Business Network Solutions Vulnerability Scan Report

This report gives details on hosts that were tested and issues that were found.
Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test 9
Number of security holes found 54
Number of security warnings found 113


Host List
Host(s) Possible Issue
10.163.156.10 Security hole(s) found
10.163.156.9 Security hole(s) found
10.163.155.4 Security hole(s) found
10.163.155.3 Security hole(s) found
10.163.155.2 Security hole(s) found
10.163.156.1 Security hole(s) found
10.163.155.6 Security hole(s) found
10.163.156.205 Security hole(s) found
10.163.156.16 Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.163.156.10 echo (7/tcp) Security warning(s) found
10.163.156.10 telnet (23/tcp) Security hole found
10.163.156.10 ssh (22/tcp) Security hole found
10.163.156.10 ftp (21/tcp) Security hole found
10.163.156.10 chargen (19/tcp) Security warning(s) found
10.163.156.10 daytime (13/tcp) Security warning(s) found
10.163.156.10 discard (9/tcp) No Information
10.163.156.10 smtp (25/tcp) Security hole found
10.163.156.10 time (37/tcp) Security notes found
10.163.156.10 finger (79/tcp) Security warning(s) found
10.163.156.10 sunrpc (111/tcp) Security notes found
10.163.156.10 login (513/tcp) Security warning(s) found
10.163.156.10 exec (512/tcp) Security warning(s) found
10.163.156.10 printer (515/tcp) Security notes found
10.163.156.10 shell (514/tcp) Security warning(s) found
10.163.156.10 uucp (540/tcp) Security notes found
10.163.156.10 sometimes-rpc16 (32776/udp) Security warning(s) found
10.163.156.10 sometimes-rpc14 (32775/udp) Security warning(s) found
10.163.156.10 sometimes-rpc10 (32773/udp) Security hole found
10.163.156.10 lockd (4045/udp) Security warning(s) found
10.163.156.10 snmp (161/udp) Security hole found
10.163.156.10 sometimes-rpc22 (32779/udp) Security hole found
10.163.156.10 general/tcp Security notes found
10.163.156.10 sometimes-rpc18 (32777/udp) Security hole found
10.163.156.10 sometimes-rpc20 (32778/udp) Security warning(s) found
10.163.156.10 dtspc (6112/tcp) Security hole found
10.163.156.10 sometimes-rpc13 (32775/tcp) Security hole found
10.163.156.10 sometimes-rpc9 (32773/tcp) Security hole found
10.163.156.10 sunrpc (111/udp) Security notes found
10.163.156.10 sometimes-rpc8 (32772/udp) Security notes found
10.163.156.10 sometimes-rpc5 (32771/tcp) Security notes found
10.163.156.10 sometimes-rpc12 (32774/udp) Security warning(s) found
10.163.156.10 sometimes-rpc7 (32772/tcp) Security notes found
10.163.156.10 sometimes-rpc11 (32774/tcp) Security notes found
10.163.156.10 lockd (4045/tcp) Security notes found
10.163.156.10 sometimes-rpc24 (32780/udp) Security warning(s) found
10.163.156.10 sometimes-rpc15 (32776/tcp) Security notes found
10.163.156.10 unknown (32785/udp) Security notes found
10.163.156.10 sometimes-rpc19 (32778/tcp) Security hole found
10.163.156.10 unknown (32788/udp) Security notes found
10.163.156.10 sometimes-rpc21 (32779/tcp) Security notes found
10.163.156.10 xdmcp (177/udp) Security warning(s) found
10.163.156.10 font-service (7100/tcp) Security hole found
10.163.156.10 echo (7/udp) Security warning(s) found
10.163.156.10 daytime (13/udp) Security warning(s) found


Security Issues and Fixes: 10.163.156.10
Type Port Issue and Fix
Warning echo (7/tcp) The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Nessus ID : 10061
Informational echo (7/tcp) An echo server is running on this port
Nessus ID : 10330
Vulnerability telnet (23/tcp)
The Telnet server does not return an expected number of replies
when it receives a long sequence of 'Are You There' commands.
This probably means it overflows one of its internal buffers and
crashes. It is likely an attacker could abuse this bug to gain
control over the remote host's superuser.

For more information, see:
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz

Solution: Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : High
CVE : CVE-2001-0554
BID : 3064
Nessus ID : 10709
Vulnerability telnet (23/tcp)
It is possible to reboot the remote host by connecting to the telnet
port and providing a bad username and password.


This vulnerability is documented as Cisco Bug ID CSCdw81244.

An attacker may use this flaw to prevent your access point from
working properly.

Solution : http://www.cisco.com/warp/public/707/Aironet-Telnet.shtml
Risk factor : High
CVE : CAN-2002-0545
BID : 4461
Nessus ID : 11014
Warning telnet (23/tcp) The Telnet service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.

You should disable this service and use OpenSSH instead.
(www.openssh.com)

Solution : Comment out the 'telnet' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0619
Nessus ID : 10280
Informational telnet (23/tcp) A telnet server seems to be running on this port
Nessus ID : 10330
Informational telnet (23/tcp) Remote telnet banner :

SunOS 5.8

Nessus ID : 10281
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH which is older than 3.4

There is a flaw in this version that can be exploited remotely to
give an attacker a shell on this host.

Note that several distributions patched this hole without changing
the version number of OpenSSH. Since Nessus solely relied on the
banner of the remote SSH server to perform this check, this might
be a false positive.

If you are running a RedHat host, make sure that the command :
rpm -q openssh-server

Returns :
openssh-server-3.1p1-6


Solution : Upgrade to OpenSSH 3.4 or contact your vendor for a patch
Risk factor : High
CVE : CAN-2002-0639, CAN-2002-0640
BID : 5093
Nessus ID : 11031
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH which is older than 3.0.2.

Versions prior to 3.0.2 are vulnerable to an environment
variable export flaw that can allow a local user to execute
commands with root privileges.
This problem affects only versions prior to 3.0.2, and only when
the UseLogin feature is enabled (usually disabled by default).

Solution : Upgrade to OpenSSH 3.0.2 or apply the patch for prior
versions. (Available at: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH)

Risk factor : High (If UseLogin is enabled, and locally)
CVE : CVE-2001-0872
BID : 3614
Nessus ID : 10823
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH which is older than 3.0.1.

Versions older than 3.0.1 are vulnerable to a flaw in which
an attacker may authenticate, provided that Kerberos V support
has been enabled (which is not the case by default).
It is also vulnerable to an excessive memory clearing bug,
believed to be unexploitable.

*** You may ignore this warning if this host is not using
*** Kerberos V

Solution : Upgrade to OpenSSH 3.0.1
Risk factor : Low (if you are not using Kerberos) or High (if kerberos is enabled)
CVE : CVE-2002-0083
BID : 3560, 4560, 4241
Nessus ID : 10802
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH older than OpenSSH 3.2.1

A buffer overflow exists in the daemon if AFS is enabled on
your system, or if the options KerberosTgtPassing or
AFSTokenPassing are enabled. Even in this scenario, the
vulnerability may be avoided by enabling UsePrivilegeSeparation.

Versions prior to 2.9.9 are vulnerable to a remote root
exploit. Versions prior to 3.2.1 are vulnerable to a local
root exploit.

Solution :
Upgrade to the latest version of OpenSSH

Risk factor : High
CVE : CAN-2002-0575
BID : 4560
Nessus ID : 10954
Warning ssh (22/tcp)
The remote SSH daemon supports connections made
using version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically
safe so they should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'

Risk factor : Low
Nessus ID : 10882
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0

Nessus ID : 10881
Informational ssh (22/tcp) Remote SSH version : SSH-1.99-OpenSSH_2.3.0p1
Nessus ID : 10267
Vulnerability ftp (21/tcp)
The remote FTP server seems to be vulnerable to an exhaustion
attack which may make it consume all available memory on the remote
host when it receives the command :

NLST /../*/../*/../*/../*/../*/../*/../*/../*/../*/../


Solution : upgrade to ProFTPd 1.2.2 if the remote server is proftpd,
or contact your vendor for a patch.

Reference : http://online.securityfocus.com/archive/1/169069

Risk factor : High
Nessus ID : 10634
Vulnerability ftp (21/tcp) You seem to be running an FTP server which is vulnerable to the 'glob heap corruption'
flaw, which is known to be exploitable remotely against this server. An attacker may use
this flaw to execute arbitrary commands on this host.

Solution: Upgrade your ftp server software to the latest version.
Risk factor : High

CVE : CVE-2001-0550
BID : 3581
Nessus ID : 10821
Warning ftp (21/tcp) This FTP service allows anonymous logins. If you do not
want to share data with anyone you do not know, then you should deactivate
the anonymous account, since it can only cause troubles.
Under most Unix systems, doing :
echo ftp >> /etc/ftpusers
will correct this.

Risk factor : Low
CVE : CAN-1999-0497
Nessus ID : 10079
Warning ftp (21/tcp) It is possible to gather the
real path of the public area of the ftp server
(like /home/ftp) by issuing the following
command :

CWD

This problem may help an attacker to find where
to put a .rhost file using other security
flaws.

Risk factor : Low
CVE : CVE-1999-0201
Nessus ID : 10087
Warning ftp (21/tcp) The remote FTP server allows users to issue any number
of PASV commands, thus blocking the free ports for legitimate services and
consuming file descriptors.

Solution: upgrade your FTP server to a version which solves this problem.

Risk factor : Medium
CVE : CVE-1999-0079
BID : 271
Nessus ID : 10085
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 unknown FTP server (SunOS 5.8) ready.
Nessus ID : 10330
Informational ftp (21/tcp) Remote FTP server banner :
220 unknown FTP server (SunOS 5.8) ready.
Nessus ID : 10092
Warning chargen (19/tcp) The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with some random characters (something
like all the characters in the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

An easy attack is 'pingpong' in which an attacker spoofs a packet between two
machines running chargen. This will cause them to spew characters at each
other, slowing the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10043
Informational chargen (19/tcp) Chargen is running on this port
Nessus ID : 10330
Warning daytime (13/tcp) The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Vulnerability smtp (25/tcp)
The remote sendmail server, according to its version number,
may be vulnerable to the -bt overflow attack which
allows any local user to execute arbitrary commands as root.

Solution : upgrade to the latest version of Sendmail
Risk factor : High
Note : This vulnerability is _local_ only
Nessus ID : 10809
Vulnerability smtp (25/tcp)
The remote sendmail server, according to its version number,
may be vulnerable to a buffer overflow in its DNS handling code.

The owner of a malicious name server could use this flaw
to execute arbitrary code on this host.


Solution : Upgrade to Sendmail 8.12.5
Risk factor : High
CVE : CAN-2002-0906
BID : 5122
Nessus ID : 11232
Warning smtp (25/tcp) The remote SMTP server
answers to the EXPN and/or VRFY commands.

The EXPN command can be used to find
the delivery address of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.


Your mailer should not allow remote users to
use any of these commands, because it gives
them too much information.


Solution : if you are using Sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.

Risk factor : Low
CVE : CAN-1999-0531
Nessus ID : 10249
Warning smtp (25/tcp)
The remote SMTP server is vulnerable to a redirection
attack. That is, if a mail is sent to :

user@hostname1@victim

Then the remote SMTP server (victim) will happily send the
mail to :
user@hostname1

Using this flaw, an attacker may route a message
through your firewall, in order to exploit other
SMTP servers that cannot be reached from the
outside.

*** THIS WARNING MAY BE A FALSE POSITIVE, SINCE
SOME SMTP SERVERS LIKE POSTFIX WILL NOT
COMPLAIN BUT DROP THIS MESSAGE ***


Solution : if you are using sendmail, then at the top
of ruleset 98, in /etc/sendmail.cf, insert :
R$*@$*@$* $#error $@ 5.7.1 $: '551 Sorry, no redirections.'

Risk factor : Low
Nessus ID : 10250
Warning smtp (25/tcp) The remote SMTP server allows relaying. This means that
it allows spammers to use your mail server to send their mail to
the world, thus wasting your network bandwidth.

Risk factor : Low/Medium

Solution : configure your SMTP server so that it can't be used as a relay
any more.
CVE : CAN-1999-0512
Nessus ID : 10262
Warning smtp (25/tcp)
The remote SMTP server allows anyone to
use it as a mail relay, provided that the source address
is set to '<>'.
This problem allows any spammer to use your mail server
to spam the world, thus blacklisting your mailserver, and
using your network resources.

Risk factor : Medium

Solution : reconfigure this server properly
CVE : CVE-1999-0819
Nessus ID : 10167
Warning smtp (25/tcp)
The remote sendmail server, according to its version number,
might be vulnerable to a queue destruction when a local user
runs
sendmail -q -h1000

If your system does not allow users to process the queue (which
is the default), you are not vulnerable.

Solution : upgrade to the latest version of Sendmail or
do not allow users to process the queue (RestrictQRun option)
Risk factor : Low
Note : This vulnerability is _local_ only
CVE : CAN-2001-0714
BID : 3378
Nessus ID : 11087
Warning smtp (25/tcp)
According to the version number of the remote mail server,
a local user may be able to obtain the complete mail configuration
and other interesting information about the mail queue even if
he is not allowed to access that information directly, by running
sendmail -q -d0-nnnn.xxx
where nnnn & xxx are debugging levels.

If users are not allowed to process the queue (which is the default)
then you are not vulnerable.

Solution : upgrade to the latest version of Sendmail or
do not allow users to process the queue (RestrictQRun option)
Risk factor : Very low / none
Note : This vulnerability is _local_ only
CVE : CAN-2001-0715
BID : 3898
Nessus ID : 11088
Informational smtp (25/tcp) An SMTP server is running on this port
Here is its banner :
220 sparky.fr.nessus.org ESMTP Sendmail 8.9.3+Sun/8.9.3; Fri, 21 Feb 2003 15:53:28 GMT
Nessus ID : 10330
Informational smtp (25/tcp) Remote SMTP server banner :
220 sparky.fr.nessus.org ESMTP Sendmail 8.9.3+Sun/8.9.3; Fri, 21 Feb 2003 15:54:20 GMT

Nessus ID : 10263
Informational time (37/tcp) A time server seems to be running on this port
Nessus ID : 10330
Warning finger (79/tcp) The 'finger' service provides useful information
to attackers, since it allows them to gain usernames, check if a machine
is being used, and so on...

Risk factor : Low

Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612
Nessus ID : 10068
Warning finger (79/tcp) The remote finger daemon accepts
redirected requests. That is, users can perform
requests like :
finger user@host@victim

This allows an attacker to use your computer
as a relay to gather information on another
network, making the other network think you
are making the requests.

Solution: disable your finger daemon (comment out
the finger line in /etc/inetd.conf) or
install a more secure one.

Risk factor : Low
CVE : CAN-1999-0105
Nessus ID : 10073
Warning finger (79/tcp) There is a bug in the finger service
which will make it display the list of the accounts that
have never been used, when anyone issues the request :

finger 'a b c d e f g h'@target

This list will help an attacker to guess the operating
system type. It will also tell him which accounts have
never been used, which will often make him focus his
attacks on these accounts.

Solution : disable the finger service in /etc/inetd.conf, or
apply the patches from Sun.

Risk factor : Medium
BID : 3457
Nessus ID : 10788
Informational finger (79/tcp) A finger server seems to be running on this port
Nessus ID : 10330
Informational sunrpc (111/tcp) RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sunrpc (111/tcp) RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sunrpc (111/tcp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Warning login (513/tcp) The rlogin service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the rlogin client
and the rlogin server. This includes logins
and passwords.

You should disable this service and use openssh instead
(www.openssh.com)

Solution : Comment out the 'rlogin' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10205
Warning exec (512/tcp)
The rexecd service is open.
Because rexecd does not provide any good
means of authentication, it can be
used by an attacker to scan a third party
host, causing you trouble or bypassing
your firewall.

Solution : comment out the 'exec' line
in /etc/inetd.conf.

Risk factor : Medium
CVE : CAN-1999-0618
Nessus ID : 10203
Informational printer (515/tcp) A LPD server seems to be running on this port
Nessus ID : 10330
Warning shell (514/tcp) The rsh service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the rsh client
and the rsh server. This includes logins
and passwords.

You should disable this service and use ssh instead.

Solution : Comment out the 'rsh' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10245
Informational uucp (540/tcp) An UUCP server seems to be running on this port
Nessus ID : 10330
Warning sometimes-rpc16 (32776/udp)
The sprayd RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.

Risk factor : Low
CVE : CAN-1999-0613
Nessus ID : 10234
Informational sometimes-rpc16 (32776/udp) RPC program #100012 version 1 'sprayd' (spray) is running on this port
Nessus ID : 11111
Warning sometimes-rpc14 (32775/udp)
The rusersd RPC service is running.
It provides an attacker interesting
information such as how often the
system is being used, the names of
the users, and so on.

It is usually not a good idea to leave this
service open.


Risk factor : Low
CVE : CVE-1999-0626
Nessus ID : 10228
Informational sometimes-rpc14 (32775/udp) RPC program #100002 version 2 'rusersd' (rusers) is running on this port
Nessus ID : 11111
Informational sometimes-rpc14 (32775/udp) RPC program #100002 version 3 'rusersd' (rusers) is running on this port
Nessus ID : 11111
Vulnerability sometimes-rpc10 (32773/udp)
The sadmind RPC service is running.
There is a bug in Solaris versions of
this service that allows an intruder to
execute arbitrary commands on your system.

Solution : disable this service
Risk factor : High
CVE : CVE-1999-0977
BID : 866
Nessus ID : 10229
Informational sometimes-rpc10 (32773/udp) RPC program #100232 version 10 'sadmind' is running on this port
Nessus ID : 11111
Warning lockd (4045/udp)
The nlockmgr RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.

Risk factor : Low
CVE : CVE-2000-0508
BID : 1372
Nessus ID : 10220
Informational lockd (4045/udp) RPC program #100021 version 1 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/udp) RPC program #100021 version 2 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/udp) RPC program #100021 version 3 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/udp) RPC program #100021 version 4 'nlockmgr' is running on this port
Nessus ID : 11111
Vulnerability snmp (161/udp) The device answered to more than 4 community strings.
This may be a false positive or a community-less SNMP server;
HP printers answer to all community strings.

CVE : CAN-1999-0186
BID : 177
Nessus ID : 10264
Vulnerability snmp (161/udp)
It was possible to disable the remote SNMP daemon by sending
a malformed packet advertising bogus length fields.

An attacker may use this flaw to prevent you from using
SNMP to administer your network (or use other flaws
to execute arbitrary code with the privileges of the
SNMP daemon)

Solution : see www.cert.org/advisories/CA-2002-03.html
Risk factor : High
CVE : CAN-2002-0013
Nessus ID : 10857
Warning snmp (161/udp) A SNMP server is running on this host
Nessus ID : 10265
Informational snmp (161/udp) Using SNMP, we could determine that the remote operating system is :
Sun SNMP Agent, Ultra-1
Nessus ID : 10800
Vulnerability sometimes-rpc22 (32779/udp)
The cmsd RPC service is running.
This service has a long history of
security holes, so you should really
know what you are doing if you decide
to let it run.

* NO SECURITY HOLE REGARDING THIS
PROGRAM HAS BEEN TESTED, SO
THIS MIGHT BE A FALSE POSITIVE *

We suggest that you disable this
service.


Risk factor : High
CVE : CVE-1999-0320, CVE-1999-0696
BID : 428
Nessus ID : 10213
Informational sometimes-rpc22 (32779/udp) RPC program #100068 version 2 is running on this port
Nessus ID : 11111
Informational sometimes-rpc22 (32779/udp) RPC program #100068 version 3 is running on this port
Nessus ID : 11111
Informational sometimes-rpc22 (32779/udp) RPC program #100068 version 4 is running on this port
Nessus ID : 11111
Informational sometimes-rpc22 (32779/udp) RPC program #100068 version 5 is running on this port
Nessus ID : 11111
Informational general/tcp QueSO has found out that the remote host OS is
* Standard: Solaris 2.x, Linux 2.1.???, Linux 2.2, MacOS


CVE : CAN-1999-0454
Nessus ID : 10337
Vulnerability sometimes-rpc18 (32777/udp)
The rpc.walld RPC service is running.
Some versions of this server allow an attacker to gain
root access remotely, by consuming the resources of the
remote host then sending a specially formed packet with
format strings to this host.

Solaris 2.5.1, 2.6, 7 and 8 are vulnerable to this
issue. Other operating systems might be affected as well.

*** Nessus did not check for this vulnerability,
*** so this might be a false positive

Solution : Deactivate this service.
Risk factor : High
CVE : CAN-2002-0573
BID : 4639
Nessus ID : 10950
Warning sometimes-rpc18 (32777/udp)
The walld RPC service is running.
It is usually used by the administrator
to tell something to the users of a
network by making a message appear
on their screen.

Since this service lacks any kind
of authentication, an attacker
may use it to trick users into
doing something (change their password,
leave the console, or worse), by sending
a message which would appear to be
written by the administrator.

It can also be used as a denial of service
attack, by continually sending garbage
to the users screens, preventing them
from working properly.

Solution : Deactivate this service.

Risk factor : Medium
CVE : CVE-1999-0181
Nessus ID : 10240
Informational sometimes-rpc18 (32777/udp) RPC program #100008 version 1 'walld' (rwall shutdown) is running on this port
Nessus ID : 11111
Warning sometimes-rpc20 (32778/udp)
The rstatd RPC service is running.
It provides an attacker interesting
information such as :

- the CPU usage
- the system uptime
- its network usage
- and more

Usually, it is not a good idea to leave this
service open.


Risk factor : Low
CVE : CAN-1999-0624
Nessus ID : 10227
Informational sometimes-rpc20 (32778/udp) RPC program #100001 version 2 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Nessus ID : 11111
Informational sometimes-rpc20 (32778/udp) RPC program #100001 version 3 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Nessus ID : 11111
Informational sometimes-rpc20 (32778/udp) RPC program #100001 version 4 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Nessus ID : 11111
Vulnerability dtspc (6112/tcp)
The 'dtspcd' service is running.

Some versions of this daemon are vulnerable to
a buffer overflow attack which allows an attacker
to gain root privileges

*** This warning might be a false positive,
*** as no real overflow was performed

Solution : See http://www.cert.org/advisories/CA-2001-31.html
to determine if you are vulnerable or deactivate
this service (comment out the line 'dtspc' in /etc/inetd.conf)

Risk factor : High
CVE : CVE-2001-0803
BID : 3517
Nessus ID : 10833
Vulnerability sometimes-rpc13 (32775/tcp)
The cachefsd RPC service is running.
Some versions of this server allow an attacker to gain
root access remotely, by consuming the resources of the
remote host then sending a specially formed packet with
format strings to this host.

Solaris 2.5.1, 2.6, 7 and 8 are vulnerable to this
issue. Other operating systems might be affected as well.

*** Nessus did not check for this vulnerability,
*** so this might be a false positive

Solution : Deactivate this service - there is no patch at this time
/etc/init.d/cachefs.daemon stop
Risk factor : High
CVE : CAN-2002-0084, CAN-2002-0033
BID : 4631
Nessus ID : 10951
Informational sometimes-rpc13 (32775/tcp) RPC program #100235 version 1 is running on this port
Nessus ID : 11111
Vulnerability sometimes-rpc9 (32773/tcp)
The tooltalk RPC service is running.

There is a format string bug in many versions
of this service, which allows an attacker to gain
root remotely.

In addition to this, several versions of this service
allow remote attackers to overwrite arbitrary memory
locations with a zero and possibly gain privileges
via a file descriptor argument in an AUTH_UNIX
procedure call which is used as a table index by the
_TT_ISCLOSE procedure.

*** This warning may be a false positive since the presence
*** of the bug was not verified locally.

Solution : Disable this service or patch it
See also : CERT Advisories CA-2001-27 and CA-2002-20

Risk factor : High
CVE : CAN-2002-0677, CVE-2001-0717, CVE-2002-0679
BID : 3382
Nessus ID : 10787
Informational sometimes-rpc9 (32773/tcp) RPC program #100083 version 1 is running on this port
Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sometimes-rpc8 (32772/udp) RPC program #100300 version 3 'nisd' (rpc.nisd) is running on this port
Nessus ID : 11111
Informational sometimes-rpc5 (32771/tcp) RPC program #100300 version 3 'nisd' (rpc.nisd) is running on this port
Nessus ID : 11111
Warning sometimes-rpc12 (32774/udp)
The rquotad RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.

Risk factor : Low
CVE : CAN-1999-0625
Nessus ID : 10226
Informational sometimes-rpc12 (32774/udp) RPC program #100011 version 1 'rquotad' (rquotaprog quota rquota) is running on this port
Nessus ID : 11111
Informational sometimes-rpc7 (32772/tcp) RPC program #100002 version 2 'rusersd' (rusers) is running on this port
Nessus ID : 11111
Informational sometimes-rpc7 (32772/tcp) RPC program #100002 version 3 'rusersd' (rusers) is running on this port
Nessus ID : 11111
Informational sometimes-rpc11 (32774/tcp) RPC program #100221 version 1 is running on this port
Nessus ID : 11111
Informational lockd (4045/tcp) RPC program #100021 version 1 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/tcp) RPC program #100021 version 2 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/tcp) RPC program #100021 version 3 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/tcp) RPC program #100021 version 4 'nlockmgr' is running on this port
Nessus ID : 11111
Warning sometimes-rpc24 (32780/udp)
The statd RPC service is running.
This service has a long history of
security holes, so you should really
know what you are doing if you decide
to let it run.

* NO SECURITY HOLES REGARDING THIS
PROGRAM HAVE BEEN TESTED, SO
THIS MIGHT BE A FALSE POSITIVE *

We suggest that you disable this
service.
Risk factor : High
CVE : CVE-1999-0493
BID : 450
Nessus ID : 10235
Informational sometimes-rpc24 (32780/udp) RPC program #100024 version 1 'status' is running on this port
Nessus ID : 11111
Informational sometimes-rpc24 (32780/udp) RPC program #100133 version 1 is running on this port
Nessus ID : 11111
Informational sometimes-rpc15 (32776/tcp) RPC program #100024 version 1 'status' is running on this port
Nessus ID : 11111
Informational sometimes-rpc15 (32776/tcp) RPC program #100133 version 1 is running on this port
Nessus ID : 11111
Informational unknown (32785/udp) RPC program #100249 version 1 is running on this port
Nessus ID : 11111
Vulnerability sometimes-rpc19 (32778/tcp)
The remote RPC service 100249 (snmpXdmid) is vulnerable
to a heap overflow which allows any user to obtain a root
shell on this host.

Solution : disable this service (/etc/init.d/init.dmi stop) if you don't use
it, or contact Sun for a patch
Risk factor : High
CVE : CVE-2001-0236
BID : 2417
Nessus ID : 10659
Informational sometimes-rpc19 (32778/tcp) RPC program #100249 version 1 is running on this port
Nessus ID : 11111
Informational unknown (32788/udp) RPC program #300598 version 1 is running on this port
Nessus ID : 11111
Informational unknown (32788/udp) RPC program #805306368 version 1 is running on this port
Nessus ID : 11111
Informational sometimes-rpc21 (32779/tcp) RPC program #300598 version 1 is running on this port
Nessus ID : 11111
Informational sometimes-rpc21 (32779/tcp) RPC program #805306368 version 1 is running on this port
Nessus ID : 11111
Warning xdmcp (177/udp)
The remote host is running XDMCP.

This protocol is used to provide X display connections for
X terminals. XDMCP is completely insecure, since the traffic and
passwords are not encrypted.

An attacker may use this flaw to capture all the keystrokes of
the users using this host through their X terminal, including
passwords.

Risk factor : Medium
Solution : Disable XDMCP
Nessus ID : 10891
Vulnerability font-service (7100/tcp)
The remote X Font Service (xfs) might be vulnerable to a buffer
overflow.

An attacker may use this flaw to gain root on this host
remotely.

*** Note that Nessus did not actually check for the flaw
*** as details about this vulnerability are still unknown

Solution : See CERT Advisory CA-2002-34
Risk factor : High
CVE : CAN-2002-1317
Nessus ID : 11188
Warning echo (7/udp) The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Nessus ID : 10061
Warning daytime (13/udp) The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.163.156.9 smtp (25/tcp) Security hole found
10.163.156.9 ftp (21/tcp) Security hole found
10.163.156.9 chargen (19/tcp) Security warning(s) found
10.163.156.9 qotd (17/tcp) Security warning(s) found
10.163.156.9 daytime (13/tcp) Security warning(s) found
10.163.156.9 discard (9/tcp) No Information
10.163.156.9 echo (7/tcp) Security warning(s) found
10.163.156.9 nameserver (42/tcp) No Information
10.163.156.9 http (80/tcp) Security hole found
10.163.156.9 nntp (119/tcp) Security notes found
10.163.156.9 loc-srv (135/tcp) Security warning(s) found
10.163.156.9 netbios-ssn (139/tcp) Security hole found
10.163.156.9 microsoft-ds (445/tcp) No Information
10.163.156.9 https (443/tcp) Security notes found
10.163.156.9 printer (515/tcp) Security notes found
10.163.156.9 afpovertcp (548/tcp) Security notes found
10.163.156.9 nntps (563/tcp) Security notes found
10.163.156.9 blackjack (1025/tcp) Security notes found
10.163.156.9 unknown (1028/tcp) Security notes found
10.163.156.9 unknown (1035/tcp) Security notes found
10.163.156.9 netinfo (1033/tcp) Security notes found
10.163.156.9 iad2 (1031/tcp) Security notes found
10.163.156.9 ms-sql-s (1433/tcp) Security notes found
10.163.156.9 ms-sql-m (1434/udp) Security warning(s) found
10.163.156.9 general/tcp Security warning(s) found
10.163.156.9 general/udp Security notes found
10.163.156.9 snmp (161/udp) Security hole found
10.163.156.9 netbios-ns (137/udp) Security warning(s) found
10.163.156.9 echo (7/udp) Security warning(s) found
10.163.156.9 ms-term-serv (3389/tcp) Security notes found
10.163.156.9 daytime (13/udp) Security warning(s) found
10.163.156.9 qotd (17/udp) Security warning(s) found
10.163.156.9 iad1 (1030/udp) Security notes found
10.163.156.9 chargen (19/udp) Security warning(s) found
10.163.156.9 iad3 (1032/udp) Security notes found


Security Issues and Fixes: 10.163.156.9
Type Port Issue and Fix
Vulnerability smtp (25/tcp)

The remote SMTP server did not complain when issued the
command :
MAIL FROM: root@this_host
RCPT TO: /tmp/nessus_test

This probably means that it is possible to send mail directly
to files, which is a serious threat, since this allows
anyone to overwrite any file on the remote server.

*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently.
*** Check for the presence of file 'nessus_test' in /tmp !

Solution : upgrade your MTA or change it.

Risk factor : High
Nessus ID : 10259
Vulnerability smtp (25/tcp)

The remote SMTP server did not complain when issued the
command :
MAIL FROM: |testing

This probably means that it is possible to send mail
that will be bounced to a program, which is
a serious threat, since this allows anyone to execute
arbitrary commands on this host.

*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently

Solution : upgrade your MTA or change it.

Risk factor : High
CVE : CVE-1999-0203
BID : 2308
Nessus ID : 10258
Vulnerability smtp (25/tcp)

The remote SMTP server did not complain when issued the
command :
MAIL FROM: root@this_host
RCPT TO: |testing

This probably means that it is possible to send mail directly
to programs, which is a serious threat, since this allows
anyone to execute arbitrary commands on this host.

*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently.

Solution : upgrade your MTA or change it.

Risk factor : High
CVE : CAN-1999-0163
Nessus ID : 10261
Informational smtp (25/tcp) An SMTP server is running on this port
Here is its banner :
220 gabbo Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Fri, 21 Feb 2003 15:45:19 -0800
Nessus ID : 10330
Informational smtp (25/tcp) Remote SMTP server banner :
220 gabbo Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Fri, 21 Feb 2003 15:48:26 -0800

Nessus ID : 10263
Informational smtp (25/tcp) For some reason, we could not send the EICAR test string to this MTA
Nessus ID : 11034
Vulnerability ftp (21/tcp) The remote FTP server closes
the connection when one of the commands is given
a too long argument.

This is probably due to a buffer overflow, which
allows anyone to execute arbitrary code
on the remote host.

This problem is threatening, because
attackers don't need an account
to exploit this flaw.

Solution : Upgrade your FTP server or change it
Risk factor : High
CVE : CAN-2000-0133
BID : 961
Nessus ID : 10084
Warning ftp (21/tcp) This FTP service allows anonymous logins. If you do not
want to share data with anyone you do not know, then you should deactivate
the anonymous account, since it can only cause trouble.
Under most Unix systems, doing :
echo ftp >> /etc/ftpusers
will correct this.

Risk factor : Low
CVE : CAN-1999-0497
Nessus ID : 10079
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 gabbo Microsoft FTP Service (Version 5.0).
Nessus ID : 10330
Informational ftp (21/tcp) Remote FTP server banner :
220 gabbo Microsoft FTP Service (Version 5.0).
Nessus ID : 10092
Warning chargen (19/tcp) The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with some random characters (something
like all the characters in the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

An easy attack is 'pingpong' in which an attacker spoofs a packet between two
machines running chargen. This will cause them to spew characters at each
other, slowing the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10043
Informational chargen (19/tcp) Chargen is running on this port
Nessus ID : 10330
Warning qotd (17/tcp) The quote service (qotd) is running.

A server listens for TCP connections on TCP port 17. Once a connection
is established a short message is sent out the connection (and any
data received is thrown away). The service closes the connection
after sending the quote.

Another quote of the day service is defined as a datagram based
application on UDP. A server listens for UDP datagrams on UDP port 17.
When a datagram is received, an answering datagram is sent containing
a quote (the data in the received datagram is ignored).

An easy attack is 'pingpong' in which an attacker spoofs a packet between two machines
running qotd. This will cause them to spew characters at each other,
slowing the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10198
Informational qotd (17/tcp) qotd seems to be running on this port
Nessus ID : 11153
Warning daytime (13/tcp) The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Warning echo (7/tcp) The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Nessus ID : 10061
Informational echo (7/tcp) An echo server is running on this port
Nessus ID : 10330
Vulnerability http (80/tcp)
The IIS server appears to have the .HTR ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.

It is recommended that, even if you have patched this vulnerability,
you unmap the .HTR extension, and any other unused ISAPI extensions
if they are not required for the operation of your site.

Solution:
To unmap the .HTR extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Select Master Properties.
4. Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .htr from the list.

Risk factor : High
CVE : CAN-2002-0071
BID : 4474
Nessus ID : 10932
Vulnerability http (80/tcp)
The web server is probably susceptible to a common IIS vulnerability discovered by
'Rain Forest Puppy'. This vulnerability enables an attacker to execute arbitrary
commands on the server with Administrator Privileges.

*** Nessus solely relied on the presence of the file /msadc/msadcs.dll
*** so this might be a false positive

See Microsoft security bulletin (MS99-025) for patch information.
Also, BUGTRAQ ID 529 on www.securityfocus.com ( http://www.securityfocus.com/bid/529 )

Risk factor : High
CVE : CVE-1999-1011
BID : 529
Nessus ID : 10357
Warning http (80/tcp)
The IIS server appears to have the .IDA ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .IDA
(indexing service) filter. This is detailed in Microsoft Advisory
MS01-033, and gives remote SYSTEM level access to the web server.

It is recommended that, even if you have patched this vulnerability,
you unmap the .IDA extension, and any other unused ISAPI extensions
if they are not required for the operation of your site.

Solution:
To unmap the .IDA extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Select Master Properties.
4. Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .ida from the list.

Risk factor : Medium
CVE : CAN-2002-0071
BID : 4474
Nessus ID : 10695
Warning http (80/tcp)
IIS 5 has support for the Internet Printing Protocol (IPP), which is
enabled in a default install. The protocol is implemented in IIS 5 as an
ISAPI extension. At least one security problem (a buffer overflow)
has been found with that extension in the past, so we recommend
you disable it if you do not use this functionality.

Solution:
To unmap the .printer extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Select Master Properties.
4. Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .printer from the list.

Reference : http://online.securityfocus.com/archive/1/181109

Risk factor : Low
Nessus ID : 10661
Warning http (80/tcp)
Your webserver supports the TRACE and/or TRACK methods. It has been
shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
'Cross-Site-Tracing', when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your
legitimate web users into giving him their
credentials.

Solution: Disable these methods.

If you are using Apache, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.

See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html

Risk factor : Medium
Nessus ID : 11213
Warning http (80/tcp)
It is possible to retrieve the listing of the remote
directories accessible via HTTP, rather than their index.html,
using the Index Server service which provides WebDav capabilities
to this server.

This problem allows an attacker to gain more knowledge
about the remote host, and may make him aware of hidden
HTML files.

Solution : disable the Index Server service, or
see http://www.microsoft.com/technet/support/kb.asp?ID=272079
Risk factor : Low
CVE : CVE-2000-0951
BID : 1756
Nessus ID : 10526
Warning http (80/tcp)
The remote web server appears to be running with
FrontPage extensions.

You should double check the configuration since
a lot of security problems have been found with
FrontPage when the configuration file is
not well set up.

Risk factor : High if your configuration file is
not well set up
CVE : CAN-2000-0114
Nessus ID : 10077
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) The remote web server type is :

Microsoft-IIS/5.0

Solution : You can use urlscan to change reported server for IIS.
Nessus ID : 10107
Informational http (80/tcp) The following directories were discovered:
/_vti_bin, /images
The following directories require authentication:
/printers
Nessus ID : 11032
Informational nntp (119/tcp) An NNTP server is running on this port
Nessus ID : 10330
Informational nntp (119/tcp) Remote NNTP server version : 200 NNTP Service 5.00.0984 Version: 5.0.2195.5329 Posting Allowed

Nessus ID : 10159
Informational nntp (119/tcp) This NNTP server allows unauthenticated connections
For your information, we counted 4 newsgroups on this NNTP server:
0 in the alt hierarchy, 0 in rec, 0 in biz, 0 in sci, 0 in soc, 0 in misc, 0 in news, 0 in comp, 0 in talk, 0 in humanities.
Although this server says it allows posting, we were unable to send a message
(posted in alt.test)

Nessus ID : 11033
Warning loc-srv (135/tcp)
DCE services running on the remote host can be enumerated
by connecting to port 135 and doing the appropriate
queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1
Endpoint: ncacn_np:\\GABBO[\pipe\WinsPipe]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncalrpc[LRPC00000238.00000001]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncalrpc[LRPC000004a0.00000001]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncalrpc[LRPC000004a0.00000001]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[ntsvcs]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\GABBO[\PIPE\ntsvcs]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\GABBO[\PIPE\scerpc]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[DNSResolver]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncalrpc[OLEc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncalrpc[INETINFO_LPC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_np:\\GABBO[\PIPE\INETINFO]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncalrpc[OLEc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncalrpc[INETINFO_LPC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_np:\\GABBO[\PIPE\INETINFO]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncalrpc[SMTPSVC_LPC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_np:\\GABBO[\PIPE\SMTPSVC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncalrpc[OLEc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncalrpc[INETINFO_LPC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_np:\\GABBO[\PIPE\INETINFO]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncalrpc[SMTPSVC_LPC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_np:\\GABBO[\PIPE\SMTPSVC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_at_dspGABBO[DynEpt 590.1]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncalrpc[OLEc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncalrpc[INETINFO_LPC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncacn_np:\\GABBO[\PIPE\INETINFO]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncalrpc[SMTPSVC_LPC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncacn_np:\\GABBO[\PIPE\SMTPSVC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncacn_at_dspGABBO[DynEpt 590.1]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncalrpc[NNTPSVC_LPC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncacn_np:\\GABBO[\PIPE\NNTPSVC]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1
Endpoint: ncalrpc[LRPC00000504.00000001]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1
Endpoint: ncacn_np:\\GABBO[\pipe\HydraLsPipe]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1
Endpoint: ncalrpc[LRPC00000504.00000001]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1
Endpoint: ncacn_np:\\GABBO[\pipe\HydraLsPipe]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 493c451c-155c-11d3-a314-00c04fb16103, version 1
Endpoint: ncalrpc[LRPC00000504.00000001]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 493c451c-155c-11d3-a314-00c04fb16103, version 1
Endpoint: ncacn_np:\\GABBO[\pipe\HydraLsPipe]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1
Endpoint: ncalrpc[LRPC0000053c.00000001]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1
Endpoint: ncacn_np:\\GABBO[\pipe\WinsPipe]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1
Endpoint: ncalrpc[LRPC0000053c.00000001]

Nessus ID : 10736
Vulnerability netbios-ssn (139/tcp)
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

. All the smb tests will be done as ''/''
CVE : CVE-2000-0222
BID : 990
Nessus ID : 10394
Warning netbios-ssn (139/tcp) The domain SID can be obtained remotely. Its value is :

COOLDOMAIN : 0-0-0-0-0

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning netbios-ssn (139/tcp) The host SID can be obtained remotely. Its value is :

GABBO : 5-21-842925246-1563985344-2146861395

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning netbios-ssn (139/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(we only enumerated user names whose IDs are between 1000 and 1020
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- NetShowServices (id 1001)
- NetShow Administrators (id 1002)
- IUSR_GABBO (id 1003)
- IWAM_GABBO (id 1004)
- DHCP Users (id 1005)
- DHCP Administrators (id 1006)
- WINS Users (id 1007)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning netbios-ssn (139/tcp) Here is the browse list of the remote host :

GABBO -

This is potentially dangerous as it may help a potential
attacker by giving him extra targets to check for

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Informational netbios-ssn (139/tcp) The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.0
The remote SMB Domain Name is : COOLDOMAIN

Nessus ID : 10785
Informational https (443/tcp) An unknown service is running on this port.
It is usually reserved for HTTPS
Nessus ID : 10330
Informational printer (515/tcp) An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 01 .

Nessus ID : 11154
Informational afpovertcp (548/tcp) This host is running AppleShare File Services over IP.
Machine type: Windows NT
Server name: GABBO
UAMs: ClearTxt Passwrd/Microsoft V1.0/MS2.0
AFP Versions: AFPVersion 2.0/AFPVersion 2.1/AFP2.2

Nessus ID : 10666
Informational nntps (563/tcp) An unknown service is running on this port.
It is usually reserved for NNTPS
Nessus ID : 10330
Informational blackjack (1025/tcp) A DCE service is listening on this port
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.163.156.9[1025]

Nessus ID : 10736
Informational unknown (1028/tcp) A DCE service is listening on this port
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:10.163.156.9[1028]

Nessus ID : 10736
Informational unknown (1028/tcp) A DCE service is listening on this port
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:10.163.156.9[1028]

Nessus ID : 10736
Informational unknown (1035/tcp) A DCE service is listening on this port
UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1
Endpoint: ncacn_ip_tcp:10.163.156.9[1035]

Nessus ID : 10736
Informational unknown (1035/tcp) A DCE service is listening on this port
UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1
Endpoint: ncacn_ip_tcp:10.163.156.9[1035]

Nessus ID : 10736
Informational netinfo (1033/tcp) A DCE service is listening on this port
UUID: 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1
Endpoint: ncacn_ip_tcp:10.163.156.9[1033]

Nessus ID : 10736
Informational netinfo (1033/tcp) A DCE service is listening on this port
UUID: 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1
Endpoint: ncacn_ip_tcp:10.163.156.9[1033]

Nessus ID : 10736
Informational netinfo (1033/tcp) A DCE service is listening on this port
UUID: 493c451c-155c-11d3-a314-00c04fb16103, version 1
Endpoint: ncacn_ip_tcp:10.163.156.9[1033]

Nessus ID : 10736
Informational iad2 (1031/tcp) A DCE service is listening on this port
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_ip_tcp:10.163.156.9[1031]

Nessus ID : 10736
Informational iad2 (1031/tcp) A DCE service is listening on this port
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_ip_tcp:10.163.156.9[1031]

Nessus ID : 10736
Informational iad2 (1031/tcp) A DCE service is listening on this port
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_ip_tcp:10.163.156.9[1031]

Nessus ID : 10736
Informational iad2 (1031/tcp) A DCE service is listening on this port
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncacn_ip_tcp:10.163.156.9[1031]

Nessus ID : 10736
Informational ms-sql-s (1433/tcp) It is possible that Microsoft's SQL Server is installed on the remote computer.
CVE : CAN-1999-0652
Nessus ID : 10144
Warning ms-sql-m (1434/udp) Here is the reply to a MS SQL 'ping' request :
ServerName;GABBO;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;tcp;1433;np;\\GABBO\pipe\\sql\query;;
*** Note that the version number might be inaccurate, as Microsoft
*** decided to not increase it with new releases of its software
It is suggested you filter incoming traffic to this port
Nessus ID : 10674
Warning general/tcp
The remote host uses non-random IP IDs: the value of the IP ID field in
the packets it sends is predictable (it increments from one packet to the
next), so an observer can tell how many packets the host has sent between
two probes.

An attacker can use this to determine whether the host sent a packet in
reply to some other request, for example to port-scan a third party
through this host ('idle scanning') while hiding the scanner's own
address, or simply to count the host's traffic.

Solution : Contact your vendor for a patch
Risk factor : Low
Nessus ID : 10201
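To make the finding concrete, here is an added example, not part of the Nessus output, that classifies a sequence of IP ID values sampled in order from one host and shows what a predictable counter leaks. Every sequence in it is constructed; nothing was captured from the hosts in this report.

```python
"""Classify an IP ID sequence and show what a predictable one leaks.

Added example for the 'non-random IP IDs' finding; not part of the Nessus
output.  Every sequence in SAMPLES is constructed, not captured from the
hosts in this report.
"""
from collections import Counter

MODULUS = 1 << 16  # the IP ID is a 16-bit field and wraps


def deltas(ids):
    """Differences between consecutive IDs, taken modulo 2**16 so that a
    counter wrapping from 65535 to 0 still shows as a step of 1."""
    return [(b - a) % MODULUS for a, b in zip(ids, ids[1:])]


def classify_ipid(ids, dominance=0.8):
    """Return (kind, step) for IDs sampled in order from one host.

    kind is 'constant', 'incremental', 'incremental-byteswapped' (Windows
    stacks of this era increment the counter in host byte order, which on
    the wire looks like steps of 256; still fully predictable) or 'random'.
    A sequence counts as predictable when one step value accounts for
    `dominance` of the observed deltas, which tolerates a few packets the
    host sent to other parties between our probes.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    step, count = Counter(deltas(ids)).most_common(1)[0]
    if count < dominance * (len(ids) - 1):
        return ("random", None)
    if step == 0:
        return ("constant", 0)
    if step == 256:
        return ("incremental-byteswapped", 256)
    return ("incremental", step)


def predict_next(ids):
    """Next IP ID a predictable host will use, or None if it cannot be predicted."""
    kind, step = classify_ipid(ids)
    if kind == "random":
        return None
    return (ids[-1] + step) % MODULUS


def packets_sent_between(before, after, step):
    """How many packets the host sent to *other* parties between two probe
    replies whose IDs were `before` and `after`.  The second probe's own reply
    consumes one step, hence the -1.  This inference is what turns a
    predictable counter into an idle-scan 'zombie'."""
    if step <= 0:
        raise ValueError("host must have a positive stride")
    return ((after - before) % MODULUS) // step - 1


SAMPLES = {  # constructed sequences
    "unix-incremental": [4132, 4133, 4134, 4135, 4136, 4137],
    "wraps-at-16-bits": [65533, 65534, 65535, 0, 1, 2],
    "windows-byteswapped": [0x1200, 0x1300, 0x1400, 0x1500, 0x1600],
    "busy-incremental": [100, 101, 102, 105, 106, 107, 108, 109, 110, 111],
    "random": [5312, 19, 40211, 772, 60000, 2, 31337],
}
```

The `dominance` threshold is what keeps a host that answered a couple of unrelated packets between probes from being misclassified as random; lower it for a busy host, or sample more often.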
Informational general/tcp QueSO has found out that the remote host OS is
* WindowsNT, Cisco 11.2(10a), HP/3000 DTC, BayStack Switch


CVE : CAN-1999-0454
Nessus ID : 10337
Informational general/udp For your information, here is the traceroute to 10.163.156.9 :
?
10.163.156.9

Nessus ID : 10287
Vulnerability snmp (161/udp)
SNMP Agent responded as expected with community name: public
The agent accepts the default community string, so anyone who can reach
161/udp can read the MIB; the account, service, interface and operating
system details in the findings below were all obtained this way. Change
the community string and restrict the addresses the agent answers.
CVE : CAN-1999-0186
BID : 177
Nessus ID : 10264
Warning snmp (161/udp) It was possible to obtain the list of SMB users of the
remote host via SNMP :

. Guest
. IUSR_GABBO
. IWAM_GABBO
. Administrator
. TsInternetUser
. NetShowServices

An attacker may use this information to set up brute force
attacks or find an unused account.

Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Medium
Nessus ID : 10546
Warning snmp (161/udp) It was possible to obtain the list of Lanman services of the
remote host via SNMP :

. Server
. Alerter
. Event Log
. Messenger
. Telephony
. DNS Client
. DHCP Client
. MSSQLSERVER
. Workstation
. SNMP Service
. Plug and Play
. Print Spooler
. RunAs Service
. Task Scheduler
. Computer Browser
. Indexing Service
. Automatic Updates
. COM+ Event System
. IIS Admin Service
. Protected Storage
. Removable Storage
. Terminal Services
. IPSEC Policy Agent
. Remote Storage File
. TCP/IP Print Server
. Logical Disk Manager
. Remote Storage Media
. Remote Storage Engine
. FTP Publishing Service
. Simple TCP/IP Services
. Distributed File System
. License Logging Service
. Remote Registry Service
. File Server for Macintosh
. Security Accounts Manager
. System Event Notification
. Print Server for Macintosh
. Remote Procedure Call (RPC)
. Terminal Services Licensing
. TCP/IP NetBIOS Helper Service
. Windows Media Monitor Service
. Windows Media Program Service
. Windows Media Station Service
. Windows Media Unicast Service
. Internet Authentication Service
. NT LM Security Support Provider
. Distributed Link Tracking Client
. World Wide Web Publishing Service
. Windows Management Instrumentation
. Distributed Transaction Coordinator
. Windows Internet Name Service (WINS)
. Simple Mail Transport Protocol (SMTP)
. Network News Transport Protocol (NNTP)
. Windows Management Instrumentation Driver Extensions

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10547
Warning snmp (161/udp) It was possible to obtain the list of network interfaces of the
remote host via SNMP :

. MS TCP Loopback interface
. Realtek RTL8029(AS) Ethernet Adapt

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10551
Informational snmp (161/udp) Using SNMP, we could determine that the remote operating system is :
Hardware: x86 Family 6 Model 6 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
Nessus ID : 10800
Warning netbios-ns (137/udp) . The following 9 NetBIOS names have been gathered :
GABBO
GABBO
COOLDOMAIN
COOLDOMAIN
GABBO
COOLDOMAIN
__MSBROWSE__
INet~Services
IS~GABBO
. The remote host has the following MAC address on its adapter :
0x00 0x40 0x05 0x65 0x01 0xa2

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
Nessus ID : 10150
Warning echo (7/udp) The 'echo' port is open. This service has no legitimate
use today and, combined with the other small UDP services on this host
(daytime, qotd, chargen), can be used for denial of service by spoofing
traffic between them. You should disable this service.

Risk factor : Low

Solution : on Unix, comment out 'echo' in /etc/inetd.conf. This host runs
Windows 2000 (see the SNMP operating system finding above), where echo,
daytime, qotd and chargen are all provided by the 'Simple TCP/IP Services'
service listed above; stop and disable that service.
CVE : CVE-1999-0103
Nessus ID : 10061
Informational ms-term-serv (3389/tcp)
The Terminal Services are enabled on the remote host.

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host.


Solution : Disable the Terminal Services if you do not use them
Risk factor : Low
Nessus ID : 10940
Warning daytime (13/udp) The daytime service is running.
The date format issued by this service may help an attacker
guess the operating system type.

In addition, when the UDP version of daytime is running, an attacker
can spoof datagrams between it and an echo port (such as the one open
on this host), creating a loop and a possible denial of service.

Solution : on Unix, disable this service in /etc/inetd.conf; on this
Windows 2000 host it is part of 'Simple TCP/IP Services', which should
be stopped and disabled.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Warning qotd (17/udp) The quote of the day service (qotd) is running.

Over TCP, the server listens on port 17; once a connection is established
it sends a short message, discards any data received, and closes the
connection.

Over UDP, the server listens for datagrams on port 17 and answers each one
with a datagram containing a quote. The content of the received datagram is
ignored, so any spoofed datagram gets a reply.

An easy attack is 'pingpong', in which an attacker spoofs a single datagram
so that it appears to come from another small UDP service (echo, chargen or
another qotd) on a second machine. The two services then answer each other
indefinitely, slowing both machines down and saturating the network.

Solution : on Unix, disable this service in /etc/inetd.conf; on this
Windows 2000 host it is part of 'Simple TCP/IP Services', which should
be stopped and disabled.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10198
Informational iad1 (1030/udp) A DCE service is listening on this port
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:10.163.156.9[1030]
Annotation: Messenger Service

Nessus ID : 10736
Warning chargen (19/udp) The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with a stream of characters (a rotating
pattern of printable ASCII). Over UDP it answers each datagram with a
single datagram, whatever the datagram contains; over TCP it keeps
sending until the client closes the connection.

An easy attack is 'pingpong', in which an attacker spoofs a datagram
between two machines running chargen (or between chargen and echo,
daytime or qotd). The two services then answer each other indefinitely,
slowing both machines down and saturating the network.

Solution : on Unix, disable this service in /etc/inetd.conf; on this
Windows 2000 host it is part of 'Simple TCP/IP Services', which should
be stopped and disabled.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10043
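The echo, daytime, qotd and chargen warnings above all describe one failure mode: a datagram spoofed between two of these services loops until something drops it. As an added example, not part of the report, here is detection logic over constructed flow records; the one-line record format is an assumption made for the example, not any real tool's output, and the addresses are taken from this report's host list.

```python
"""Detection logic for the 'pingpong' loop the small-service findings describe.

Added example, not part of the Nessus report.  Input is a constructed,
simplified flow record, one per line: 'udp 10.163.156.9:19 > 10.163.156.10:7'.
The point: a real client talks to echo/daytime/qotd/chargen from an
ephemeral source port, so a UDP datagram whose source AND destination ports
are both small services can only be a spoofed loop (or its reply leg).
"""
import re

# Small UDP services that answer every datagram.  discard (9) is left out:
# it never replies, so a loop cannot run through it.
REPLYING_SERVICES = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen"}

FLOW_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flow(line):
    """Parse one flow line into a dict; ports become ints."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised flow line: %r" % line)
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def is_pingpong(flow):
    """True for a UDP datagram travelling between two replying small services."""
    return (flow["proto"] == "udp"
            and flow["sport"] in REPLYING_SERVICES
            and flow["dport"] in REPLYING_SERVICES)


def find_loops(lines):
    """Return (src, service, dst, service) for every looping datagram seen."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if is_pingpong(f):
            hits.append((f["src"], REPLYING_SERVICES[f["sport"]],
                         f["dst"], REPLYING_SERVICES[f["dport"]]))
    return hits


SAMPLE_FLOWS = [  # constructed records; addresses from this report's host list
    "udp 10.163.156.10:1234 > 10.163.156.9:7",    # ordinary client probing echo
    "udp 10.163.156.9:19 > 10.163.156.10:7",      # chargen answering a datagram forged as echo
    "udp 10.163.156.10:7 > 10.163.156.9:19",      # echo answering chargen: the loop running
    "udp 10.163.156.9:13 > 10.163.156.9:7",       # daytime -> echo on one host: also a loop
    "tcp 10.163.156.10:40000 > 10.163.156.9:19",  # TCP chargen from an ephemeral port: fine
    "udp 10.163.156.9:19 > 10.163.156.10:9",      # chargen -> discard: dies at discard
]
```

The same predicate works as a firewall rule: drop UDP where both ports are in {7, 13, 17, 19}, which is harmless to real clients and stops the loop at the first hop even when the services themselves cannot be disabled.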
Informational iad3 (1032/udp) A DCE service is listening on this port
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncadg_ip_udp:10.163.156.9[1032]

Nessus ID : 10736
Informational iad3 (1032/udp) A DCE service is listening on this port
UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4
Endpoint: ncadg_ip_udp:10.163.156.9[1032]

Nessus ID : 10736


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.163.155.4 ftp (21/tcp) Security notes found
10.163.155.4 http (80/tcp) Security hole found
10.163.155.4 loc-srv (135/tcp) Security warning(s) found
10.163.155.4 netbios-ssn (139/tcp) Security hole found
10.163.155.4 microsoft-ds (445/tcp) No Information
10.163.155.4 blackjack (1025/tcp) Security notes found
10.163.155.4 general/tcp Security notes found
10.163.155.4 general/udp Security notes found
10.163.155.4 netbios-ns (137/udp) Security warning(s) found
10.163.155.4 unknown (1026/udp) Security notes found


Security Issues and Fixes: 10.163.155.4
Type Port Issue and Fix
Informational ftp (21/tcp) The service closed the connection after 0 seconds without sending any data.
It might be protected by a TCP wrapper.

Nessus ID : 10330
Vulnerability http (80/tcp)
The remote proxy server seems to be ooops 1.4.6 or older.

This proxy is vulnerable to a buffer overflow that
allows an attacker to gain a shell on this host.

*** Note that this check made the remote proxy crash

Solution : Upgrade to the latest version of this software
Risk factor : High
CVE : CAN-2001-0029
BID : 2099
Nessus ID : 10578
Warning http (80/tcp) This proxy accepts requests from any source address (an
'open proxy'). An attacker can relay traffic through it, so the sites being
browsed see the requests as coming from your network, and can use it as a
pivot to reach whatever hosts the proxy itself can reach.

Solution: Reconfigure the proxy so that it only accepts requests coming
from inside your network, and verify the change by requesting an external
URL through it from an outside address.

Risk factor : Low/Medium
Nessus ID : 10195
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) An HTTP proxy is running on this port
Nessus ID : 10330
Warning loc-srv (135/tcp)
DCE services running on the remote host can be enumerated
by connecting to port 135 (the endpoint mapper) and issuing
the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncalrpc[LRPC0000027c.00000001]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncalrpc[LRPC0000027c.00000001]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[ntsvcs]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\BENDER[\PIPE\ntsvcs]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\BENDER[\PIPE\scerpc]
Annotation: Messenger Service

Nessus ID : 10736
Vulnerability netbios-ssn (139/tcp)
. It was possible to log into the remote host using a NULL session.
A NULL session is an SMB connection made with an empty username and
an empty password; it grants anonymous ('guest'-level) access, which is
enough for the SID, user and browse-list enumeration reported below.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

. All the smb tests will be done as ''/'' in domain WORKGROUP
CVE : CVE-2000-0222
BID : 990
Nessus ID : 10394
Warning netbios-ssn (139/tcp) The domain SID can be obtained remotely. Its value is :

WORKGROUP : 0-0-0-0-0

(A null SID here means the host belongs to a workgroup, not a domain; the
host SID in the next finding is the one that matters for enumeration.)
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning netbios-ssn (139/tcp) The host SID can be obtained remotely. Its value is :

BENDER : 5-21-1884898659-186063924-2090620667

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning netbios-ssn (139/tcp) The host SID could be used to enumerate the names of the local users
of this host (RID cycling: appending candidate RIDs to the host SID and
asking the LSA to resolve each resulting SID to a name).
(Only accounts whose RID is between 1000 and 1020 were enumerated, for
performance reasons, so the list below is not complete.)
This gives an attacker a list of valid account names to target :
- Administrator account name : Administrateur (id 500)
- Guest account name : Invité (id 501)
  (these are the French-localized default names, not renamed accounts)
- Renaud (id 1000)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
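The domain-SID, host-SID and RID-cycling findings above all turn on one data structure, the SID, in its text and its binary form. As an added example, not Nessus code, the Python below converts between the two using the layout given in [MS-DTYP] section 2.4.2 and builds the candidate list an enumerator asks the LSA to resolve; the host SID is the one printed above with the 'S-1-' prefix that Nessus omits restored.

```python
"""Text <-> binary SID conversion and the candidate list used for RID cycling.

Added example, not part of the Nessus report.  HOST_SID is the value Nessus
printed for BENDER with the 'S-1-' prefix restored.  The binary layout is
the one LSA RPC calls such as LsarLookupSids take ([MS-DTYP] 2.4.2):
revision, sub-authority count, 6-byte big-endian identifier authority,
then little-endian 32-bit sub-authorities.
"""
import struct

HOST_SID = "S-1-5-21-1884898659-186063924-2090620667"  # from the finding above


def sid_to_bytes(sid):
    """Serialise 'S-1-<authority>-<sub>-...' to its wire form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % sid)
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, with the length check every parser must do."""
    if len(data) < 8 or data[0] != 1 or len(data) != 8 + 4 * data[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % data[1], data[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def candidate_sids(host_sid, rids):
    """SIDs an enumerator hands to the LSA in batches: the host SID with each
    candidate RID appended.  500 and 501 are the fixed Administrator and Guest
    RIDs (which is how the scanner recovered 'Administrateur' and 'Invité');
    ordinary local accounts are allocated from 1000 upward, which is why the
    scanner walked 1000-1020."""
    return [host_sid + "-%d" % rid for rid in rids]


def rid_of(sid, host_sid):
    """RID of an account SID if it belongs to this host's authority, else None
    (a domain or well-known SID such as S-1-5-32-544 is not local)."""
    prefix = host_sid + "-"
    if not sid.startswith(prefix):
        return None
    rest = sid[len(prefix):]
    return int(rest) if rest.isdigit() else None
```

Note the asymmetry in byte order: the identifier authority is big-endian, the sub-authorities little-endian. Getting that wrong is the classic bug in hand-rolled SID code, and a parser that trusts the sub-authority count without checking the buffer length is the classic over-read.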
Warning netbios-ssn (139/tcp) Here is the browse list of the remote host :

BENDER -
XP -


This may help an attacker by giving him extra targets to check.

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Informational netbios-ssn (139/tcp) The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.0
The remote SMB Domain Name is : WORKGROUP

Nessus ID : 10785
Informational blackjack (1025/tcp) A DCE service is listening on this port
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:10.163.155.4[1025]

Nessus ID : 10736
Informational blackjack (1025/tcp) A DCE service is listening on this port
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:10.163.155.4[1025]

Nessus ID : 10736
Informational general/tcp QueSO has found out that the remote host OS is
* FreeBSD, NetBSD, OpenBSD
(This TCP/IP stack fingerprint disagrees with the SMB finding above, which
identifies the host as Windows 2000; the SMB result comes directly from the
host and should be preferred.)


CVE : CAN-1999-0454
Nessus ID : 10337
Informational general/udp For your information, here is the traceroute to 10.163.155.4 :
?
10.163.156.1
10.163.155.4

Nessus ID : 10287
Warning netbios-ns (137/udp) . The following 5 NetBIOS names have been gathered :
BENDER = This is the computer name registered for workstation services by a WINS client.
WORKGROUP = Workgroup / Domain name
BENDER
BENDER = Computer name that is registered for the messenger service on a computer that is a WINS client.
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
. The remote host has the following MAC address on its adapter :
0x00 0x02 0x2d 0x28 0xf3 0x16

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
Nessus ID : 10150
Informational unknown (1026/udp) A DCE service is listening on this port
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:10.163.155.4[1026]
Annotation: Messenger Service

Nessus ID : 10736


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.163.155.3 ftp (21/tcp) Security hole found
10.163.155.3 http (80/tcp) Security warning(s) found
10.163.155.3 svrloc (427/tcp) Security notes found
10.163.155.3 afpovertcp (548/tcp) Security hole found
10.163.155.3 general/tcp Security notes found
10.163.155.3 general/udp Security notes found
10.163.155.3 x11 (6000/tcp) Security warning(s) found


Security Issues and Fixes: 10.163.155.3
Type Port Issue and Fix
Vulnerability ftp (21/tcp)
It was possible to make the remote FTP server
crash by issuing this command :

CEL aaaa[...]aaaa

This problem is known as the 'AIX FTPd' overflow and
may allow a remote user to easily gain access to the
root (super-user) account on the remote system.

Note that the banner below identifies this server as lukemftpd 1.1, not
AIX FTPd, and that the next finding reports the same symptom (the daemon
dies on an overlong argument); treat them as one issue, and confirm the
crash before concluding that the server is exploitable rather than merely
crashable.

Solution : If you are using AIX FTPd, then read
IBM's advisory number ERS-SVA-E01-1999:004.1,
or contact your vendor for a patch.

Risk factor : High
CVE : CVE-1999-0789
BID : 679
Nessus ID : 10009
Vulnerability ftp (21/tcp) The remote FTP server closes
the connection when one of the commands is given
an overly long argument.

This is probably due to a buffer overflow, which
may allow anyone to execute arbitrary code
on the remote host.

This problem is serious because an attacker does not
need an account to exploit it: the overlong argument
can be sent without logging in.

Solution : Upgrade your FTP server or change it
Risk factor : High
CVE : CAN-2000-0133
BID : 961
Nessus ID : 10084
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 10.163.155.3 FTP server (lukemftpd 1.1) ready.
Nessus ID : 10330
Informational ftp (21/tcp) Remote FTP server banner :
220 10.163.155.3 FTP server (lukemftpd 1.1) ready.
Nessus ID : 10092
Warning http (80/tcp)
Your web server supports the TRACE and/or TRACK methods. TRACE returns the
request exactly as received, headers included, so a server that supports it
can be used for 'Cross-Site Tracing' (XST): combined with browser weaknesses,
an attacker can read cookies or HTTP authentication headers that script
cannot normally access.

An attacker may use this flaw to obtain your legitimate web users'
credentials.

Solution: Disable these methods.

Note that the server on this port identifies itself as a Squid proxy
(see the server-type note below), not Apache or IIS, so the configuration
advice below does not apply directly; restrict the allowed request methods
in the proxy's own access-control rules instead.

If you are using Apache, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

(Apache 1.3.34 and 2.0.55 or later also provide the TraceEnable directive
for this purpose.)

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy. TRACK is an IIS-specific alias of TRACE.



See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html

Risk factor : Medium
Nessus ID : 11213
Warning http (80/tcp) This proxy accepts requests from any source address (an
'open proxy'). An attacker can relay traffic through it, so the sites being
browsed see the requests as coming from your network, and can use it as a
pivot to reach whatever hosts the proxy itself can reach.

Solution: Reconfigure the proxy so that it only accepts requests coming
from inside your network, and verify the change by requesting an external
URL through it from an outside address.

Risk factor : Low/Medium
Nessus ID : 10195
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) An HTTP proxy is running on this port
Nessus ID : 10330
Informational http (80/tcp) The remote web server type is :

squid/2.5.PRE13

Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.

Nessus ID : 10107
Informational http (80/tcp) This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by some information-gathering plugin.

Nessus ID : 10919
Informational svrloc (427/tcp) An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 02 02 ..
(Port 427 is assigned to the Service Location Protocol, and the two bytes
are consistent with an SLPv2 header: version 2 followed by a function ID.)


Nessus ID : 11154
Vulnerability afpovertcp (548/tcp) This AppleShare File Server allows the 'guest' user to connect.
The UAM list in the next finding includes 'No User Authent' (guest) and
'Cleartxt Passwrd'; disable guest access, and disable cleartext
authentication in favour of the DHCAST128/DHX2 UAMs the server also offers,
or filter this port so that only trusted hosts can reach it.

Nessus ID : 10666
Informational afpovertcp (548/tcp) This host is running an AppleShare File Services over IP.
Machine type: Macintosh
Server name: betrayal
UAMs: DHCAST128/DHX2/Cleartxt Passwrd/No User Authent
AFP Versions: AFP3.1/AFPX03/AFP2.2/AFPVersion 2.1/AFPVersion 2.0/AFPVersion 1.1

Nessus ID : 10666
Informational general/tcp QueSO has found out that the remote host OS is
* FreeBSD, NetBSD, OpenBSD


CVE : CAN-1999-0454
Nessus ID : 10337
Informational general/udp For your information, here is the traceroute to 10.163.155.3 :
10.163.155.3

Nessus ID : 10287
Warning x11 (6000/tcp) This X server does *not* allow arbitrary clients to connect
(the 'No protocol specified' reply below is its access-control refusal).
It is still recommended that you filter incoming connections to this port,
since an attacker can send garbage data to slow down your X session or
even kill the server.

Here is the server version : 11.0
Here is the message we received : No protocol specified


Solution : filter incoming connections to ports 6000-6009
Risk factor : Low
CVE : CVE-1999-0526
Nessus ID : 10407


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.163.155.2 ftp (21/tcp) Security notes found
10.163.155.2 http (80/tcp) Security warning(s) found
10.163.155.2 snmp (161/udp) Security hole found
10.163.155.2 general/tcp Security warning(s) found


Security Issues and Fixes: 10.163.155.2
Type Port Issue and Fix
Informational ftp (21/tcp) The service closed the connection after 0 seconds without sending any data.
It might be protected by a TCP wrapper.

Nessus ID : 10330
Warning http (80/tcp)
Your web server supports the TRACE and/or TRACK methods. TRACE returns the
request exactly as received, headers included, so a server that supports it
can be used for 'Cross-Site Tracing' (XST): combined with browser weaknesses,
an attacker can read cookies or HTTP authentication headers that script
cannot normally access.

An attacker may use this flaw to obtain your legitimate web users'
credentials.

Solution: Disable these methods.

Note that the server on this port identifies itself as a Squid proxy
(see the server-type note below), not Apache or IIS, so the configuration
advice below does not apply directly; restrict the allowed request methods
in the proxy's own access-control rules instead.

If you are using Apache, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

(Apache 1.3.34 and 2.0.55 or later also provide the TraceEnable directive
for this purpose.)

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy. TRACK is an IIS-specific alias of TRACE.



See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html

Risk factor : Medium
Nessus ID : 11213
Warning http (80/tcp) This proxy accepts requests from any source address (an
'open proxy'). An attacker can relay traffic through it, so the sites being
browsed see the requests as coming from your network, and can use it as a
pivot to reach whatever hosts the proxy itself can reach.

Solution: Reconfigure the proxy so that it only accepts requests coming
from inside your network, and verify the change by requesting an external
URL through it from an outside address.

Risk factor : Low/Medium
Nessus ID : 10195
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) An HTTP proxy is running on this port
Nessus ID : 10330
Informational http (80/tcp) The remote web server type is :

squid/2.5.PRE13

Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.

Nessus ID : 10107
Vulnerability snmp (161/udp) The device answered to more than 4 community strings.
This may be a false positive, or the agent may not check the community
string at all (a 'community-less' SNMP server; HP printers, for example,
answer to all community strings). In either case anyone who can reach
161/udp can read the MIB without knowing a secret, and since this device
is a wireless access point (see the finding below) that includes its
configuration. Disable SNMP on the device or filter UDP port 161.

SNMP Agent responded as expected with community name: public
SNMP Agent responded as expected with community name: private
SNMP Agent responded as expected with community name: ilmi
SNMP Agent responded as expected with community name: ILMI
(If the target is a Cisco product, see http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml)
SNMP Agent responded as expected with community name: system
SNMP Agent responded as expected with community name: write
SNMP Agent responded as expected with community name: all
SNMP Agent responded as expected with community name: monitor
SNMP Agent responded as expected with community name: agent
SNMP Agent responded as expected with community name: manager
SNMP Agent responded as expected with community name: OrigEquipMfr
SNMP Agent responded as expected with community name: admin
SNMP Agent responded as expected with community name: default
SNMP Agent responded as expected with community name: password
SNMP Agent responded as expected with community name: tivoli
SNMP Agent responded as expected with community name: openview
SNMP Agent responded as expected with community name: community
SNMP Agent responded as expected with community name: snmp
SNMP Agent responded as expected with community name: snmpd
SNMP Agent responded as expected with community name: Secret C0de
SNMP Agent responded as expected with community name: security
SNMP Agent responded as expected with community name: all private
SNMP Agent responded as expected with community name: rmon
SNMP Agent responded as expected with community name: rmon_admin
SNMP Agent responded as expected with community name: hp_admin
SNMP Agent responded as expected with community name: NoGaH$@!
SNMP Agent responded as expected with community name: 0392a0
SNMP Agent responded as expected with community name: xyzzy
SNMP Agent responded as expected with community name: agent_steal
SNMP Agent responded as expected with community name: freekevin
SNMP Agent responded as expected with community name: fubar
SNMP Agent responded as expected with community name: secret
SNMP Agent responded as expected with community name: cisco
SNMP Agent responded as expected with community name: apc
SNMP Agent responded as expected with community name: ANYCOM
SNMP Agent responded as expected with community name: cable-docsis
SNMP Agent responded as expected with community name: c
SNMP Agent responded as expected with community name: cc
SNMP Agent responded as expected with community name: Cisco router
SNMP Agent responded as expected with community name: cascade
SNMP Agent responded as expected with community name: comcomcom
CVE : CAN-1999-0186
BID : 177
Nessus ID : 10264
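Both SNMP findings on 161/udp (the default 'public' community on 10.163.156.9 earlier in the report, and this device answering every community string tried) come down to one check: send an SNMPv1 GetRequest for sysDescr.0 under each candidate community and see whether a GetResponse comes back. The Python below is an added example, not Nessus code: it implements the BER encoding an SNMPv1 exchange needs and the probe loop, with the transport injected so that everything runs offline against a stand-in agent. The sysDescr strings fed to the stand-ins are copied from this report's own findings; the community list in the usage is a short constructed sample.

```python
"""SNMPv1 GetRequest/GetResponse BER codec and a community-string probe.

Added example, not Nessus code.  The transport is injected as
send(packet) -> reply bytes or None, so the logic runs offline against
fake_agent(); a real send() would be sock.sendto(packet, (host, 161)) with
a short timeout.  sysDescr strings below are copied from this report.
"""
SYS_DESCR = "1.3.6.1.2.1.1.1.0"        # sysDescr.0: the usual "does it answer?" object
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2  # SNMPv1 PDU tags (context-specific 0 and 2)

def _len(n):  # BER length: one byte below 128, else 0x80|N followed by N bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(v):  # INTEGER, minimal two's-complement encoding
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _as_int(body):
    return int.from_bytes(body, "big", signed=True)

def _oid(dotted):  # OBJECT IDENTIFIER: 40*a+b for the first two arcs, base-128 after
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(data, pos):  # returns (tag, body, position after the element)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def build_message(pdu_tag, community, request_id, varbinds):
    """varbinds: list of (dotted OID, already-encoded value TLV)."""
    vbl = b"".join(_tlv(0x30, _oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(0) + _tlv(0x04, community) + pdu)  # version 0 = SNMPv1

def build_get_request(community, oid, request_id):
    return build_message(GET_REQUEST, community, request_id, [(oid, _tlv(0x05, b""))])

def parse_message(data):
    """Decode an SNMPv1 message.  INTEGER values are decoded; others stay bytes."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    fields, pos = [], 0
    for _i in range(4):  # request-id, error-status, error-index, varbind list
        _, f, pos = _read_tlv(pdu, pos)
        fields.append(f)
    varbinds, pos = [], 0
    while pos < len(fields[3]):
        _, vb, pos = _read_tlv(fields[3], pos)
        _, oid, q = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, q)
        varbinds.append((_decode_oid(oid), _as_int(val) if vtag == 0x02 else val))
    return {"version": _as_int(ver), "community": community, "pdu_type": pdu_tag,
            "request_id": _as_int(fields[0]), "error_status": _as_int(fields[1]),
            "error_index": _as_int(fields[2]), "varbinds": varbinds}

def probe_communities(send, communities, oid=SYS_DESCR):
    """[(community, sysDescr)] for every community the agent answers.  A v1
    agent silently drops a request with a wrong community, so silence is the
    negative result; the request-id check discards stale or spoofed replies."""
    accepted = []
    for rid, community in enumerate(communities, start=1):
        reply = send(build_get_request(community, oid, rid))
        if reply is None:
            continue
        msg = parse_message(reply)
        if (msg["pdu_type"] == GET_RESPONSE and msg["request_id"] == rid
                and msg["error_status"] == 0 and msg["varbinds"]):
            accepted.append((community, msg["varbinds"][0][1]))
    return accepted

def fake_agent(accepts, sysdescr):
    """Offline stand-in for an agent: answers only communities that
    accepts(community) approves of, with the given sysDescr."""
    def send(packet):
        req = parse_message(packet)
        if req["pdu_type"] != GET_REQUEST or not accepts(req["community"]):
            return None
        return build_message(GET_RESPONSE, req["community"], req["request_id"],
                             [(req["varbinds"][0][0], _tlv(0x04, sysdescr))])
    return send
```

Usage: `probe_communities(fake_agent(lambda c: c == b"public", b"Windows 2000 Version 5.0"), [b"private", b"public"])` models 10.163.156.9 and returns only the 'public' hit; `fake_agent(lambda c: True, b"Base Station V3.81 Compatible")` models this access point and answers every community, which is exactly the pattern the finding describes. Against a real agent, send one request per community with a timeout and treat silence as rejection.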
Warning snmp (161/udp) A SNMP server is running on this host
Nessus ID : 10265
Informational snmp (161/udp) Using SNMP, we could determine that the remote operating system is :
Base Station V3.81 Compatible
Nessus ID : 10800
Warning general/tcp
The remote host is a Wireless Access Point.
You should ensure that the proper physical and logical controls exist
around the AP.

Risk factor : Medium/Low
Nessus ID : 11026


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.163.156.1 ssh (22/tcp) Security warning(s) found
10.163.156.1 ftp (21/tcp) Security notes found
10.163.156.1 http (80/tcp) Security hole found
10.163.156.1 general/tcp Security notes found
10.163.156.1 general/udp Security notes found


Security Issues and Fixes: 10.163.156.1
Type Port Issue and Fix
Warning ssh (22/tcp)
The remote SSH daemon accepts connections made using version 1.33
and/or 1.5 of the SSH protocol (the '1.99' in the banner below means
that both protocol 1 and protocol 2 are offered).

SSH protocol 1 has known cryptographic weaknesses (its CRC-32 integrity
check is not a real MAC, among others) and should not be used. The version
exchange is not authenticated, so offering both protocols lets an active
attacker force the weaker one on a client that would accept it.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2' in sshd_config
If you use SSH.com's sshd, set the option 'Ssh1Compatibility' to 'no'

Risk factor : Low
Nessus ID : 10882
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0

Nessus ID : 10881
Informational ssh (22/tcp) Remote SSH version : SSH-1.99-OpenSSH_3.5
Nessus ID : 10267
Informational ftp (21/tcp) The service closed the connection after 0 seconds without sending any data.
It might be protected by a TCP wrapper.

Nessus ID : 10330
Vulnerability http (80/tcp)
The remote proxy server seems to be ooops 1.4.6 or older.

This proxy is vulnerable to a buffer overflow that
allows an attacker to gain a shell on this host.

*** Note that this check made the remote proxy crash

Solution : Upgrade to the latest version of this software
Risk factor : High
CVE : CAN-2001-0029
BID : 2099
Nessus ID : 10578
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) An HTTP proxy is running on this port
Nessus ID : 10330
Informational general/tcp QueSO has found out that the remote host OS is
* FreeBSD, NetBSD, OpenBSD


CVE : CAN-1999-0454
Nessus ID : 10337
Informational general/udp For your information, here is the traceroute to 10.163.156.1 :
?
10.163.156.1

Nessus ID : 10287


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.163.155.6 ftp (21/tcp) Security notes found
10.163.155.6 http (80/tcp) Security hole found
10.163.155.6 loc-srv (135/tcp) Security warning(s) found
10.163.155.6 netbios-ssn (139/tcp) Security hole found
10.163.155.6 microsoft-ds (445/tcp) No Information
10.163.155.6 blackjack (1025/tcp) Security notes found
10.163.155.6 general/tcp Security notes found
10.163.155.6 general/udp Security notes found
10.163.155.6 netbios-ns (137/udp) Security warning(s) found
10.163.155.6 ms-term-serv (3389/tcp) Security notes found
10.163.155.6 unknown (1027/udp) Security notes found


Security Issues and Fixes: 10.163.155.6
Type Port Issue and Fix
Informational ftp (21/tcp) The service closed the connection after 0 seconds without sending any data.
It might be protected by a TCP wrapper.

Nessus ID : 10330
Vulnerability http (80/tcp) It was possible to kill the web server by
sending an invalid request with an overly long HTTP 1.1 header
(Accept-Encoding, Accept-Language, Accept-Range, Connection,
Expect, If-Match, If-None-Match, If-Range, If-Unmodified-Since,
Max-Forwards, TE, Host).

An attacker may exploit this vulnerability to make your web server
crash continually or even execute arbitrary code on your system.

Solution : upgrade your software or protect it with a filtering reverse proxy
Risk factor : High
Nessus ID : 11129
Warning http (80/tcp)
Your web server supports the TRACE and/or TRACK methods. TRACE returns the
request exactly as received, headers included, so a server that supports it
can be used for 'Cross-Site Tracing' (XST): combined with browser weaknesses,
an attacker can read cookies or HTTP authentication headers that script
cannot normally access.

An attacker may use this flaw to obtain your legitimate web users'
credentials.

Solution: Disable these methods.

Note that the server on this port identifies itself as a Squid proxy
(see the server-type note below), not Apache or IIS, so the configuration
advice below does not apply directly; restrict the allowed request methods
in the proxy's own access-control rules instead.

If you are using Apache, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

(Apache 1.3.34 and 2.0.55 or later also provide the TraceEnable directive
for this purpose.)

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy. TRACK is an IIS-specific alias of TRACE.



See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html

Risk factor : Medium
Nessus ID : 11213
Warning http (80/tcp) This proxy accepts requests from any source address (an
'open proxy'). An attacker can relay traffic through it, so the sites being
browsed see the requests as coming from your network, and can use it as a
pivot to reach whatever hosts the proxy itself can reach.

Solution: Reconfigure the proxy so that it only accepts requests coming
from inside your network, and verify the change by requesting an external
URL through it from an outside address.

Risk factor : Low/Medium
Nessus ID : 10195
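The TRACE/XST and open-proxy warnings, repeated for 10.163.155.3, 10.163.155.2 and this host, come down to two request/response checks. As an added example, which is neither Nessus code nor Squid's or Apache's, the Python below builds both requests and classifies the replies; the transport is injected as a function so that it runs offline against stand-in servers modelled on the findings (constructed, not captured traffic), and the host and URL names are placeholders.

```python
"""Probe logic for the two HTTP findings above: TRACE/XST and open proxy.

Added example, not Nessus code.  The transport is injected as
exchange(raw_request) -> raw_response so the builders and classifiers run
offline against the stand-in servers at the bottom; a real exchange would
send the bytes over a TCP socket to port 80 and read until close.  Host and
URL names are placeholders; the canned responses are constructed.
"""
import secrets


def build_trace_request(host, marker):
    """TRACE asks the server to return the request as it received it.  The
    X-Probe header carries a token we expect to see echoed in the body."""
    return ("TRACE / HTTP/1.1\r\nHost: %s\r\nX-Probe: %s\r\n"
            "Connection: close\r\n\r\n" % (host, marker)).encode()


def build_proxy_request(url):
    """An absolute URI on the request line asks the server to act as a
    forward proxy and fetch `url` on our behalf."""
    return ("GET %s HTTP/1.0\r\nConnection: close\r\n\r\n" % url).encode()


def parse_response(raw):
    """Split a raw HTTP response into (status, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def trace_enabled(exchange, host="www.example.test"):
    """True when TRACE is honoured: 200, a message/http body, our token echoed.
    A fresh token per probe stops a cached or canned body from passing."""
    marker = "xst-" + secrets.token_hex(8)
    status, headers, body = parse_response(exchange(build_trace_request(host, marker)))
    return (status == 200
            and headers.get(b"content-type", b"").startswith(b"message/http")
            and marker.encode() in body)


def open_proxy(exchange, url="http://www.example.test/"):
    """True when the server fetched an external URL for an arbitrary client.
    We require a 200 *and* a proxy marker (Via or X-Cache) so that an origin
    server that merely tolerates absolute URIs does not count.  Squid's
    refusal is a 403 carrying X-Squid-Error, which fails the status check."""
    status, headers, _ = parse_response(exchange(build_proxy_request(url)))
    return status == 200 and (b"via" in headers or b"x-cache" in headers)


# --- stand-in servers (constructed, not captured traffic) -------------------

def trace_echo_server(raw_request):
    """Behaves like a server with TRACE enabled: reflects the request verbatim."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
            b"Connection: close\r\n\r\n" + raw_request)


def canned(response):
    """exchange() that ignores the request and returns one fixed response."""
    return lambda raw_request: response


TRACE_DENIED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
PROXY_OPEN = (b"HTTP/1.0 200 OK\r\nServer: squid/2.5.PRE13\r\n"
              b"Via: 1.0 proxyhost (squid/2.5.PRE13)\r\nX-Cache: MISS from proxyhost\r\n"
              b"\r\n<html>fetched on your behalf</html>")
PROXY_DENIED = (b"HTTP/1.0 403 Forbidden\r\nServer: squid/2.5.PRE13\r\n"
                b"X-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r\n<html>Access Denied.</html>")
```

The open-proxy check is deliberately conservative: a 200 alone proves nothing, since an origin server may simply ignore the absolute URI and serve its own page. The definitive test, when you control an external host, is to request a URL on it and confirm the fetch arrives in that host's logs from the proxy's address.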
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) An HTTP proxy is running on this port
Nessus ID : 10330
Informational http (80/tcp) The remote web server type is :

squid/2.5.PRE13

Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.

Nessus ID : 10107
Informational http (80/tcp) This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by some information-gathering plugin
(consistent with the long-header finding above, which reports killing the server).

Nessus ID : 10919
Warning loc-srv (135/tcp)
DCE services running on the remote host can be enumerated
by connecting to port 135 (the endpoint mapper) and issuing
the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncalrpc[wzcsvc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncalrpc[OLE3]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_np:\\XP[\PIPE\atsvc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncalrpc[wzcsvc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncalrpc[OLE3]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_np:\\XP[\PIPE\atsvc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
Endpoint: ncalrpc[wzcsvc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
Endpoint: ncalrpc[OLE3]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
Endpoint: ncacn_np:\\XP[\PIPE\atsvc]

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[wzcsvc]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[OLE3]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\XP[\PIPE\atsvc]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\XP[\PIPE\AudioSrv]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\XP[\PIPE\wkssvc]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\XP[\PIPE\SECLOGON]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\XP[\pipe\trkwks]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[trkwks]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\XP[\PIPE\W32TIME]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\XP[\pipe\keysvc]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[keysvc]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[senssvc]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\XP[\PIPE\srvsvc]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[srrpc]
Annotation: Messenger Service

Nessus ID : 10736
Informational loc-srv (135/tcp) A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\XP[\PIPE\msgsvc]
Annotation: Messenger Service

Nessus ID : 10736
Vulnerability netbios-ssn (139/tcp)
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

. All the smb tests will be done as ''/'' in domain WORKGROUP
CVE : CVE-2000-0222
BID : 990
Nessus ID : 10394
Warning netbios-ssn (139/tcp) The domain SID can be obtained remotely. Its value is :

WORKGROUP : 0-0-0-0-0

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning netbios-ssn (139/tcp) The host SID can be obtained remotely. Its value is :

XP : 5-21-583907252-2111687655-1957994488

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning netbios-ssn (139/tcp) Here is the browse list of the remote host :

BENDER -
XP -


This is potentially dangerous, as it may help an attacker
by giving him extra targets to check.

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Informational netbios-ssn (139/tcp) The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.1
The remote SMB Domain Name is : WORKGROUP

Nessus ID : 10785
Informational blackjack (1025/tcp) A DCE service is listening on this port
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:10.163.155.6[1025]

Nessus ID : 10736
Informational blackjack (1025/tcp) A DCE service is listening on this port
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:10.163.155.6[1025]

Nessus ID : 10736
Informational blackjack (1025/tcp) A DCE service is listening on this port
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
Endpoint: ncacn_ip_tcp:10.163.155.6[1025]

Nessus ID : 10736
Informational blackjack (1025/tcp) A DCE service is listening on this port
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_ip_tcp:10.163.155.6[1025]
Annotation: Messenger Service

Nessus ID : 10736
Informational general/tcp QueSO has found out that the remote host OS is
* FreeBSD, NetBSD, OpenBSD


CVE : CAN-1999-0454
Nessus ID : 10337
Informational general/udp For your information, here is the traceroute to 10.163.155.6 :
?
10.163.155.6

Nessus ID : 10287
Warning netbios-ns (137/udp) . The following 7 NetBIOS names have been gathered :
XP = This is the computer name registered for workstation services by a WINS client.
WORKGROUP = Workgroup / Domain name
XP = Computer name that is registered for the messenger service on a computer that is a WINS client.
XP
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
WORKGROUP
__MSBROWSE__
. The remote host has the following MAC address on its adapter :
0x00 0x60 0x1d 0x21 0xa9 0x49

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
Nessus ID : 10150
Informational ms-term-serv (3389/tcp)
The Terminal Services are enabled on the remote host.

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host.


Solution : Disable the Terminal Services if you do not use them
Risk factor : Low
Nessus ID : 10940
Informational unknown (1027/udp) A DCE service is listening on this port
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:10.163.155.6[1027]
Annotation: Messenger Service

Nessus ID : 10736


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.163.156.205 rtmp (1/tcp) Security notes found
10.163.156.205 telnet (23/tcp) Security hole found
10.163.156.205 ftp (21/tcp) Security notes found
10.163.156.205 chargen (19/tcp) Security warning(s) found
10.163.156.205 daytime (13/tcp) Security warning(s) found
10.163.156.205 discard (9/tcp) No Information
10.163.156.205 echo (7/tcp) Security warning(s) found
10.163.156.205 smtp (25/tcp) Security hole found
10.163.156.205 time (37/tcp) Security notes found
10.163.156.205 finger (79/tcp) Security warning(s) found
10.163.156.205 sunrpc (111/tcp) Security notes found
10.163.156.205 exec (512/tcp) Security warning(s) found
10.163.156.205 printer (515/tcp) Security notes found
10.163.156.205 shell (514/tcp) Security warning(s) found
10.163.156.205 login (513/tcp) Security warning(s) found
10.163.156.205 ldaps (636/tcp) Security notes found
10.163.156.205 blackjack (1025/tcp) Security notes found
10.163.156.205 LSA-or-nterm (1026/tcp) Security hole found
10.163.156.205 kdm (1024/tcp) Security warning(s) found
10.163.156.205 ms-lsa (1029/tcp) No Information
10.163.156.205 esl-lm (1455/tcp) Security notes found
10.163.156.205 general/tcp Security notes found
10.163.156.205 blackjack (1025/udp) Security warning(s) found
10.163.156.205 sunrpc (111/udp) Security notes found
10.163.156.205 general/udp Security notes found
10.163.156.205 xdmcp (177/udp) Security warning(s) found
10.163.156.205 echo (7/udp) Security warning(s) found
10.163.156.205 daytime (13/udp) Security warning(s) found


Security Issues and Fixes: 10.163.156.205
Type Port Issue and Fix
Informational rtmp (1/tcp) An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 2d 53 65 72 76 69 63 65 20 6e 6f 74 20 61 76 61 -Service not ava
10: 69 6c 61 62 6c 65 0d 0a ilable..


Nessus ID : 11154
Vulnerability telnet (23/tcp)
The account 'guest' has the password guest
An attacker may use it to gain further privileges on this system

Risk factor : High
Solution : Set a password for this account or disable it
CVE : CAN-1999-0502
Nessus ID : 11256
Vulnerability telnet (23/tcp)
The account 'demos' has no password set.
An attacker may use it to gain further privileges on this system

Risk factor : High
Solution : Set a password for this account or disable it
CVE : CAN-1999-0502
Nessus ID : 11242
Vulnerability telnet (23/tcp)
The account 'EZsetup' has no password set.
An attacker may use it to gain further privileges on this system

Risk factor : High
Solution : Set a password for this account or disable it
CVE : CAN-1999-0502
Nessus ID : 11241
Vulnerability telnet (23/tcp)
The account 'root' has the password root
An attacker may use it to gain further privileges on this system

Risk factor : High
Solution : Set a password for this account or disable it
CVE : CAN-1999-0502
Nessus ID : 11255
Vulnerability telnet (23/tcp)
The account 'lp' has no password set.
An attacker may use it to gain further privileges on this system

Risk factor : High
Solution : Set a password for this account or disable it
CVE : CAN-1999-0502
Nessus ID : 11246
Warning telnet (23/tcp) The Telnet service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.

You should disable this service and use OpenSSH instead.
(www.openssh.com)

Solution : Comment out the 'telnet' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0619
Nessus ID : 10280
Informational telnet (23/tcp) A telnet server seems to be running on this port
Nessus ID : 10330
Informational telnet (23/tcp) Remote telnet banner :


IRIX (IRIS)

Nessus ID : 10281
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 IRIS.fr.nessus.org FTP server ready.
Nessus ID : 10330
Informational ftp (21/tcp) Remote FTP server banner :
220 IRIS.fr.nessus.org FTP server ready.
Nessus ID : 10092
Warning chargen (19/tcp) The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with some random characters (something
like all the characters in the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

An easy attack is 'pingpong' in which an attacker spoofs a packet between two
machines running chargen. This will cause them to spew characters at each
other, slowing the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10043
Informational chargen (19/tcp) Chargen is running on this port
Nessus ID : 10330
Warning daytime (13/tcp) The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Warning echo (7/tcp) The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Nessus ID : 10061
Informational echo (7/tcp) An echo server is running on this port
Nessus ID : 10330
Vulnerability smtp (25/tcp)
The remote sendmail server, according to its version number,
may be vulnerable to the -bt overflow attack which
allows any local user to execute arbitrary commands as root.

Solution : upgrade to the latest version of Sendmail
Risk factor : High
Note : This vulnerability is _local_ only
Nessus ID : 10809
Vulnerability smtp (25/tcp)
The remote sendmail server, according to its version number,
may be vulnerable to a buffer overflow in its DNS handling code.

The owner of a malicious name server could use this flaw
to execute arbitrary code on this host.


Solution : Upgrade to Sendmail 8.12.5
Risk factor : High
CVE : CAN-2002-0906
BID : 5122
Nessus ID : 11232
Warning smtp (25/tcp) The remote SMTP server
answers to the EXPN and/or VRFY commands.

The EXPN command can be used to find
the delivery address of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.


Your mailer should not allow remote users to
use any of these commands, because it gives
them too much information.


Solution : if you are using Sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.

Risk factor : Low
CVE : CAN-1999-0531
Nessus ID : 10249
Warning smtp (25/tcp)
The remote sendmail server, according to its version number,
might be vulnerable to a queue destruction when a local user
runs
sendmail -q -h1000

If your system does not allow users to process the queue (which
is the default), you are not vulnerable.

Solution : upgrade to the latest version of Sendmail or
do not allow users to process the queue (RestrictQRun option)
Risk factor : Low
Note : This vulnerability is _local_ only
CVE : CAN-2001-0714
BID : 3378
Nessus ID : 11087
Warning smtp (25/tcp)
According to the version number of the remote mail server,
a local user may be able to obtain the complete mail configuration
and other interesting information about the mail queue, even if
he is not allowed to access that information directly, by running
sendmail -q -d0-nnnn.xxx
where nnnn & xxx are debugging levels.

If users are not allowed to process the queue (which is the default)
then you are not vulnerable.

Solution : upgrade to the latest version of Sendmail or
do not allow users to process the queue (RestrictQRun option)
Risk factor : Very low / none
Note : This vulnerability is _local_ only
CVE : CAN-2001-0715
BID : 3898
Nessus ID : 11088
Informational smtp (25/tcp) An SMTP server is running on this port
Here is its banner :
220 IRIS.fr.nessus.org ESMTP Sendmail SGI-8.9.3/8.9.3; Fri, 21 Feb 2003 06:09:50 -0800 (PST)
Nessus ID : 10330
Informational smtp (25/tcp) Remote SMTP server banner :
220 IRIS.fr.nessus.org ESMTP Sendmail SGI-8.9.3/8.9.3; Fri, 21 Feb 2003 06:11:07 -0800 (PST)

Nessus ID : 10263
Informational smtp (25/tcp)
Nessus sent several emails containing the EICAR
test strings in them to the postmaster of
the remote SMTP server.

The EICAR test string is a fake virus which
triggers anti-viruses, in order to make sure
they run.

Nessus attempted to e-mail this string five times,
with different codings each time, in order to attempt
to fool the remote anti-virus (if any).


If there is an antivirus filter, these messages should
all be blocked.

*** To determine if the remote host is vulnerable, see
*** if any mail arrived to the postmaster of this host

Solution: Install an antivirus / upgrade it

Reference : http://online.securityfocus.com/archive/1/256619
Reference : http://online.securityfocus.com/archive/1/44301
Reference : http://online.securityfocus.com/links/188

Risk factor : Low
Nessus ID : 11034
Informational time (37/tcp) A time server seems to be running on this port
Nessus ID : 10330
Warning finger (79/tcp) The 'finger' service provides useful information
to attackers, since it allows them to gain usernames, check if a machine
is being used, and so on...

Risk factor : Low

Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612
Nessus ID : 10068
Informational finger (79/tcp) A finger server seems to be running on this port
Nessus ID : 10330
Informational sunrpc (111/tcp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Warning exec (512/tcp)
The rexecd service is open.
Because rexecd does not provide any good
means of authentication, it can be
used by an attacker to scan a third party
host, causing you trouble or bypassing
your firewall.

Solution : comment out the 'exec' line
in /etc/inetd.conf.

Risk factor : Medium
CVE : CAN-1999-0618
Nessus ID : 10203
Informational printer (515/tcp) A LPD server seems to be running on this port
Nessus ID : 10330
Warning shell (514/tcp) The rsh service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the rsh client
and the rsh server. This includes logins
and passwords.

You should disable this service and use ssh instead.

Solution : Comment out the 'rsh' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10245
Warning login (513/tcp) The rlogin service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the rlogin client
and the rlogin server. This includes logins
and passwords.

You should disable this service and use openssh instead
(www.openssh.com)

Solution : Comment out the 'rlogin' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10205
Informational ldaps (636/tcp) RPC program #391017 version 1 is running on this port
Nessus ID : 11111
Informational blackjack (1025/tcp) RPC program #391029 version 1 is running on this port
Nessus ID : 11111
Vulnerability LSA-or-nterm (1026/tcp)
The tooltalk RPC service is running.
A possible implementation fault in the
ToolTalk object database server may allow an
attacker to execute arbitrary commands as
root.

*** This warning may be a false
*** positive since the presence
*** of this vulnerability is only accurately
*** identified with local access.

Solution : Disable this service.
See also : CERT Advisory CA-98.11

Risk factor : High
CVE : CVE-1999-0003, CVE-1999-0693
BID : 122
Nessus ID : 10239
Vulnerability LSA-or-nterm (1026/tcp)
The tooltalk RPC service is running.

There is a format string bug in many versions
of this service, which allows an attacker to gain
root remotely.

In addition to this, several versions of this service
allow remote attackers to overwrite arbitrary memory
locations with a zero and possibly gain privileges
via a file descriptor argument in an AUTH_UNIX
procedure call which is used as a table index by the
_TT_ISCLOSE procedure.

*** This warning may be a false positive since the presence
*** of the bug was not verified locally.

Solution : Disable this service or patch it
See also : CERT Advisories CA-2001-27 and CA-2002-20

Risk factor : High
CVE : CAN-2002-0677, CVE-2001-0717, CVE-2002-0679
BID : 3382
Nessus ID : 10787
Informational LSA-or-nterm (1026/tcp) RPC program #100083 version 1 is running on this port
Nessus ID : 11111
Warning kdm (1024/tcp)
The fam RPC service is running.
Several versions of this service have
a well-known buffer overflow condition
that allows intruders to execute
arbitrary commands as root on this system.


Solution : disable this service in /etc/inetd.conf
More information : http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp
Risk factor : High
CVE : CVE-1999-0059
BID : 353
Nessus ID : 10216
Informational kdm (1024/tcp) RPC program #391002 version 1 'sgi_fam' (fam) is running on this port
Nessus ID : 11111
Informational kdm (1024/tcp) RPC program #391002 version 2 'sgi_fam' (fam) is running on this port
Nessus ID : 11111
Informational esl-lm (1455/tcp) The service closed the connection after 0 seconds without sending any data.
It might be protected by a TCP wrapper.

Nessus ID : 10330
Informational general/tcp QueSO has found out that the remote host OS is
* IRIX 6.x?


CVE : CAN-1999-0454
Nessus ID : 10337
Warning blackjack (1025/udp)
The rstatd RPC service is running.
It provides an attacker interesting
information such as :

- the CPU usage
- the system uptime
- its network usage
- and more

Usually, it is not a good idea to leave this
service open.


Risk factor : Low
CVE : CAN-1999-0624
Nessus ID : 10227
Informational blackjack (1025/udp) RPC program #100001 version 1 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Nessus ID : 11111
Informational blackjack (1025/udp) RPC program #100001 version 2 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Nessus ID : 11111
Informational blackjack (1025/udp) RPC program #100001 version 3 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational general/udp For your information, here is the traceroute to 10.163.156.205 :
10.163.156.205

Nessus ID : 10287
Warning xdmcp (177/udp)
The remote host is running XDMCP.

This protocol is used to provide X display connections for
X terminals. XDMCP is completely insecure, since the traffic and
passwords are not encrypted.

An attacker may use this flaw to capture all the keystrokes of
the users using this host through their X terminal, including
passwords.

Risk factor : Medium
Solution : Disable XDMCP
Nessus ID : 10891
Warning echo (7/udp) The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Nessus ID : 10061
Warning daytime (13/udp) The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.163.156.16 smtp (25/tcp) Security hole found
10.163.156.16 telnet (23/tcp) Security hole found
10.163.156.16 ftp (21/tcp) Security hole found
10.163.156.16 chargen (19/tcp) Security warning(s) found
10.163.156.16 daytime (13/tcp) Security warning(s) found
10.163.156.16 discard (9/tcp) No Information
10.163.156.16 echo (7/tcp) Security warning(s) found
10.163.156.16 time (37/tcp) Security notes found
10.163.156.16 finger (79/tcp) Security warning(s) found
10.163.156.16 sunrpc (111/tcp) Security notes found
10.163.156.16 login (513/tcp) Security warning(s) found
10.163.156.16 exec (512/tcp) Security warning(s) found
10.163.156.16 printer (515/tcp) Security notes found
10.163.156.16 shell (514/tcp) Security warning(s) found
10.163.156.16 uucp (540/tcp) Security notes found
10.163.156.16 xaudio (1103/tcp) No Information
10.163.156.16 general/tcp Security notes found
10.163.156.16 dtspc (6112/tcp) Security hole found
10.163.156.16 sunrpc (111/udp) Security notes found
10.163.156.16 sometimes-rpc8 (32772/udp) Security notes found
10.163.156.16 sometimes-rpc21 (32779/tcp) Security notes found
10.163.156.16 sometimes-rpc12 (32774/udp) Security notes found
10.163.156.16 sometimes-rpc14 (32775/udp) Security notes found
10.163.156.16 sometimes-rpc10 (32773/udp) Security notes found
10.163.156.16 unknown (32790/tcp) Security notes found
10.163.156.16 sometimes-rpc16 (32776/udp) Security notes found
10.163.156.16 unknown (32791/tcp) Security notes found
10.163.156.16 sometimes-rpc18 (32777/udp) Security notes found
10.163.156.16 sometimes-rpc20 (32778/udp) Security notes found
10.163.156.16 sometimes-rpc22 (32779/udp) Security notes found
10.163.156.16 lockd (4045/udp) Security notes found
10.163.156.16 unknown (32792/tcp) Security notes found
10.163.156.16 unknown (32793/tcp) Security notes found
10.163.156.16 sometimes-rpc24 (32780/udp) Security notes found
10.163.156.16 unknown (32794/tcp) Security notes found
10.163.156.16 lockd (4045/tcp) Security notes found
10.163.156.16 unknown (32812/udp) Security notes found
10.163.156.16 unknown (32795/tcp) Security notes found
10.163.156.16 unknown (32813/udp) Security notes found
10.163.156.16 unknown (32796/tcp) Security notes found
10.163.156.16 snmp (161/udp) Security hole found
10.163.156.16 xdmcp (177/udp) Security warning(s) found
10.163.156.16 general/udp Security notes found
10.163.156.16 font-service (7100/tcp) Security hole found
10.163.156.16 echo (7/udp) Security warning(s) found
10.163.156.16 daytime (13/udp) Security warning(s) found


Security Issues and Fixes: 10.163.156.16
Type Port Issue and Fix
Vulnerability smtp (25/tcp)

The remote SMTP server did not complain when issued the
command :
MAIL FROM: |testing

This probably means that it is possible to send mail
that will be bounced to a program, which is
a serious threat, since this allows anyone to execute
arbitrary commands on this host.

*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently

Solution : upgrade your MTA or change it.

Risk factor : High
CVE : CVE-1999-0203
BID : 2308
Nessus ID : 10258
Warning smtp (25/tcp) The remote SMTP server
answers to the EXPN and/or VRFY commands.

The EXPN command can be used to find
the delivery address of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.


Your mailer should not allow remote users to
use any of these commands, because it gives
them too much information.


Solution : if you are using Sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.

Risk factor : Low
CVE : CAN-1999-0531
Nessus ID : 10249
Warning smtp (25/tcp)
The remote SMTP server is vulnerable to a redirection
attack. That is, if a mail is sent to :

user@hostname1@victim

Then the remote SMTP server (victim) will happily send the
mail to :
user@hostname1

Using this flaw, an attacker may route a message
through your firewall, in order to exploit other
SMTP servers that cannot be reached from the
outside.

*** THIS WARNING MAY BE A FALSE POSITIVE, SINCE
SOME SMTP SERVERS LIKE POSTFIX WILL NOT
COMPLAIN BUT DROP THIS MESSAGE ***


Solution : if you are using sendmail, then at the top
of ruleset 98, in /etc/sendmail.cf, insert :
R$*@$*@$* $#error $@ 5.7.1 $: '551 Sorry, no redirections.'

Risk factor : Low
Nessus ID : 10250
Warning smtp (25/tcp) The remote SMTP server allows relaying. This means that
it allows spammers to use your mail server to send their mails to
the world, thus wasting your network bandwidth.

Risk factor : Low/Medium

Solution : configure your SMTP server so that it can't be used as a relay
any more.
CVE : CAN-1999-0512
Nessus ID : 10262
Warning smtp (25/tcp)
The remote SMTP server allows anyone to
use it as a mail relay, provided that the source address
is set to '<>'.
This problem allows any spammer to use your mail server
to spam the world, thus blacklisting your mailserver, and
using your network resources.

Risk factor : Medium

Solution : reconfigure this server properly
CVE : CVE-1999-0819
Nessus ID : 10167
Warning smtp (25/tcp)
The remote SMTP server seems to allow remote users to
send mail anonymously by providing arguments that are
too long to the HELO command (more than 1024 chars).

This problem may allow malicious users to send hate
mail or threatening mail using your server,
and keep their anonymity.

Risk factor : Low

Solution : If you are using sendmail, upgrade to
version 8.9.x or newer. If you do not run sendmail, contact
your vendor.
CVE : CAN-1999-0098
Nessus ID : 10260
Informational smtp (25/tcp) An unknown service is running on this port.
It is usually reserved for SMTP
Nessus ID : 10330
Informational smtp (25/tcp) Remote SMTP server banner :
220 unknown. Sendmail SMI-8.6/SMI-SVR4 ready at Fri, 21 Feb 2003 15:10:24 GMT

Nessus ID : 10263
Informational smtp (25/tcp) An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 32 32 30 20 75 6e 6b 6e 6f 77 6e 2e 20 53 65 6e 220 unknown. Sen
10: 64 6d 61 69 6c 20 53 4d 49 2d 38 2e 36 2f 53 4d dmail SMI-8.6/SM
20: 49 2d 53 56 52 34 20 72 65 61 64 79 20 61 74 20 I-SVR4 ready at
30: 46 72 69 2c 20 32 31 20 46 65 62 20 32 30 30 33 Fri, 21 Feb 2003
40: 20 31 35 3a 30 38 3a 33 38 20 47 4d 54 0d 0a 35 15:08:38 GMT..5
50: 30 30 20 43 6f 6d 6d 61 6e 64 20 75 6e 72 65 63 00 Command unrec
60: 6f 67 6e 69 7a 65 64 0d 0a 35 30 30 20 43 6f 6d ognized..500 Com
70: 6d 61 6e 64 20 75 6e 72 65 63 6f 67 6e 69 7a 65 mand unrecognize
80: 64 0d 0a d..


Nessus ID : 11154
Vulnerability telnet (23/tcp)
The remote /bin/login seems to crash when it receives too many
environment variables.

An attacker may use this flaw to gain a root shell on this system.

See also : http://www.cert.org/advisories/CA-2001-34.html
Solution : Contact your vendor for a patch (or read the CERT advisory)
Risk factor : High
CVE : CVE-2001-0797
BID : 3681
Nessus ID : 10827
Vulnerability telnet (23/tcp)
The Telnet server does not return an expected number of replies
when it receives a long sequence of 'Are You There' commands.
This probably means it overflows one of its internal buffers and
crashes. It is likely an attacker could abuse this bug to gain
control over the remote host's superuser.

For more information, see:
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz

Solution: Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : High
CVE : CVE-2001-0554
BID : 3064
Nessus ID : 10709
Vulnerability telnet (23/tcp) There is a bug in the remote /bin/login which
allows an attacker to gain a shell on this host, without
even sending a shell code.

An attacker may use this flaw to log in as any user
(except root) on the remote host.

Here is the output of the command 'cat /etc/passwd' :
cat /etc/passwd
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
renaud:x:100:1::/home/renaud:/bin/sh
$

Solution : See http://www.cert.org/advisories/CA-2001-34.html
Risk factor : High
CVE : CVE-2001-0797
BID : 3681
Nessus ID : 11136
Warning telnet (23/tcp) The Telnet service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.

You should disable this service and use OpenSSH instead.
(www.openssh.com)

Solution : Comment out the 'telnet' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0619
Nessus ID : 10280
Informational telnet (23/tcp) A telnet server seems to be running on this port
Nessus ID : 10330
Informational telnet (23/tcp) Remote telnet banner :

SunOS 5.6

Nessus ID : 10281
Vulnerability ftp (21/tcp) You seem to be running an FTP server which is vulnerable to the
'glob heap corruption' flaw.
An attacker may use this problem to execute arbitrary commands on this host.

*** Nessus relied solely on the banner of the server to issue this warning,
*** so this alert might be a false positive

Solution : Upgrade your ftp server software to the latest version.
Risk factor : High

CVE : CVE-2001-0550
BID : 3581
Nessus ID : 10821
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 unknown FTP server (SunOS 5.6) ready.
Nessus ID : 10330
Informational ftp (21/tcp) Remote FTP server banner :
220 unknown FTP server (SunOS 5.6) ready.
Nessus ID : 10092
Warning chargen (19/tcp) The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with some random characters (something
like all the characters in the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

An easy attack is 'pingpong' in which an attacker spoofs a packet between two
machines running chargen. This will cause them to spew characters at each
other, slowing the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10043
Informational chargen (19/tcp) Chargen is running on this port
Nessus ID : 10330
Warning daytime (13/tcp) The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Warning echo (7/tcp) The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Nessus ID : 10061
Informational echo (7/tcp) An echo server is running on this port
Nessus ID : 10330
Informational time (37/tcp) A time server seems to be running on this port
Nessus ID : 10330
Warning finger (79/tcp) The 'finger' service provides useful information
to attackers, since it allows them to gain usernames, check if a machine
is being used, and so on...

Risk factor : Low

Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612
Nessus ID : 10068
Warning finger (79/tcp) The remote finger daemon accepts
forwarded requests. That is, users can perform
requests like :
finger user@host@victim

This allows an attacker to use your computer
as a relay to gather information on another
network, making the other network think you
are making the requests.

Solution: disable your finger daemon (comment out
the finger line in /etc/inetd.conf) or
install a more secure one.

Risk factor : Low
CVE : CAN-1999-0105
Nessus ID : 10073
Warning finger (79/tcp) There is a bug in the finger service
which will make it display the list of the accounts that
have never been used, when anyone issues the request :

finger 'a b c d e f g h'@target

This list will help an attacker to guess the operating
system type. It will also tell him which accounts have
never been used, which will often make him focus his
attacks on these accounts.

Solution : disable the finger service in /etc/inetd.conf, or
apply the patches from Sun.

Risk factor : Medium
BID : 3457
Nessus ID : 10788
Informational finger (79/tcp) A finger server seems to be running on this port
Nessus ID : 10330
Informational sunrpc (111/tcp) RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sunrpc (111/tcp) RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sunrpc (111/tcp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Warning login (513/tcp) The rlogin service is running.
This service is dangerous in the sense that
it is not encrypted - that is, anyone able to observe the
traffic can sniff the data that passes between the rlogin client
and the rlogin server. This includes logins
and passwords.

You should disable this service and use OpenSSH instead.
(www.openssh.com)

Solution : Comment out the 'rlogin' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10205
Warning exec (512/tcp)
The rexecd service is open.
Because rexecd does not provide any good
means of authentication, it can be
used by an attacker to scan a third party
host, causing trouble for you or bypassing
your firewall.

Solution : comment out the 'exec' line
in /etc/inetd.conf.

Risk factor : Medium
CVE : CAN-1999-0618
Nessus ID : 10203
Informational printer (515/tcp) A LPD server seems to be running on this port
Nessus ID : 10330
Warning shell (514/tcp) The rsh service is running.
This service is dangerous in the sense that
it is not encrypted - that is, anyone able to observe the
traffic can sniff the data that passes between the rsh client
and the rsh server. This includes logins
and passwords.

You should disable this service and use ssh instead.

Solution : Comment out the 'rsh' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10245
Informational uucp (540/tcp) The service closed the connection after 0 seconds without sending any data.
It might be protected by some TCP wrapper.

Nessus ID : 10330
Informational general/tcp QueSO has found out that the remote host OS is
* Solaris 2.x

CVE : CAN-1999-0454
Nessus ID : 10337
Vulnerability dtspc (6112/tcp)
The 'dtspcd' service is running.

Some versions of this daemon are vulnerable to
a buffer overflow attack which allows an attacker
to gain root privileges

*** This warning might be a false positive,
*** as no real overflow was performed

Solution : See http://www.cert.org/advisories/CA-2001-31.html
to determine if you are vulnerable, or deactivate
this service (comment out the 'dtspc' line in /etc/inetd.conf).

Risk factor : High
CVE : CVE-2001-0803
BID : 3517
Nessus ID : 10833
Informational sunrpc (111/udp) RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Informational sometimes-rpc8 (32772/udp) RPC program #100300 version 3 'nisd' (rpc.nisd) is running on this port
Nessus ID : 11111
Informational sometimes-rpc21 (32779/tcp) RPC program #100300 version 3 'nisd' (rpc.nisd) is running on this port
Nessus ID : 11111
Informational sometimes-rpc12 (32774/udp) RPC program #100232 version 10 'sadmind' is running on this port
Nessus ID : 11111
Informational sometimes-rpc14 (32775/udp) RPC program #100011 version 1 'rquotad' (rquotaprog quota rquota) is running on this port
Nessus ID : 11111
Informational sometimes-rpc10 (32773/udp) RPC program #100024 version 1 'status' is running on this port
Nessus ID : 11111
Informational unknown (32790/tcp) RPC program #100024 version 1 'status' is running on this port
Nessus ID : 11111
Informational sometimes-rpc16 (32776/udp) RPC program #100002 version 2 'rusersd' (rusers) is running on this port
Nessus ID : 11111
Informational sometimes-rpc16 (32776/udp) RPC program #100002 version 3 'rusersd' (rusers) is running on this port
Nessus ID : 11111
Informational unknown (32791/tcp) RPC program #100002 version 2 'rusersd' (rusers) is running on this port
Nessus ID : 11111
Informational unknown (32791/tcp) RPC program #100002 version 3 'rusersd' (rusers) is running on this port
Nessus ID : 11111
Informational sometimes-rpc18 (32777/udp) RPC program #100012 version 1 'sprayd' (spray) is running on this port
Nessus ID : 11111
Informational sometimes-rpc20 (32778/udp) RPC program #100008 version 1 'walld' (rwall shutdown) is running on this port
Nessus ID : 11111
Informational sometimes-rpc22 (32779/udp) RPC program #100001 version 2 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Nessus ID : 11111
Informational sometimes-rpc22 (32779/udp) RPC program #100001 version 3 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Nessus ID : 11111
Informational sometimes-rpc22 (32779/udp) RPC program #100001 version 4 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Nessus ID : 11111
Informational lockd (4045/udp) RPC program #100021 version 1 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/udp) RPC program #100021 version 2 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/udp) RPC program #100021 version 3 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/udp) RPC program #100021 version 4 'nlockmgr' is running on this port
Nessus ID : 11111
Informational unknown (32792/tcp) RPC program #100221 version 1 is running on this port
Nessus ID : 11111
Informational unknown (32793/tcp) RPC program #100235 version 1 is running on this port
Nessus ID : 11111
Informational sometimes-rpc24 (32780/udp) RPC program #100068 version 2 is running on this port
Nessus ID : 11111
Informational sometimes-rpc24 (32780/udp) RPC program #100068 version 3 is running on this port
Nessus ID : 11111
Informational sometimes-rpc24 (32780/udp) RPC program #100068 version 4 is running on this port
Nessus ID : 11111
Informational sometimes-rpc24 (32780/udp) RPC program #100068 version 5 is running on this port
Nessus ID : 11111
Informational unknown (32794/tcp) RPC program #100083 version 1 is running on this port
Nessus ID : 11111
Informational lockd (4045/tcp) RPC program #100021 version 1 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/tcp) RPC program #100021 version 2 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/tcp) RPC program #100021 version 3 'nlockmgr' is running on this port
Nessus ID : 11111
Informational lockd (4045/tcp) RPC program #100021 version 4 'nlockmgr' is running on this port
Nessus ID : 11111
Informational unknown (32812/udp) RPC program #300598 version 1 is running on this port
Nessus ID : 11111
Informational unknown (32812/udp) RPC program #805306368 version 1 is running on this port
Nessus ID : 11111
Informational unknown (32795/tcp) RPC program #300598 version 1 is running on this port
Nessus ID : 11111
Informational unknown (32795/tcp) RPC program #805306368 version 1 is running on this port
Nessus ID : 11111
Informational unknown (32813/udp) RPC program #100249 version 1 is running on this port
Nessus ID : 11111
Informational unknown (32796/tcp) RPC program #100249 version 1 is running on this port
Nessus ID : 11111
Vulnerability snmp (161/udp)
SNMP Agent responded as expected with community name: public
SNMP Agent responded as expected with community name: private
SNMP Agent responded as expected with community name: all private
CVE : CAN-1999-0186
BID : 177
Nessus ID : 10264
Warning snmp (161/udp) It was possible to obtain the list of network interfaces of the
remote host via SNMP :

. /etc/snmp/conf/snmpdx.rsrc
. /etc/snmp/conf

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port.
Risk factor : Low
Nessus ID : 10551
Warning xdmcp (177/udp)
The remote host is running XDMCP.

This protocol is used to provide X display connections for
X terminals. XDMCP is completely insecure, since the traffic and
passwords are not encrypted.

An attacker may use this flaw to capture all the keystrokes of
the users using this host through their X terminal, including
passwords.

Risk factor : Medium
Solution : Disable XDMCP
Nessus ID : 10891
Informational general/udp For your information, here is the traceroute to 10.163.156.16 :
?
10.163.156.16

Nessus ID : 10287
Vulnerability font-service (7100/tcp)
The remote X Font Service (xfs) might be vulnerable to a buffer
overflow.

An attacker may use this flaw to gain root on this host
remotely.

*** Note that Nessus did not actually check for the flaw
*** as details about this vulnerability are still unknown

Solution : See CERT Advisory CA-2002-34
Risk factor : High
CVE : CAN-2002-1317
Nessus ID : 11188
Warning echo (7/udp) The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Nessus ID : 10061
Warning daytime (13/udp) The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052

This file was generated by Nessus, the open-sourced security scanner.