]rÉ o1?ø0?ô

0v0o10 UUS10U
California10U
Burlingame10
U
DHL10USystems10U
DHL Global CA
¡³0 + ?
Ø0 *?H?÷

1 *?H?÷


0 *?H?÷

1
080527073951Z0# *?H?÷

1Î-öë?¢>ÿ? ?tïâ-?[º0g *?H?÷

1Z0X0
*?H?÷
0*?H?÷
?0
*?H?÷

@0+0
*?H?÷

(0+0
*?H?÷
0? +

?71x0v0o10 UUS10U
California10U
Burlingame10
U
DHL10USystems10U
DHL Global CA
¡³0?*?H?÷

1x v0o10 UUS10U
California10U
Burlingame10
U
DHL10USystems10U
DHL Global CA
¡³0
 *?H?÷



??ð<g);{?Êøf??øûIZ3´¹wÇ?Â?±ObHþøÎ?£tú>fè? 6[Iûð!ä6?Ç?:ìMØý9?Ìï.«ÂY?h¯ ­?"È_0i`_³áHQØWê¶ÿ2?m>RqLõ·(ß?@$"¦¾Ìþ¡µ¤êÖr 

[ reply ]