The remote host was observed interacting with an ESX/ESXi server using the VMware vSphere client. While connecting, the installed vSphere Client version was observed.

The remote host was observed interacting with an ESX/ESXi server using the VMware vSphere client.

The remote host is running the Chef Client. Chef is a configuration management tool used to streamline the task of configuring and maintaining a company's servers, and it can integrate with cloud-based platforms such as Internap, Amazon EC2, Google Cloud Platform, OpenStack, SoftLayer, Microsoft Azure and Rackspace to automatically provision and configure new machines.

The remote host is running Chef Server. Chef is a configuration management tool used to streamline the task of configuring and maintaining a company's servers, and it can integrate with cloud-based platforms such as Internap, Amazon EC2, Google Cloud Platform, OpenStack, SoftLayer, Microsoft Azure and Rackspace to automatically provision and configure new machines.

The remote host is running the remote access software RealVNC. Traffic observed from this host indicates it is listening for incoming remote control requests.

The remote client was observed requesting a web page or other remote resource through an HTTP proxy.

The remote host is running the TLS protocol. Further, the host allows Triple-DES key exchanges during session setup. Ciphers that use 3DES are prone to birthday attacks, where an attacker who is able to cause enough cryptographic collisions can recover a stored session cookie or other sensitive information through the use of malicious Javascript.

The remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites. It is, therefore, affected by a vulnerability, known as SWEET32, due to the use of weak 64-bit block ciphers. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. Proof-of-concepts have shown that attackers can recover authentication cookies from an HTTPS session in as little as 30 hours. Note that the ability to send a large number of requests over the same TLS connection between the client and server is an important requirement for carrying out this attack. If the number of requests allowed for a single connection were limited, this would mitigate the vulnerability.

The Advanced Package Tool (APT) is a free software user interface that works with core libraries to handle the installation and removal of software on Debian-based Linux distributions. APT simplifies the process of managing software by automating the retrieval, configuration and installation of software packages, either from precompiled files or by compiling source code.

The Yellowdog Updater, Modified (yum) is an open-source command-line package-management utility for computers running the Linux operating system. Yum allows automatic updates, package and dependency management, on RPM-based distributions like Red Hat Enterprise Linux, Fedora, and CentOS.

CPAN Minus is a Perl CPAN client that's meant to require zero configuration and runs as a standalone application. It can get, unpack, build, and install Perl modules from CPAN.

The Comprehensive Perl Archive Network (CPAN) is a repository of software modules and documentation written in Perl. The CPAN's main purpose is to help programmers download modules and programs not included in the Perl standard distribution.

The remote host was observed using a public DNS server.

The remote host has made DNS queries for domains which appear to have been generated by a Domain Generated Algorithm (DGA)

The remote host has performed a DNS lookup to a known malicious domain.

Recent traffic observed from this host indicates it is configured to automatically obtain web proxy settings from a web server.

ISATAP, or 'Intra-Site Automatic Tunnel Addressing Protocol' is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network. Traffic observed from this host indicates it has queried the network for an available ISATAP host to supply the PRL, or potential routers list.

Recent traffic observed from this host indicates it is configured to automatically obtain web proxy settings from the local network.

The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD5. This algorithm is known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow them to masquerade as the affected service.

The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - SHA-1. This algorithm is known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow them to masquerade as the affected service.

The remote host is the following network device or application.

The remote host is sending syslog messages to a remote server. Syslog is used for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. 

Ahref's 'AhrefsBot' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

Semrush's 'SemrushBot' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

Moz' 'DotBot' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

Exalead's 'Exabot' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

Yandex's 'YandexBot' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

Majestic-12's 'MJ12bot' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

MeanPath's 'meanpathbot' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

Baidu's 'Baiduspider' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

Microsoft's 'bingbot' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

Google's 'Googlebot' recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

Online content available through this server was recently linked to from Facebook. This can occur as a result of a shared post which includes the link, or sharing a link privately through a message within Facebook. This is an automated request from Facebook's servers to ensure the link is not deemed malicious and also attempts to preload an image or logo for the linked content. Within the client request headers, NNM has observed "facebookexternalhit/".

A search engine recently discovered and indexed web content available on this server. Crawling is the process by which various search engine bots discover new and updated pages to be added to their search results. These automated scans are conducted regularly (or periodically) to peruse the entire public IP space (including domain listings) in order to update their search results.

This server has recently served up web content to a remote client. A '200 OK' message was observed in the webserver response to the client, indicating content was successfully loaded.

The remote host transmitted a DHCP message with the following information.

This host has initiated a 'STARTTLS' connection with a remote server. 'STARTTLS' is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.

This server has recently accepted a 'STARTTLS' encryption request. 'STARTTLS' is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.

The remote host is attempting to downgrade encryption to SSLv2. SSLv2 is a deprecated and insecure protocol which contains numerous flaws that could allow for Man-in-the-Middle (MiTM) or similar attacks.

The remote SSL server is using a certificate which is signed by Let's Encrypt (letsencrypt.org).  Let's Encrypt is a free, automated, and open certificate authority provided by Internet Security Research Group (ISRG), a California public benefit corporation.

SSLv2 is a deprecated and insecure protocol which contains a flaw in its implementation, allowing for a cross-protocol Bleichenbacher padding oracle attack (an adaptive chosen-ciphertext attack). Such an attack may allow a man-in-the-middle attacker to decrypt intercepted TLS connections via a series of specially crafted connections to an SSLv2 server that uses the same private key. The monitored connections required to conduct this attack can use any version of the SSL or TLS protocols, including TLS 1.2, as long as they all use the same RSA key exchange method. With each connection, the server response will vary enough so as to leak information to the attacker about the secret keys in use for the victim TLS connection. This information can in turn be used to eventually decrypt the entire TLS connection and gain access to all plaintext traffic between the victim and server.

The remote host is running the Plex application. Plex is a software application which allows multimedia streaming across a number of devices.

This plugin detects a watermark (the string "Tenable Nessus") intentionally included in a Nessus-generated request to enable PVS to filter out Nessus-generated requests.

The remote host is running a SIP client. This protocol is used to connect VoIP users via the Internet.

HTTP requests with excessive length or complexity that don't include the 'Referer:' request header can sometimes indicate malicious traffic. Some web advertisements and streaming content requests may also exhibit this behavior. Note, over time these results will become increasingly accurate as this type of noise is observed by NNM.

The remote host's hardware has been detected.

ID	Name	Severity
9592	VMware vSphere Client Version Detection	info
9591	VMware vSphere Client Detection	info
9574	Chef Client Detection	info
9573	Chef Server Detection	info
9563	RealVNC Server Detection	info
9535	Proxy HTTP CONNECT Detection	info
9529	Browsing via HTTP Proxy Detection	info
7223	TLS Triple-DES Key Exchange Detection (Sweet32) (deprecated)	low
7222	SSL 64-bit Block Size Cipher Suites Supported (SWEET32)	medium
9519	Software Download via APT	info
9518	Software Download via yum	info
9514	Perl Module Detection via CPAN Minus	info
9513	Perl Module Detection via CPAN	info
7213	Public DNS Server Usage Detection	info
7211	DGA Query Detection	info
7207	Malware DNS Request Detected	info
9272	Web Proxy Settings '.pac' File Download Detection	info
9271	DNS 'ISATAP' Lookup Detection	info
9270	DNS 'WPAD' Lookup Detection	info
7201	TLS Certificate Signed Using Weak Hashing Algorithm - MD5	medium
7200	TLS Certificate Signed Using Weak Hashing Algorithm - SHA-1	medium
7187	Device / Application Detection via Syslog	info
3987	Syslog Detection (TCP)	info
3986	Syslog Detection (UDP)	info
9206	Web Crawler Access Detection - AhrefsBot	info
9205	Web Crawler Access Detection - SemrushBot	info
9188	Web Crawler Access Detection - DotBot	info
9187	Web Crawler Access Detection - Exabot	info
9186	Web Crawler Access Detection - YandexBot	info
9185	Web Crawler Access Detection - MJ12bot	info
9184	Web Crawler Access Detection - meanpathbot	info
9183	Web Crawler Access Detection - Baiduspider	info
9182	Web Crawler Access Detection - Bingbot	info
9181	Web Crawler Access Detection - Googlebot	info
9180	Web Crawler Access Detection - Facebook	info
9179	Web Crawler Access Detection via HTTP	info
9178	Webserver Access Detection	info
7186	DHCP Client Detection	info
7185	DHCP Server / Client Detection	info
9133	Secure Sockets Layer (SSL) 'STARTTLS' Client Detection	info
9132	Secure Sockets Layer (SSL) 'STARTTLS' Server Detection	info
9129	SSLv2 Client Connection Request	info
9130	Let's Encrypt SSL Certificate Detection	info
9127	SSLv2 Cross-Protocol Session Decryption Vulnerability (DROWN)	medium
9106	Plex Application Detection via TLS	info
9067	Tenable Nessus Watermark Detection	info
9061	SIP Client Request Detection (UDP)	info
7182	Anomalous HTTP Request Detected	info
7180	System Hardware Fingerprinting (CPE)	info
7178	Mobile Device Fingerprinting	info

Detections

Analytics

Generic Family for Nessus Network Monitor

info

info

info

info

info

info

info

low

medium

info

info

info

info

info

info

info

info

info

info

medium

medium

info

info

info

info

info

info

info

info

info

info

info

info

info

info

info

info

info

info

info

info

info

info

medium

info

info

info

info

info

info