Nessus Scan Report

Business Network Solutions Vulnerability Scan Report

This report gives details on hosts that were tested and issues that were found.
Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which where alive and responding during test	9
Number of security holes found	54
Number of security warnings found	113

Host List
Host(s)	Possible Issue
10.163.156.10	Security hole(s) found
10.163.156.9	Security hole(s) found
10.163.155.4	Security hole(s) found
10.163.155.3	Security hole(s) found
10.163.155.2	Security hole(s) found
10.163.156.1	Security hole(s) found
10.163.155.6	Security hole(s) found
10.163.156.205	Security hole(s) found
10.163.156.16	Security hole(s) found

[ return to top ]

Analysis of Host
Address of Host	Port/Service	Issue regarding Port
10.163.156.10	echo (7/tcp)	Security warning(s) found
10.163.156.10	telnet (23/tcp)	Security hole found
10.163.156.10	ssh (22/tcp)	Security hole found
10.163.156.10	ftp (21/tcp)	Security hole found
10.163.156.10	chargen (19/tcp)	Security warning(s) found
10.163.156.10	daytime (13/tcp)	Security warning(s) found
10.163.156.10	discard (9/tcp)	No Information
10.163.156.10	smtp (25/tcp)	Security hole found
10.163.156.10	time (37/tcp)	Security notes found
10.163.156.10	finger (79/tcp)	Security warning(s) found
10.163.156.10	sunrpc (111/tcp)	Security notes found
10.163.156.10	login (513/tcp)	Security warning(s) found
10.163.156.10	exec (512/tcp)	Security warning(s) found
10.163.156.10	printer (515/tcp)	Security notes found
10.163.156.10	shell (514/tcp)	Security warning(s) found
10.163.156.10	uucp (540/tcp)	Security notes found
10.163.156.10	sometimes-rpc16 (32776/udp)	Security warning(s) found
10.163.156.10	sometimes-rpc14 (32775/udp)	Security warning(s) found
10.163.156.10	sometimes-rpc10 (32773/udp)	Security hole found
10.163.156.10	lockd (4045/udp)	Security warning(s) found
10.163.156.10	snmp (161/udp)	Security hole found
10.163.156.10	sometimes-rpc22 (32779/udp)	Security hole found
10.163.156.10	general/tcp	Security notes found
10.163.156.10	sometimes-rpc18 (32777/udp)	Security hole found
10.163.156.10	sometimes-rpc20 (32778/udp)	Security warning(s) found
10.163.156.10	dtspc (6112/tcp)	Security hole found
10.163.156.10	sometimes-rpc13 (32775/tcp)	Security hole found
10.163.156.10	sometimes-rpc9 (32773/tcp)	Security hole found
10.163.156.10	sunrpc (111/udp)	Security notes found
10.163.156.10	sometimes-rpc8 (32772/udp)	Security notes found
10.163.156.10	sometimes-rpc5 (32771/tcp)	Security notes found
10.163.156.10	sometimes-rpc12 (32774/udp)	Security warning(s) found
10.163.156.10	sometimes-rpc7 (32772/tcp)	Security notes found
10.163.156.10	sometimes-rpc11 (32774/tcp)	Security notes found
10.163.156.10	lockd (4045/tcp)	Security notes found
10.163.156.10	sometimes-rpc24 (32780/udp)	Security warning(s) found
10.163.156.10	sometimes-rpc15 (32776/tcp)	Security notes found
10.163.156.10	unknown (32785/udp)	Security notes found
10.163.156.10	sometimes-rpc19 (32778/tcp)	Security hole found
10.163.156.10	unknown (32788/udp)	Security notes found
10.163.156.10	sometimes-rpc21 (32779/tcp)	Security notes found
10.163.156.10	xdmcp (177/udp)	Security warning(s) found
10.163.156.10	font-service (7100/tcp)	Security hole found
10.163.156.10	echo (7/udp)	Security warning(s) found
10.163.156.10	daytime (13/udp)	Security warning(s) found

Security Issues and Fixes: 10.163.156.10
Type	Port	Issue and Fix
Warning	echo (7/tcp)	The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service. Risk factor : Low Solution : comment out 'echo' in /etc/inetd.conf CVE : CVE-1999-0103 Nessus ID : 10061
Informational	echo (7/tcp)	An echo server is running on this port Nessus ID : 10330
Vulnerability	telnet (23/tcp)	The Telnet server does not return an expected number of replies when it receives a long sequence of 'Are You There' commands. This probably means it overflows one of its internal buffers and crashes. It is likely an attacker could abuse this bug to gain control over the remote host's superuser. For more information, see: http://www.team-teso.net/advisories/teso-advisory-011.tar.gz Solution: Comment out the 'telnet' line in /etc/inetd.conf. Risk factor : High CVE : CVE-2001-0554 BID : 3064 Nessus ID : 10709
Vulnerability	telnet (23/tcp)	It is possible to reboot the remote host by connecting to the telnet port and providing a bad username and password. This vulnerability is documented as Cisco Bug ID CSCdw81244. An attacker may use this flaw to prevent your access point from working properly. Solution : http://www.cisco.com/warp/public/707/Aironet-Telnet.shtml Risk factor : High CVE : CAN-2002-0545 BID : 4461 Nessus ID : 11014
Warning	telnet (23/tcp)	The Telnet service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the telnet client and the telnet server. This includes logins and passwords. You should disable this service and use OpenSSH instead. (www.openssh.com) Solution : Comment out the 'telnet' line in /etc/inetd.conf. Risk factor : Low CVE : CAN-1999-0619 Nessus ID : 10280
Informational	telnet (23/tcp)	A telnet server seems to be running on this port Nessus ID : 10330
Informational	telnet (23/tcp)	Remote telnet banner : SunOS 5.8 Nessus ID : 10281
Vulnerability	ssh (22/tcp)	You are running a version of OpenSSH which is older than 3.4 There is a flaw in this version that can be exploited remotely to give an attacker a shell on this host. Note that several distribution patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive. If you are running a RedHat host, make sure that the command : rpm -q openssh-server Returns : openssh-server-3.1p1-6 Solution : Upgrade to OpenSSH 3.4 or contact your vendor for a patch Risk factor : High CVE : CAN-2002-0639, CAN-2002-0640 BID : 5093 Nessus ID : 11031
Vulnerability	ssh (22/tcp)	You are running a version of OpenSSH which is older than 3.0.2. Versions prior than 3.0.2 are vulnerable to an environment variables export that can allow a local user to execute command with root privileges. This problem affect only versions prior than 3.0.2, and when the UseLogin feature is enabled (usually disabled by default) Solution : Upgrade to OpenSSH 3.0.2 or apply the patch for prior versions. (Available at: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH) Risk factor : High (If UseLogin is enabled, and locally) CVE : CVE-2001-0872 BID : 3614 Nessus ID : 10823
Vulnerability	ssh (22/tcp)	You are running a version of OpenSSH which is older than 3.0.1. Versions older than 3.0.1 are vulnerable to a flaw in which an attacker may authenticate, provided that Kerberos V support has been enabled (which is not the case by default). It is also vulnerable as an excessive memory clearing bug, believed to be unexploitable. * You may ignore this warning if this host is not using * Kerberos V Solution : Upgrade to OpenSSH 3.0.1 Risk factor : Low (if you are not using Kerberos) or High (if kerberos is enabled) CVE : CVE-2002-0083 BID : 3560, 4560, 4241 Nessus ID : 10802
Vulnerability	ssh (22/tcp)	You are running a version of OpenSSH older than OpenSSH 3.2.1 A buffer overflow exists in the daemon if AFS is enabled on your system, or if the options KerberosTgtPassing or AFSTokenPassing are enabled. Even in this scenario, the vulnerability may be avoided by enabling UsePrivilegeSeparation. Versions prior to 2.9.9 are vulnerable to a remote root exploit. Versions prior to 3.2.1 are vulnerable to a local root exploit. Solution : Upgrade to the latest version of OpenSSH Risk factor : High CVE : CAN-2002-0575 BID : 4560 Nessus ID : 10954
Warning	ssh (22/tcp)	The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used. Solution : If you use OpenSSH, set the option 'Protocol' to '2' If you use SSH.com's set the option 'Ssh1Compatibility' to 'no' Risk factor : Low Nessus ID : 10882
Informational	ssh (22/tcp)	An ssh server is running on this port Nessus ID : 10330
Informational	ssh (22/tcp)	The remote SSH daemon supports the following versions of the SSH protocol : . 1.33 . 1.5 . 1.99 . 2.0 Nessus ID : 10881
Informational	ssh (22/tcp)	Remote SSH version : SSH-1.99-OpenSSH_2.3.0p1 Nessus ID : 10267
Vulnerability	ftp (21/tcp)	The remote FTP server seems to be vulnerable to an exhaustion attack which may makes it consume all available memory on the remote host when it receives the command : NLST /..//..//..//..//..//..//..//..//../*/../ Solution : upgrade to ProFTPd 1.2.2 if the remote server is proftpd, or contact your vendor for a patch. Reference : http://online.securityfocus.com/archive/1/169069 Risk factor : High Nessus ID : 10634
Vulnerability	ftp (21/tcp)	You seem to be running an FTP server which is vulnerable to the 'glob heap corruption' flaw, which is known to be exploitable remotely against this server. An attacker may use this flaw to execute arbitrary commands on this host. Solution: Upgrade your ftp server software to the latest version. Risk factor : High CVE : CVE-2001-0550 BID : 3581 Nessus ID : 10821
Warning	ftp (21/tcp)	This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles. Under most Unix system, doing : echo ftp >> /etc/ftpusers will correct this. Risk factor : Low CVE : CAN-1999-0497 Nessus ID : 10079
Warning	ftp (21/tcp)	It is possible to gather the real path of the public area of the ftp server (like /home/ftp) by issuing the following command : CWD This problem may help an attacker to find where to put a .rhost file using other security flaws. Risk factor : Low CVE : CVE-1999-0201 Nessus ID : 10087
Warning	ftp (21/tcp)	The remote FTP server allows users to make any amount of PASV commands, thus blocking the free ports for legitimate services and consuming file descriptors. Solution: upgrade your FTP server to a version which solves this problem. Risk factor : Medium CVE : CVE-1999-0079 BID : 271 Nessus ID : 10085
Informational	ftp (21/tcp)	An FTP server is running on this port. Here is its banner : 220 unknown FTP server (SunOS 5.8) ready. Nessus ID : 10330
Informational	ftp (21/tcp)	Remote FTP server banner : 220 unknown FTP server (SunOS 5.8) ready. Nessus ID : 10092
Warning	chargen (19/tcp)	The chargen service is running. The 'chargen' service should only be enabled when testing the machine. When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. An easy attack is 'pingpong' in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10043
Informational	chargen (19/tcp)	Chargen is running on this port Nessus ID : 10330
Warning	daytime (13/tcp)	The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10052
Vulnerability	smtp (25/tcp)	The remote sendmail server, according to its version number, may be vulnerable to the -bt overflow attack which allows any local user to execute arbitrary commands as root. Solution : upgrade to the latest version of Sendmail Risk factor : High Note : This vulnerability is _local_ only Nessus ID : 10809
Vulnerability	smtp (25/tcp)	The remote sendmail server, according to its version number, may be vulnerable to a buffer overflow its DNS handling code. The owner of a malicious name server could use this flaw to execute arbitrary code on this host. Solution : Upgrade to Sendmail 8.12.5 Risk factor : High CVE : CAN-2002-0906 BID : 5122 Nessus ID : 11232
Warning	smtp (25/tcp)	The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information. Solution : if you are using Sendmail, add the option O PrivacyOptions=goaway in /etc/sendmail.cf. Risk factor : Low CVE : CAN-1999-0531 Nessus ID : 10249
Warning	smtp (25/tcp)	The remote SMTP server is vulnerable to a redirection attack. That is, if a mail is sent to : user@hostname1@victim Then the remote SMTP server (victim) will happily send the mail to : user@hostname1 Using this flaw, an attacker may route a message through your firewall, in order to exploit other SMTP servers that can not be reached from the outside. * THIS WARNING MAY BE A FALSE POSITIVE, SINCE SOME SMTP SERVERS LIKE POSTFIX WILL NOT COMPLAIN BUT DROP THIS MESSAGE * Solution : if you are using sendmail, then at the top of ruleset 98, in /etc/sendmail.cf, insert : R$@$@$* $#error $@ 5.7.1 $: '551 Sorry, no redirections.' Risk factor : Low Nessus ID : 10250
Warning	smtp (25/tcp)	The remote SMTP server allows the relaying. This means that it allows spammers to use your mail server to send their mails to the world, thus wasting your network bandwidth. Risk factor : Low/Medium Solution : configure your SMTP server so that it can't be used as a relay any more. CVE : CAN-1999-0512 Nessus ID : 10262
Warning	smtp (25/tcp)	The remote SMTP server allows anyone to use it as a mail relay, provided that the source address is set to '<>'. This problem allows any spammer to use your mail server to spam the world, thus blacklisting your mailserver, and using your network resources. Risk factor : Medium Solution : reconfigure this server properly CVE : CVE-1999-0819 Nessus ID : 10167
Warning	smtp (25/tcp)	The remote sendmail server, according to its version number, might be vulnerable to a queue destruction when a local user runs sendmail -q -h1000 If you system does not allow users to process the queue (which is the default), you are not vulnerable. Solution : upgrade to the latest version of Sendmail or do not allow users to process the queue (RestrictQRun option) Risk factor : Low Note : This vulnerability is _local_ only CVE : CAN-2001-0714 BID : 3378 Nessus ID : 11087
Warning	smtp (25/tcp)	According to the version number of the remote mail server, a local user may be able to obtain the complete mail configuration and other interesting information about the mail queue even if he is not allowed to access those information directly, by running sendmail -q -d0-nnnn.xxx where nnnn & xxx are debugging levels. If users are not allowed to process the queue (which is the default) then you are not vulnerable. Solution : upgrade to the latest version of Sendmail or do not allow users to process the queue (RestrictQRun option) Risk factor : Very low / none Note : This vulnerability is _local_ only CVE : CAN-2001-0715 BID : 3898 Nessus ID : 11088
Informational	smtp (25/tcp)	An SMTP server is running on this port Here is its banner : 220 sparky.fr.nessus.org ESMTP Sendmail 8.9.3+Sun/8.9.3; Fri, 21 Feb 2003 15:53:28 GMT Nessus ID : 10330
Informational	smtp (25/tcp)	Remote SMTP server banner : 220 sparky.fr.nessus.org ESMTP Sendmail 8.9.3+Sun/8.9.3; Fri, 21 Feb 2003 15:54:20 GMT Nessus ID : 10263
Informational	time (37/tcp)	A time server seems to be running on this port Nessus ID : 10330
Warning	finger (79/tcp)	The 'finger' service provides useful information to attackers, since it allow them to gain usernames, check if a machine is being used, and so on... Risk factor : Low Solution : comment out the 'finger' line in /etc/inetd.conf CVE : CVE-1999-0612 Nessus ID : 10068
Warning	finger (79/tcp)	The remote finger daemon accepts to redirect requests. That is, users can perform requests like : finger user@host@victim This allows an attacker to use your computer as a relay to gather information on another network, making the other network think you are making the requests. Solution: disable your finger daemon (comment out the finger line in /etc/inetd.conf) or install a more secure one. Risk factor : Low CVE : CAN-1999-0105 Nessus ID : 10073
Warning	finger (79/tcp)	There is a bug in the finger service which will make it display the list of the accounts that have never been used, when anyone issues the request : finger 'a b c d e f g h'@target This list will help an attacker to guess the operating system type. It will also tell him which accounts have never been used, which will often make him focus his attacks on these accounts. Solution : disable the finger service in /etc/inetd.conf, or apply the patches from Sun. Risk factor : Medium BID : 3457 Nessus ID : 10788
Informational	finger (79/tcp)	A finger server seems to be running on this port Nessus ID : 10330
Informational	sunrpc (111/tcp)	RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sunrpc (111/tcp)	RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sunrpc (111/tcp)	RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Warning	login (513/tcp)	The rlogin service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rlogin client and the rlogin server. This includes logins and passwords. You should disable this service and use openssh instead (www.openssh.com) Solution : Comment out the 'rlogin' line in /etc/inetd.conf. Risk factor : Low CVE : CAN-1999-0651 Nessus ID : 10205
Warning	exec (512/tcp)	The rexecd service is open. Because rexecd does not provide any good means of authentication, it can be used by an attacker to scan a third party host, giving you troubles or bypassing your firewall. Solution : comment out the 'exec' line in /etc/inetd.conf. Risk factor : Medium CVE : CAN-1999-0618 Nessus ID : 10203
Informational	printer (515/tcp)	A LPD server seems to be running on this port Nessus ID : 10330
Warning	shell (514/tcp)	The rsh service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords. You should disable this service and use ssh instead. Solution : Comment out the 'rsh' line in /etc/inetd.conf. Risk factor : Low CVE : CAN-1999-0651 Nessus ID : 10245
Informational	uucp (540/tcp)	An UUCP server seems to be running on this port Nessus ID : 10330
Warning	sometimes-rpc16 (32776/udp)	The sprayd RPC service is running. If you do not use this service, then disable it as it may become a security threat in the future, if a vulnerability is discovered. Risk factor : Low CVE : CAN-1999-0613 Nessus ID : 10234
Informational	sometimes-rpc16 (32776/udp)	RPC program #100012 version 1 'sprayd' (spray) is running on this port Nessus ID : 11111
Warning	sometimes-rpc14 (32775/udp)	The rusersd RPC service is running. It provides an attacker interesting information such as how often the system is being used, the names of the users, and so on. It usually not a good idea to leave this service open. Risk factor : Low CVE : CVE-1999-0626 Nessus ID : 10228
Informational	sometimes-rpc14 (32775/udp)	RPC program #100002 version 2 'rusersd' (rusers) is running on this port Nessus ID : 11111
Informational	sometimes-rpc14 (32775/udp)	RPC program #100002 version 3 'rusersd' (rusers) is running on this port Nessus ID : 11111
Vulnerability	sometimes-rpc10 (32773/udp)	The sadmin RPC service is running. There is a bug in Solaris versions of this service that allow an intruder to execute arbitrary commands on your system. Solution : disable this service Risk factor : High CVE : CVE-1999-0977 BID : 866 Nessus ID : 10229
Informational	sometimes-rpc10 (32773/udp)	RPC program #100232 version 10 'sadmind' is running on this port Nessus ID : 11111
Warning	lockd (4045/udp)	The nlockmgr RPC service is running. If you do not use this service, then disable it as it may become a security threat in the future, if a vulnerability is discovered. Risk factor : Low CVE : CVE-2000-0508 BID : 1372 Nessus ID : 10220
Informational	lockd (4045/udp)	RPC program #100021 version 1 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/udp)	RPC program #100021 version 2 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/udp)	RPC program #100021 version 3 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/udp)	RPC program #100021 version 4 'nlockmgr' is running on this port Nessus ID : 11111
Vulnerability	snmp (161/udp)	The device answered to more than 4 community strings. This may be a false positive or a community-less SNMP server HP printers answer to all community strings. SNMP Agent responded as expected with community name: public SNMP Agent responded as expected with community name: private SNMP Agent responded as expected with community name: write SNMP Agent responded as expected with community name: all SNMP Agent responded as expected with community name: monitor SNMP Agent responded as expected with community name: agent SNMP Agent responded as expected with community name: manager SNMP Agent responded as expected with community name: OrigEquipMfr SNMP Agent responded as expected with community name: admin SNMP Agent responded as expected with community name: default SNMP Agent responded as expected with community name: password SNMP Agent responded as expected with community name: tivoli SNMP Agent responded as expected with community name: openview SNMP Agent responded as expected with community name: community SNMP Agent responded as expected with community name: snmp SNMP Agent responded as expected with community name: snmpd SNMP Agent responded as expected with community name: Secret C0de SNMP Agent responded as expected with community name: security SNMP Agent responded as expected with community name: all private SNMP Agent responded as expected with community name: rmon SNMP Agent responded as expected with community name: rmon_admin SNMP Agent responded as expected with community name: hp_admin SNMP Agent responded as expected with community name: NoGaH$@! SNMP Agent responded as expected with community name: 0392a0 SNMP Agent responded as expected with community name: xyzzy SNMP Agent responded as expected with community name: agent_steal SNMP Agent responded as expected with community name: freekevin SNMP Agent responded as expected with community name: fubar SNMP Agent responded as expected with community name: secret SNMP Agent responded as expected with community name: cisco SNMP Agent responded as expected with community name: apc SNMP Agent responded as expected with community name: ANYCOM SNMP Agent responded as expected with community name: cable-docsis SNMP Agent responded as expected with community name: c SNMP Agent responded as expected with community name: cc SNMP Agent responded as expected with community name: Cisco router SNMP Agent responded as expected with community name: cascade SNMP Agent responded as expected with community name: comcomcom CVE : CAN-1999-0186 BID : 177 Nessus ID : 10264
Vulnerability	snmp (161/udp)	It was possible to disable the remote SNMP daemon by sending a malformed packet advertising bogus length fields. An attacker may use this flaw to prevent you from using SNMP to administer your network (or use other flaws to execute arbitrary code with the privileges of the SNMP daemon) Solution : see www.cert.org/advisories/CA-2002-03.html Risk factor : High CVE : CAN-2002-0013 Nessus ID : 10857
Warning	snmp (161/udp)	A SNMP server is running on this host Nessus ID : 10265
Informational	snmp (161/udp)	Using SNMP, we could determine that the remote operating system is : Sun SNMP Agent, Ultra-1 Nessus ID : 10800
Vulnerability	sometimes-rpc22 (32779/udp)	The cmsd RPC service is running. This service has a long history of security holes, so you should really know what you are doing if you decide to let it run. * NO SECURITY HOLE REGARDING THIS PROGRAM HAS BEEN TESTED, SO THIS MIGHT BE A FALSE POSITIVE * We suggest that you disable this service. Risk factor : High CVE : CVE-1999-0320, CVE-1999-0696 BID : 428 Nessus ID : 10213
Informational	sometimes-rpc22 (32779/udp)	RPC program #100068 version 2 is running on this port Nessus ID : 11111
Informational	sometimes-rpc22 (32779/udp)	RPC program #100068 version 3 is running on this port Nessus ID : 11111
Informational	sometimes-rpc22 (32779/udp)	RPC program #100068 version 4 is running on this port Nessus ID : 11111
Informational	sometimes-rpc22 (32779/udp)	RPC program #100068 version 5 is running on this port Nessus ID : 11111
Informational	general/tcp	QueSO has found out that the remote host OS is * Standard: Solaris 2.x, Linux 2.1.???, Linux 2.2, MacOS CVE : CAN-1999-0454 Nessus ID : 10337
Vulnerability	sometimes-rpc18 (32777/udp)	The rpc.walld RPC service is running. Some versions of this server allow an attacker to gain root access remotely, by consuming the resources of the remote host then sending a specially formed packet with format strings to this host. Solaris 2.5.1, 2.6, 7 and 8 are vulnerable to this issue. Other operating systems might be affected as well. * Nessus did not check for this vulnerability, * so this might be a false positive Solution : Deactivate this service. Risk factor : High CVE : CAN-2002-0573 BID : 4639 Nessus ID : 10950
Warning	sometimes-rpc18 (32777/udp)	The walld RPC service is running. It is usually used by the administrator to tell something to the users of a network by making a message appear on their screen. Since this service lacks any kind of authentication, an attacker may use it to trick users into doing something (change their password, leave the console, or worse), by sending a message which would appear to be written by the administrator. It can also be used as a denial of service attack, by continually sending garbage to the users screens, preventing them from working properly. Solution : Deactivate this service. Risk factor : Medium CVE : CVE-1999-0181 Nessus ID : 10240
Informational	sometimes-rpc18 (32777/udp)	RPC program #100008 version 1 'walld' (rwall shutdown) is running on this port Nessus ID : 11111
Warning	sometimes-rpc20 (32778/udp)	The rstatd RPC service is running. It provides an attacker interesting information such as : - the CPU usage - the system uptime - its network usage - and more Usually, it is not a good idea to let this service open Risk factor : Low CVE : CAN-1999-0624 Nessus ID : 10227
Informational	sometimes-rpc20 (32778/udp)	RPC program #100001 version 2 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port Nessus ID : 11111
Informational	sometimes-rpc20 (32778/udp)	RPC program #100001 version 3 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port Nessus ID : 11111
Informational	sometimes-rpc20 (32778/udp)	RPC program #100001 version 4 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port Nessus ID : 11111
Vulnerability	dtspc (6112/tcp)	The 'dtspcd' service is running. Some versions of this daemon are vulnerable to a buffer overflow attack which allows an attacker to gain root privileges * This warning might be a false positive, * as no real overflow was performed Solution : See http://www.cert.org/advisories/CA-2001-31.html to determine if you are vulnerable or deactivate this service (comment out the line 'dtspc' in /etc/inetd.conf) Risk factor : High CVE : CVE-2001-0803 BID : 3517 Nessus ID : 10833
Vulnerability	sometimes-rpc13 (32775/tcp)	The cachefsd RPC service is running. Some versions of this server allow an attacker to gain root access remotely, by consuming the resources of the remote host then sending a specially formed packet with format strings to this host. Solaris 2.5.1, 2.6, 7 and 8 are vulnerable to this issue. Other operating systems might be affected as well. * Nessus did not check for this vulnerability, * so this might be a false positive Solution : Deactivate this service - there is no patch at this time /etc/init.d/cachefs.daemon stop Risk factor : High CVE : CAN-2002-0084, CAN-2002-0033 BID : 4631 Nessus ID : 10951
Informational	sometimes-rpc13 (32775/tcp)	RPC program #100235 version 1 is running on this port Nessus ID : 11111
Vulnerability	sometimes-rpc9 (32773/tcp)	The tooltalk RPC service is running. There is a format string bug in many versions of this service, which allow an attacker to gain root remotely. In addition to this, several versions of this service allow remote attackers to overwrite abitrary memory locations with a zero and possibly gain privileges via a file descriptor argument in an AUTH_UNIX procedure call which is used as a table index by the _TT_ISCLOSE procedure. * This warning may be a false positive since the presence * of the bug was not verified locally. Solution : Disable this service or patch it See also : CERT Advisories CA-2001-27 and CA-2002-20 Risk factor : High CVE : CAN-2002-0677, CVE-2001-0717, CVE-2002-0679 BID : 3382 Nessus ID : 10787
Informational	sometimes-rpc9 (32773/tcp)	RPC program #100083 version 1 is running on this port Nessus ID : 11111
Informational	sunrpc (111/udp)	RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sunrpc (111/udp)	RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sunrpc (111/udp)	RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sometimes-rpc8 (32772/udp)	RPC program #100300 version 3 'nisd' (rpc.nisd) is running on this port Nessus ID : 11111
Informational	sometimes-rpc5 (32771/tcp)	RPC program #100300 version 3 'nisd' (rpc.nisd) is running on this port Nessus ID : 11111
Warning	sometimes-rpc12 (32774/udp)	The rquotad RPC service is running. If you do not use this service, then disable it as it may become a security threat in the future, if a vulnerability is discovered. Risk factor : Low CVE : CAN-1999-0625 Nessus ID : 10226
Informational	sometimes-rpc12 (32774/udp)	RPC program #100011 version 1 'rquotad' (rquotaprog quota rquota) is running on this port Nessus ID : 11111
Informational	sometimes-rpc7 (32772/tcp)	RPC program #100002 version 2 'rusersd' (rusers) is running on this port Nessus ID : 11111
Informational	sometimes-rpc7 (32772/tcp)	RPC program #100002 version 3 'rusersd' (rusers) is running on this port Nessus ID : 11111
Informational	sometimes-rpc11 (32774/tcp)	RPC program #100221 version 1 is running on this port Nessus ID : 11111
Informational	lockd (4045/tcp)	RPC program #100021 version 1 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/tcp)	RPC program #100021 version 2 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/tcp)	RPC program #100021 version 3 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/tcp)	RPC program #100021 version 4 'nlockmgr' is running on this port Nessus ID : 11111
Warning	sometimes-rpc24 (32780/udp)	The statd RPC service is running. This service has a long history of security holes, so you should really know what you are doing if you decide to let it run. * NO SECURITY HOLES REGARDING THIS PROGRAM HAVE BEEN TESTED, SO THIS MIGHT BE A FALSE POSITIVE * We suggest that you disable this service. Risk factor : High CVE : CVE-1999-0493 BID : 450 Nessus ID : 10235
Informational	sometimes-rpc24 (32780/udp)	RPC program #100024 version 1 'status' is running on this port Nessus ID : 11111
Informational	sometimes-rpc24 (32780/udp)	RPC program #100133 version 1 is running on this port Nessus ID : 11111
Informational	sometimes-rpc15 (32776/tcp)	RPC program #100024 version 1 'status' is running on this port Nessus ID : 11111
Informational	sometimes-rpc15 (32776/tcp)	RPC program #100133 version 1 is running on this port Nessus ID : 11111
Informational	unknown (32785/udp)	RPC program #100249 version 1 is running on this port Nessus ID : 11111
Vulnerability	sometimes-rpc19 (32778/tcp)	The remote RPC service 100249 (snmpXdmid) is vulnerable to a heap overflow which allows any user to obtain a root shell on this host. Solution : disable this service (/etc/init.d/init.dmi stop) if you don't use it, or contact Sun for a patch Risk factor : High CVE : CVE-2001-0236 BID : 2417 Nessus ID : 10659
Informational	sometimes-rpc19 (32778/tcp)	RPC program #100249 version 1 is running on this port Nessus ID : 11111
Informational	unknown (32788/udp)	RPC program #300598 version 1 is running on this port Nessus ID : 11111
Informational	unknown (32788/udp)	RPC program #805306368 version 1 is running on this port Nessus ID : 11111
Informational	sometimes-rpc21 (32779/tcp)	RPC program #300598 version 1 is running on this port Nessus ID : 11111
Informational	sometimes-rpc21 (32779/tcp)	RPC program #805306368 version 1 is running on this port Nessus ID : 11111
Warning	xdmcp (177/udp)	The remote host is running XDMCP. This protocol is used to provide X display connections for X terminals. XDMCP is completely insecure, since the traffic and passwords are not encrypted. An attacker may use this flaw to capture all the keystrokes of the users using this host through their X terminal, including passwords. Risk factor : Medium Solution : Disable XDMCP Nessus ID : 10891
Vulnerability	font-service (7100/tcp)	The remote X Font Service (xfs) might be vulnerable to a buffer overflow. An attacker may use this flaw to gain root on this host remotely. * Note that Nessus did not actually check for the flaw * as details about this vulnerability are still unknown Solution : See CERT Advisory CA-2002-34 Risk factor : High CVE : CAN-2002-1317 Nessus ID : 11188
Warning	echo (7/udp)	The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service. Risk factor : Low Solution : comment out 'echo' in /etc/inetd.conf CVE : CVE-1999-0103 Nessus ID : 10061
Warning	daytime (13/udp)	The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10052

[ return to top ]

Analysis of Host
Address of Host	Port/Service	Issue regarding Port
10.163.156.9	smtp (25/tcp)	Security hole found
10.163.156.9	ftp (21/tcp)	Security hole found
10.163.156.9	chargen (19/tcp)	Security warning(s) found
10.163.156.9	qotd (17/tcp)	Security warning(s) found
10.163.156.9	daytime (13/tcp)	Security warning(s) found
10.163.156.9	discard (9/tcp)	No Information
10.163.156.9	echo (7/tcp)	Security warning(s) found
10.163.156.9	nameserver (42/tcp)	No Information
10.163.156.9	http (80/tcp)	Security hole found
10.163.156.9	nntp (119/tcp)	Security notes found
10.163.156.9	loc-srv (135/tcp)	Security warning(s) found
10.163.156.9	netbios-ssn (139/tcp)	Security hole found
10.163.156.9	microsoft-ds (445/tcp)	No Information
10.163.156.9	https (443/tcp)	Security notes found
10.163.156.9	printer (515/tcp)	Security notes found
10.163.156.9	afpovertcp (548/tcp)	Security notes found
10.163.156.9	nntps (563/tcp)	Security notes found
10.163.156.9	blackjack (1025/tcp)	Security notes found
10.163.156.9	unknown (1028/tcp)	Security notes found
10.163.156.9	unknown (1035/tcp)	Security notes found
10.163.156.9	netinfo (1033/tcp)	Security notes found
10.163.156.9	iad2 (1031/tcp)	Security notes found
10.163.156.9	ms-sql-s (1433/tcp)	Security notes found
10.163.156.9	ms-sql-m (1434/udp)	Security warning(s) found
10.163.156.9	general/tcp	Security warning(s) found
10.163.156.9	general/udp	Security notes found
10.163.156.9	snmp (161/udp)	Security hole found
10.163.156.9	netbios-ns (137/udp)	Security warning(s) found
10.163.156.9	echo (7/udp)	Security warning(s) found
10.163.156.9	ms-term-serv (3389/tcp)	Security notes found
10.163.156.9	daytime (13/udp)	Security warning(s) found
10.163.156.9	qotd (17/udp)	Security warning(s) found
10.163.156.9	iad1 (1030/udp)	Security notes found
10.163.156.9	chargen (19/udp)	Security warning(s) found
10.163.156.9	iad3 (1032/udp)	Security notes found

Security Issues and Fixes: 10.163.156.9
Type	Port	Issue and Fix
Vulnerability	smtp (25/tcp)	The remote SMTP server did not complain when issued the command : MAIL FROM: root@this_host RCPT TO: /tmp/nessus_test This probably means that it is possible to send mail directly to files, which is a serious threat, since this allows anyone to overwrite any file on the remote server. * This security hole might be a false positive, since * some MTAs will not complain to this test, but instead * just drop the message silently. * Check for the presence of file 'nessus_test' in /tmp ! Solution : upgrade your MTA or change it. Risk factor : High Nessus ID : 10259
Vulnerability	smtp (25/tcp)	The remote SMTP server did not complain when issued the command : MAIL FROM: \|testing This probably means that it is possible to send mail that will be bounced to a program, which is a serious threat, since this allows anyone to execute arbitrary commands on this host. * This security hole might be a false positive, since * some MTAs will not complain to this test, but instead *** just drop the message silently Solution : upgrade your MTA or change it. Risk factor : High CVE : CVE-1999-0203 BID : 2308 Nessus ID : 10258
Vulnerability	smtp (25/tcp)	The remote SMTP server did not complain when issued the command : MAIL FROM: root@this_host RCPT TO: \|testing This probably means that it is possible to send mail directly to programs, which is a serious threat, since this allows anyone to execute arbitrary commands on this host. * This security hole might be a false positive, since * some MTAs will not complain to this test, but instead *** just drop the message silently. Solution : upgrade your MTA or change it. Risk factor : High CVE : CAN-1999-0163 Nessus ID : 10261
Informational	smtp (25/tcp)	An SMTP server is running on this port Here is its banner : 220 gabbo Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Fri, 21 Feb 2003 15:45:19 -0800 Nessus ID : 10330
Informational	smtp (25/tcp)	Remote SMTP server banner : 220 gabbo Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Fri, 21 Feb 2003 15:48:26 -0800 Nessus ID : 10263
Informational	smtp (25/tcp)	For some reason, we could not send the EICAR test string to this MTA Nessus ID : 11034
Vulnerability	ftp (21/tcp)	The remote FTP server closes the connection when one of the commands is given a too long argument. This probably due to a buffer overflow, which allows anyone to execute arbitrary code on the remote host. This problem is threatening, because the attackers don't need an account to exploit this flaw. Solution : Upgrade your FTP server or change it Risk factor : High CVE : CAN-2000-0133 BID : 961 Nessus ID : 10084
Warning	ftp (21/tcp)	This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles. Under most Unix system, doing : echo ftp >> /etc/ftpusers will correct this. Risk factor : Low CVE : CAN-1999-0497 Nessus ID : 10079
Informational	ftp (21/tcp)	An FTP server is running on this port. Here is its banner : 220 gabbo Microsoft FTP Service (Version 5.0). Nessus ID : 10330
Informational	ftp (21/tcp)	Remote FTP server banner : 220 gabbo Microsoft FTP Service (Version 5.0). Nessus ID : 10092
Warning	chargen (19/tcp)	The chargen service is running. The 'chargen' service should only be enabled when testing the machine. When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. An easy attack is 'pingpong' in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10043
Informational	chargen (19/tcp)	Chargen is running on this port Nessus ID : 10330
Warning	qotd (17/tcp)	The quote service (qotd) is running. A server listens for TCP connections on TCP port 17. Once a connection is established a short message is sent out the connection (and any data received is thrown away). The service closes the connection after sending the quote. Another quote of the day service is defined as a datagram based application on UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is 'pingpong' which IP spoofs a packet between two machines running qotd. This will cause them to spew characters at each other, slowing the machines down and saturating the network. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10198
Informational	qotd (17/tcp)	qotd seems to be running on this port Nessus ID : 11153
Warning	daytime (13/tcp)	The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10052
Warning	echo (7/tcp)	The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service. Risk factor : Low Solution : comment out 'echo' in /etc/inetd.conf CVE : CVE-1999-0103 Nessus ID : 10061
Informational	echo (7/tcp)	An echo server is running on this port Nessus ID : 10330
Vulnerability	http (80/tcp)	The IIS server appears to have the .HTR ISAPI filter mapped. At least one remote vulnerability has been discovered for the .HTR filter. This is detailed in Microsoft Advisory MS02-018, and gives remote SYSTEM level access to the web server. It is recommended that even if you have patched this vulnerability that you unmap the .HTR extension, and any other unused ISAPI extensions if they are not required for the operation of your site. Solution: To unmap the .HTR extension: 1.Open Internet Services Manager. 2.Right-click the Web server choose Properties from the context menu. 3.Master Properties 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .htr from the list. Risk factor : High CVE : CAN-2002-0071 BID : 4474 Nessus ID : 10932
Vulnerability	http (80/tcp)	The web server is probably susceptible to a common IIS vulnerability discovered by 'Rain Forest Puppy'. This vulnerability enables an attacker to execute arbitrary commands on the server with Administrator Privileges. * Nessus solely relied on the presence of the file /msadc/msadcs.dll * so this might be a false positive See Microsoft security bulletin (MS99-025) for patch information. Also, BUGTRAQ ID 529 on www.securityfocus.com ( http://www.securityfocus.com/bid/529 ) Risk factor : High CVE : CVE-1999-1011 BID : 529 Nessus ID : 10357
Warning	http (80/tcp)	The IIS server appears to have the .IDA ISAPI filter mapped. At least one remote vulnerability has been discovered for the .IDA (indexing service) filter. This is detailed in Microsoft Advisory MS01-033, and gives remote SYSTEM level access to the web server. It is recommended that even if you have patched this vulnerability that you unmap the .IDA extension, and any other unused ISAPI extensions if they are not required for the operation of your site. Solution: To unmap the .IDA extension: 1.Open Internet Services Manager. 2.Right-click the Web server choose Properties from the context menu. 3.Master Properties 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .ida from the list. Risk factor : Medium CVE : CAN-2002-0071 BID : 4474 Nessus ID : 10695
Warning	http (80/tcp)	IIS 5 has support for the Internet Printing Protocol(IPP), which is enabled in a default install. The protocol is implemented in IIS5 as an ISAPI extension. At least one security problem (a buffer overflow) has been found with that extension in the past, so we recommend you disable it if you do not use this functionality. Solution: To unmap the .printer extension: 1.Open Internet Services Manager. 2.Right-click the Web server choose Properties from the context menu. 3.Master Properties 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .printer from the list. Reference : http://online.securityfocus.com/archive/1/181109 Risk factor : Low Nessus ID : 10661
Warning	http (80/tcp)	Your webserver supports the TRACE and/or TRACK methods. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials. Solution: Disable these methods. If you are using Apache, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE\|TRACK) RewriteRule .* - [F] If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy. See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html Risk factor : Medium Nessus ID : 11213
Warning	http (80/tcp)	It is possible to retrieve the listing of the remote directories accessible via HTTP, rather than their index.html, using the Index Server service which provides WebDav capabilities to this server. This problem allows an attacker to gain more knowledge about the remote host, and may make him aware of hidden HTML files. Solution : disable the Index Server service, or see http://www.microsoft.com/technet/support/kb.asp?ID=272079 Risk factor : Low CVE : CVE-2000-0951 BID : 1756 Nessus ID : 10526
Warning	http (80/tcp)	The remote web server appears to be running with Frontpage extensions. You should double check the configuration since a lot of security problems have been found with FrontPage when the configuration file is not well set up. Risk factor : High if your configuration file is not well set up CVE : CAN-2000-0114 Nessus ID : 10077
Informational	http (80/tcp)	A web server is running on this port Nessus ID : 10330
Informational	http (80/tcp)	The remote web server type is : Microsoft-IIS/5.0 Solution : You can use urlscan to change reported server for IIS. Nessus ID : 10107
Informational	http (80/tcp)	The following directories were discovered: /_vti_bin, /images The following directories require authentication: /printers Nessus ID : 11032
Informational	nntp (119/tcp)	An NNTP server is running on this port Nessus ID : 10330
Informational	nntp (119/tcp)	Remote NNTP server version : 200 NNTP Service 5.00.0984 Version: 5.0.2195.5329 Posting Allowed Nessus ID : 10159
Informational	nntp (119/tcp)	This NNTP server allows unauthenticated connections For your information, we counted 4 newsgroups on this NNTP server: 0 in the alt hierarchy, 0 in rec, 0 in biz, 0 in sci, 0 in soc, 0 in misc, 0 in news, 0 in comp, 0 in talk, 0 in humanities. Although this server says it allows posting, we were unable to send a message (posted in alt.test) Nessus ID : 11033
Warning	loc-srv (135/tcp)	DCE services running on the remote can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host. Solution : filter incoming traffic to this port. Risk factor : Low Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1 Endpoint: ncacn_np:\\GABBO[\pipe\WinsPipe] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncalrpc[LRPC00000238.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncalrpc[LRPC00000238.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncalrpc[LRPC00000238.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncalrpc[LRPC00000238.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncalrpc[LRPC000004a0.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncalrpc[LRPC000004a0.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[ntsvcs] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\GABBO[\PIPE\ntsvcs] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\GABBO[\PIPE\scerpc] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[DNSResolver] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2 Endpoint: ncalrpc[OLEc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2 Endpoint: ncalrpc[INETINFO_LPC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2 Endpoint: ncacn_np:\\GABBO[\PIPE\INETINFO] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3 Endpoint: ncalrpc[OLEc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3 Endpoint: ncalrpc[INETINFO_LPC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3 Endpoint: ncacn_np:\\GABBO[\PIPE\INETINFO] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3 Endpoint: ncalrpc[SMTPSVC_LPC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3 Endpoint: ncacn_np:\\GABBO[\PIPE\SMTPSVC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1 Endpoint: ncalrpc[OLEc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1 Endpoint: ncalrpc[INETINFO_LPC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1 Endpoint: ncacn_np:\\GABBO[\PIPE\INETINFO] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1 Endpoint: ncalrpc[SMTPSVC_LPC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1 Endpoint: ncacn_np:\\GABBO[\PIPE\SMTPSVC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1 Endpoint: ncacn_at_dspGABBO[DynEpt 590.1] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncalrpc[OLEc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncalrpc[INETINFO_LPC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncacn_np:\\GABBO[\PIPE\INETINFO] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncalrpc[SMTPSVC_LPC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncacn_np:\\GABBO[\PIPE\SMTPSVC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncacn_at_dspGABBO[DynEpt 590.1] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncalrpc[NNTPSVC_LPC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncacn_np:\\GABBO[\PIPE\NNTPSVC] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1 Endpoint: ncalrpc[LRPC00000504.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1 Endpoint: ncacn_np:\\GABBO[\pipe\HydraLsPipe] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1 Endpoint: ncalrpc[LRPC00000504.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1 Endpoint: ncacn_np:\\GABBO[\pipe\HydraLsPipe] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 493c451c-155c-11d3-a314-00c04fb16103, version 1 Endpoint: ncalrpc[LRPC00000504.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 493c451c-155c-11d3-a314-00c04fb16103, version 1 Endpoint: ncacn_np:\\GABBO[\pipe\HydraLsPipe] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1 Endpoint: ncalrpc[LRPC0000053c.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1 Endpoint: ncacn_np:\\GABBO[\pipe\WinsPipe] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1 Endpoint: ncalrpc[LRPC0000053c.00000001] Nessus ID : 10736
Vulnerability	netbios-ssn (139/tcp)	. It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user the 'guest' access To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261 (Windows 2000). Note that this won't completely disable null sessions, but will prevent them from connecting to IPC$ Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html . All the smb tests will be done as ''/'' CVE : CVE-2000-0222 BID : 990 Nessus ID : 10394
Warning	netbios-ssn (139/tcp)	The domain SID can be obtained remotely. Its value is : COOLDOMAIN : 0-0-0-0-0 An attacker can use it to obtain the list of the local users of this host Solution : filter the ports 137 to 139 and 445 Risk factor : Low CVE : CVE-2000-1200 BID : 959 Nessus ID : 10398
Warning	netbios-ssn (139/tcp)	The host SID can be obtained remotely. Its value is : GABBO : 5-21-842925246-1563985344-2146861395 An attacker can use it to obtain the list of the local users of this host Solution : filter the ports 137 to 139 and 445 Risk factor : Low CVE : CVE-2000-1200 BID : 959 Nessus ID : 10859
Warning	netbios-ssn (139/tcp)	The host SID could be used to enumerate the names of the local users of this host. (we only enumerated users name whose ID is between 1000 and 1020 for performance reasons) This gives extra knowledge to an attacker, which is not a good thing : - Administrator account name : Administrator (id 500) - Guest account name : Guest (id 501) - TsInternetUser (id 1000) - NetShowServices (id 1001) - NetShow Administrators (id 1002) - IUSR_GABBO (id 1003) - IWAM_GABBO (id 1004) - DHCP Users (id 1005) - DHCP Administrators (id 1006) - WINS Users (id 1007) Risk factor : Medium Solution : filter incoming connections this port CVE : CVE-2000-1200 BID : 959 Nessus ID : 10860
Warning	netbios-ssn (139/tcp)	Here is the browse list of the remote host : GABBO - This is potentially dangerous as this may help the attack of a potential hacker by giving him extra targets to check for Solution : filter incoming traffic to this port Risk factor : Low Nessus ID : 10397
Informational	netbios-ssn (139/tcp)	The remote native lan manager is : Windows 2000 LAN Manager The remote Operating System is : Windows 5.0 The remote SMB Domain Name is : COOLDOMAIN Nessus ID : 10785
Informational	https (443/tcp)	An unknown service is running on this port. It is usually reserved for HTTPS Nessus ID : 10330
Informational	printer (515/tcp)	An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team: 00: 01 . Nessus ID : 11154
Informational	afpovertcp (548/tcp)	This host is running an AppleShare File Services over IP. Machine type: Windows NT Server name: GABBO UAMs: ClearTxt Passwrd/Microsoft V1.0/MS2.0 AFP Versions: AFPVersion 2.0/AFPVersion 2.1/AFP2.2 Nessus ID : 10666
Informational	nntps (563/tcp)	An unknown service is running on this port. It is usually reserved for NNTPS Nessus ID : 10330
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1025] Nessus ID : 10736
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1025] Nessus ID : 10736
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1025] Nessus ID : 10736
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1025] Nessus ID : 10736
Informational	unknown (1028/tcp)	A DCE service is listening on this port UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1028] Nessus ID : 10736
Informational	unknown (1028/tcp)	A DCE service is listening on this port UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1028] Nessus ID : 10736
Informational	unknown (1035/tcp)	A DCE service is listening on this port UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1035] Nessus ID : 10736
Informational	unknown (1035/tcp)	A DCE service is listening on this port UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1035] Nessus ID : 10736
Informational	netinfo (1033/tcp)	A DCE service is listening on this port UUID: 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1033] Nessus ID : 10736
Informational	netinfo (1033/tcp)	A DCE service is listening on this port UUID: 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1033] Nessus ID : 10736
Informational	netinfo (1033/tcp)	A DCE service is listening on this port UUID: 493c451c-155c-11d3-a314-00c04fb16103, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1033] Nessus ID : 10736
Informational	iad2 (1031/tcp)	A DCE service is listening on this port UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2 Endpoint: ncacn_ip_tcp:10.163.156.9[1031] Nessus ID : 10736
Informational	iad2 (1031/tcp)	A DCE service is listening on this port UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3 Endpoint: ncacn_ip_tcp:10.163.156.9[1031] Nessus ID : 10736
Informational	iad2 (1031/tcp)	A DCE service is listening on this port UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1 Endpoint: ncacn_ip_tcp:10.163.156.9[1031] Nessus ID : 10736
Informational	iad2 (1031/tcp)	A DCE service is listening on this port UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncacn_ip_tcp:10.163.156.9[1031] Nessus ID : 10736
Informational	ms-sql-s (1433/tcp)	It is possible that Microsoft's SQL Server is installed on the remote computer. CVE : CAN-1999-0652 Nessus ID : 10144
Warning	ms-sql-m (1434/udp)	Here is the reply to a MS SQL 'ping' request : ServerName;GABBO;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;tcp;1433;np;\\GABBO\pipe\\sql\query;; * Note that the version number might be inaccurate, as Microsoft * decided to not increase it with new releases of its software It is suggested you filter incoming traffic to this port Nessus ID : 10674
Warning	general/tcp	The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host. An attacker may use this feature to determine if the remote host sent a packet in reply to another request. This may be used for portscanning and other things. Solution : Contact your vendor for a patch Risk factor : Low Nessus ID : 10201
Informational	general/tcp	QueSO has found out that the remote host OS is * WindowsNT, Cisco 11.2(10a), HP/3000 DTC, BayStack Switch CVE : CAN-1999-0454 Nessus ID : 10337
Informational	general/udp	For your information, here is the traceroute to 10.163.156.9 : ? 10.163.156.9 Nessus ID : 10287
Vulnerability	snmp (161/udp)	SNMP Agent responded as expected with community name: public CVE : CAN-1999-0186 BID : 177 Nessus ID : 10264
Warning	snmp (161/udp)	It was possible to obtain the list of SMB users of the remote host via SNMP : . Guest . IUSR_GABBO . IWAM_GABBO . Administrator . TsInternetUser . NetShowServices An attacker may use this information to set up brute force attacks or find an unused account. Solution : disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port Risk factor : Medium Nessus ID : 10546
Warning	snmp (161/udp)	It was possible to obtain the list of Lanman services of the remote host via SNMP : . Server . Alerter . Event Log . Messenger . Telephony . DNS Client . DHCP Client . MSSQLSERVER . Workstation . SNMP Service . Plug and Play . Print Spooler . RunAs Service . Task Scheduler . Computer Browser . Indexing Service . Automatic Updates . COM+ Event System . IIS Admin Service . Protected Storage . Removable Storage . Terminal Services . IPSEC Policy Agent . Remote Storage File . TCP/IP Print Server . Logical Disk Manager . Remote Storage Media . Remote Storage Engine . FTP Publishing Service . Simple TCP/IP Services . Distributed File System . License Logging Service . Remote Registry Service . File Server for Macintosh . Security Accounts Manager . System Event Notification . Print Server for Macintosh . Remote Procedure Call (RPC) . Terminal Services Licensing . TCP/IP NetBIOS Helper Service . Windows Media Monitor Service . Windows Media Program Service . Windows Media Station Service . Windows Media Unicast Service . Internet Authentication Service . NT LM Security Support Provider . Distributed Link Tracking Client . World Wide Web Publishing Service . Windows Management Instrumentation . Distributed Transaction Coordinator . Windows Internet Name Service (WINS) . Simple Mail Transport Protocol (SMTP) . Network News Transport Protocol (NNTP) . Windows Management Instrumentation Driver Extensions An attacker may use this information to gain more knowledge about the target host. Solution : disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port Risk factor : Low Nessus ID : 10547
Warning	snmp (161/udp)	It was possible to obtain the list of network interfaces of the remote host via SNMP : . MS TCP Loopback interface . Realtek RTL8029(AS) Ethernet Adapt An attacker may use this information to gain more knowledge about the target host. Solution : disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port Risk factor : Low Nessus ID : 10551
Informational	snmp (161/udp)	Using SNMP, we could determine that the remote operating system is : Hardware: x86 Family 6 Model 6 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free) Nessus ID : 10800
Warning	netbios-ns (137/udp)	. The following 9 NetBIOS names have been gathered : GABBO GABBO COOLDOMAIN COOLDOMAIN GABBO COOLDOMAIN __MSBROWSE__ INet~Services IS~GABBO . The remote host has the following MAC address on its adapter : 0x00 0x40 0x05 0x65 0x01 0xa2 If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port. Risk factor : Medium Nessus ID : 10150
Warning	echo (7/udp)	The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service. Risk factor : Low Solution : comment out 'echo' in /etc/inetd.conf CVE : CVE-1999-0103 Nessus ID : 10061
Informational	ms-term-serv (3389/tcp)	The Terminal Services are enabled on the remote host. Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. Solution : Disable the Terminal Services if you do not use them Risk factor : Low Nessus ID : 10940
Warning	daytime (13/udp)	The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10052
Warning	qotd (17/udp)	The quote service (qotd) is running. A server listens for TCP connections on TCP port 17. Once a connection is established a short message is sent out the connection (and any data received is thrown away). The service closes the connection after sending the quote. Another quote of the day service is defined as a datagram based application on UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is 'pingpong' which IP spoofs a packet between two machines running qotd. This will cause them to spew characters at each other, slowing the machines down and saturating the network. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10198
Informational	iad1 (1030/udp)	A DCE service is listening on this port UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncadg_ip_udp:10.163.156.9[1030] Annotation: Messenger Service Nessus ID : 10736
Warning	chargen (19/udp)	The chargen service is running. The 'chargen' service should only be enabled when testing the machine. When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. An easy attack is 'pingpong' in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10043
Informational	iad3 (1032/udp)	A DCE service is listening on this port UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1 Endpoint: ncadg_ip_udp:10.163.156.9[1032] Nessus ID : 10736
Informational	iad3 (1032/udp)	A DCE service is listening on this port UUID: 4f82f460-0e21-11cf-909e-00805f48a135, version 4 Endpoint: ncadg_ip_udp:10.163.156.9[1032] Nessus ID : 10736

[ return to top ]

Analysis of Host
Address of Host	Port/Service	Issue regarding Port
10.163.155.4	ftp (21/tcp)	Security notes found
10.163.155.4	http (80/tcp)	Security hole found
10.163.155.4	loc-srv (135/tcp)	Security warning(s) found
10.163.155.4	netbios-ssn (139/tcp)	Security hole found
10.163.155.4	microsoft-ds (445/tcp)	No Information
10.163.155.4	blackjack (1025/tcp)	Security notes found
10.163.155.4	general/tcp	Security notes found
10.163.155.4	general/udp	Security notes found
10.163.155.4	netbios-ns (137/udp)	Security warning(s) found
10.163.155.4	unknown (1026/udp)	Security notes found

Security Issues and Fixes: 10.163.155.4
Type	Port	Issue and Fix
Informational	ftp (21/tcp)	The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper Nessus ID : 10330
Vulnerability	http (80/tcp)	The remote proxy server seems to be ooops 1.4.6 or older. This proxy is vulnerable to a buffer overflow that allows an attacker to gain a shell on this host. *** Note that this check made the remote proxy crash Solution : Upgrade to the latest version of this software Risk factor : High CVE : CAN-2001-0029 BID : 2099 Nessus ID : 10578
Warning	http (80/tcp)	The misconfigured proxy accepts requests coming from anywhere. This allows attackers to gain some anonymity when browsing some sensitive sites using your proxy, making the remote sites think that the requests come from your network. Solution: Reconfigure the remote proxy so that it only accepts requests coming from inside your network. Risk factor : Low/Medium Nessus ID : 10195
Informational	http (80/tcp)	A web server is running on this port Nessus ID : 10330
Informational	http (80/tcp)	An HTTP proxy is running on this port Nessus ID : 10330
Warning	loc-srv (135/tcp)	DCE services running on the remote can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host. Solution : filter incoming traffic to this port. Risk factor : Low Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncalrpc[LRPC0000027c.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncalrpc[LRPC0000027c.00000001] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[ntsvcs] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\BENDER[\PIPE\ntsvcs] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\BENDER[\PIPE\scerpc] Annotation: Messenger Service Nessus ID : 10736
Vulnerability	netbios-ssn (139/tcp)	. It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user the 'guest' access To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261 (Windows 2000). Note that this won't completely disable null sessions, but will prevent them from connecting to IPC$ Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html . All the smb tests will be done as ''/'' in domain WORKGROUP CVE : CVE-2000-0222 BID : 990 Nessus ID : 10394
Warning	netbios-ssn (139/tcp)	The domain SID can be obtained remotely. Its value is : WORKGROUP : 0-0-0-0-0 An attacker can use it to obtain the list of the local users of this host Solution : filter the ports 137 to 139 and 445 Risk factor : Low CVE : CVE-2000-1200 BID : 959 Nessus ID : 10398
Warning	netbios-ssn (139/tcp)	The host SID can be obtained remotely. Its value is : BENDER : 5-21-1884898659-186063924-2090620667 An attacker can use it to obtain the list of the local users of this host Solution : filter the ports 137 to 139 and 445 Risk factor : Low CVE : CVE-2000-1200 BID : 959 Nessus ID : 10859
Warning	netbios-ssn (139/tcp)	The host SID could be used to enumerate the names of the local users of this host. (we only enumerated users name whose ID is between 1000 and 1020 for performance reasons) This gives extra knowledge to an attacker, which is not a good thing : - Administrator account name : Administrateur (id 500) - Guest account name : Invit (id 501) - Renaud (id 1000) Risk factor : Medium Solution : filter incoming connections this port CVE : CVE-2000-1200 BID : 959 Nessus ID : 10860
Warning	netbios-ssn (139/tcp)	Here is the browse list of the remote host : BENDER - XP - This is potentially dangerous as this may help the attack of a potential hacker by giving him extra targets to check for Solution : filter incoming traffic to this port Risk factor : Low Nessus ID : 10397
Informational	netbios-ssn (139/tcp)	The remote native lan manager is : Windows 2000 LAN Manager The remote Operating System is : Windows 5.0 The remote SMB Domain Name is : WORKGROUP Nessus ID : 10785
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncacn_ip_tcp:10.163.155.4[1025] Nessus ID : 10736
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncacn_ip_tcp:10.163.155.4[1025] Nessus ID : 10736
Informational	general/tcp	QueSO has found out that the remote host OS is * FreeBSD, NetBSD, OpenBSD CVE : CAN-1999-0454 Nessus ID : 10337
Informational	general/udp	For your information, here is the traceroute to 10.163.155.4 : ? 10.163.156.1 10.163.155.4 Nessus ID : 10287
Warning	netbios-ns (137/udp)	. The following 5 NetBIOS names have been gathered : BENDER = This is the computer name registered for workstation services by a WINS client. WORKGROUP = Workgroup / Domain name BENDER BENDER = Computer name that is registered for the messenger service on a computer that is a WINS client. WORKGROUP = Workgroup / Domain name (part of the Browser elections) . The remote host has the following MAC address on its adapter : 0x00 0x02 0x2d 0x28 0xf3 0x16 If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port. Risk factor : Medium Nessus ID : 10150
Informational	unknown (1026/udp)	A DCE service is listening on this port UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncadg_ip_udp:10.163.155.4[1026] Annotation: Messenger Service Nessus ID : 10736

[ return to top ]

Analysis of Host
Address of Host	Port/Service	Issue regarding Port
10.163.155.3	ftp (21/tcp)	Security hole found
10.163.155.3	http (80/tcp)	Security warning(s) found
10.163.155.3	svrloc (427/tcp)	Security notes found
10.163.155.3	afpovertcp (548/tcp)	Security hole found
10.163.155.3	general/tcp	Security notes found
10.163.155.3	general/udp	Security notes found
10.163.155.3	x11 (6000/tcp)	Security warning(s) found

Security Issues and Fixes: 10.163.155.3
Type	Port	Issue and Fix
Vulnerability	ftp (21/tcp)	It was possible to make the remote FTP server crash by issuing this command : CEL aaaa[...]aaaa This problem is known has the 'AIX FTPd' overflow and may allow the remote user to easily gain access to the root (super-user) account on the remote system. Solution : If you are using AIX FTPd, then read IBM's advisory number ERS-SVA-E01-1999:004.1, or contact your vendor for a patch. Risk factor : High CVE : CVE-1999-0789 BID : 679 Nessus ID : 10009
Vulnerability	ftp (21/tcp)	The remote FTP server closes the connection when one of the commands is given a too long argument. This probably due to a buffer overflow, which allows anyone to execute arbitrary code on the remote host. This problem is threatening, because the attackers don't need an account to exploit this flaw. Solution : Upgrade your FTP server or change it Risk factor : High CVE : CAN-2000-0133 BID : 961 Nessus ID : 10084
Informational	ftp (21/tcp)	An FTP server is running on this port. Here is its banner : 220 10.163.155.3 FTP server (lukemftpd 1.1) ready. Nessus ID : 10330
Informational	ftp (21/tcp)	Remote FTP server banner : 220 10.163.155.3 FTP server (lukemftpd 1.1) ready. Nessus ID : 10092
Warning	http (80/tcp)	Your webserver supports the TRACE and/or TRACK methods. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials. Solution: Disable these methods. If you are using Apache, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE\|TRACK) RewriteRule .* - [F] If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy. See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html Risk factor : Medium Nessus ID : 11213
Warning	http (80/tcp)	The misconfigured proxy accepts requests coming from anywhere. This allows attackers to gain some anonymity when browsing some sensitive sites using your proxy, making the remote sites think that the requests come from your network. Solution: Reconfigure the remote proxy so that it only accepts requests coming from inside your network. Risk factor : Low/Medium Nessus ID : 10195
Informational	http (80/tcp)	A web server is running on this port Nessus ID : 10330
Informational	http (80/tcp)	An HTTP proxy is running on this port Nessus ID : 10330
Informational	http (80/tcp)	The remote web server type is : squid/2.5.PRE13 Solution : We recommend that you configure (if possible) your web server to return a bogus Server header in order to not leak information. Nessus ID : 10107
Informational	http (80/tcp)	This port was detected as being open by a port scanner but is now closed. This service might have been crashed by a port scanner or by some information gathering plugin Nessus ID : 10919
Informational	svrloc (427/tcp)	An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team: 00: 02 02 .. Nessus ID : 11154
Vulnerability	afpovertcp (548/tcp)	This AppleShare File Server allows the 'guest' user to connect. Nessus ID : 10666
Informational	afpovertcp (548/tcp)	This host is running an AppleShare File Services over IP. Machine type: Macintosh Server name: betrayal UAMs: DHCAST128/DHX2/Cleartxt Passwrd/No User Authent AFP Versions: AFP3.1/AFPX03/AFP2.2/AFPVersion 2.1/AFPVersion 2.0/AFPVersion 1.1 Nessus ID : 10666
Informational	general/tcp	QueSO has found out that the remote host OS is * FreeBSD, NetBSD, OpenBSD CVE : CAN-1999-0454 Nessus ID : 10337
Informational	general/udp	For your information, here is the traceroute to 10.163.155.3 : 10.163.155.3 Nessus ID : 10287
Warning	x11 (6000/tcp)	This X server does not allow any client to connect to it however it is recommended that you filter incoming connections to this port as attacker may send garbage data and slow down your X session or even kill the server. Here is the server version : 11.0 Here is the message we received : No protocol specified Solution : filter incoming connections to ports 6000-6009 Risk factor : Low CVE : CVE-1999-0526 Nessus ID : 10407

[ return to top ]

Analysis of Host
Address of Host	Port/Service	Issue regarding Port
10.163.155.2	ftp (21/tcp)	Security notes found
10.163.155.2	http (80/tcp)	Security warning(s) found
10.163.155.2	snmp (161/udp)	Security hole found
10.163.155.2	general/tcp	Security warning(s) found

Security Issues and Fixes: 10.163.155.2
Type	Port	Issue and Fix
Informational	ftp (21/tcp)	The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper Nessus ID : 10330
Warning	http (80/tcp)	Your webserver supports the TRACE and/or TRACK methods. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials. Solution: Disable these methods. If you are using Apache, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE\|TRACK) RewriteRule .* - [F] If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy. See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html Risk factor : Medium Nessus ID : 11213
Warning	http (80/tcp)	The misconfigured proxy accepts requests coming from anywhere. This allows attackers to gain some anonymity when browsing some sensitive sites using your proxy, making the remote sites think that the requests come from your network. Solution: Reconfigure the remote proxy so that it only accepts requests coming from inside your network. Risk factor : Low/Medium Nessus ID : 10195
Informational	http (80/tcp)	A web server is running on this port Nessus ID : 10330
Informational	http (80/tcp)	An HTTP proxy is running on this port Nessus ID : 10330
Informational	http (80/tcp)	The remote web server type is : squid/2.5.PRE13 Solution : We recommend that you configure (if possible) your web server to return a bogus Server header in order to not leak information. Nessus ID : 10107
Vulnerability	snmp (161/udp)	The device answered to more than 4 community strings. This may be a false positive or a community-less SNMP server HP printers answer to all community strings. SNMP Agent responded as expected with community name: public SNMP Agent responded as expected with community name: private SNMP Agent responded as expected with community name: ilmi SNMP Agent responded as expected with community name: ILMI If the target is a Cisco Product, please read http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml SNMP Agent responded as expected with community name: system SNMP Agent responded as expected with community name: write SNMP Agent responded as expected with community name: all SNMP Agent responded as expected with community name: monitor SNMP Agent responded as expected with community name: agent SNMP Agent responded as expected with community name: manager SNMP Agent responded as expected with community name: OrigEquipMfr SNMP Agent responded as expected with community name: admin SNMP Agent responded as expected with community name: default SNMP Agent responded as expected with community name: password SNMP Agent responded as expected with community name: tivoli SNMP Agent responded as expected with community name: openview SNMP Agent responded as expected with community name: community SNMP Agent responded as expected with community name: snmp SNMP Agent responded as expected with community name: snmpd SNMP Agent responded as expected with community name: Secret C0de SNMP Agent responded as expected with community name: security SNMP Agent responded as expected with community name: all private SNMP Agent responded as expected with community name: rmon SNMP Agent responded as expected with community name: rmon_admin SNMP Agent responded as expected with community name: hp_admin SNMP Agent responded as expected with community name: NoGaH$@! SNMP Agent responded as expected with community name: 0392a0 SNMP Agent responded as expected with community name: xyzzy SNMP Agent responded as expected with community name: agent_steal SNMP Agent responded as expected with community name: freekevin SNMP Agent responded as expected with community name: fubar SNMP Agent responded as expected with community name: secret SNMP Agent responded as expected with community name: cisco SNMP Agent responded as expected with community name: apc SNMP Agent responded as expected with community name: ANYCOM SNMP Agent responded as expected with community name: cable-docsis SNMP Agent responded as expected with community name: c SNMP Agent responded as expected with community name: cc SNMP Agent responded as expected with community name: Cisco router SNMP Agent responded as expected with community name: cascade SNMP Agent responded as expected with community name: comcomcom CVE : CAN-1999-0186 BID : 177 Nessus ID : 10264
Warning	snmp (161/udp)	A SNMP server is running on this host Nessus ID : 10265
Informational	snmp (161/udp)	Using SNMP, we could determine that the remote operating system is : Base Station V3.81 Compatible Nessus ID : 10800
Warning	general/tcp	The remote host is a Wireless Access Point. You should ensure that the proper physical and logical controls exist around the AP. Risk factor : Medium/Low Nessus ID : 11026

[ return to top ]

Analysis of Host
Address of Host	Port/Service	Issue regarding Port
10.163.156.1	ssh (22/tcp)	Security warning(s) found
10.163.156.1	ftp (21/tcp)	Security notes found
10.163.156.1	http (80/tcp)	Security hole found
10.163.156.1	general/tcp	Security notes found
10.163.156.1	general/udp	Security notes found

Security Issues and Fixes: 10.163.156.1
Type	Port	Issue and Fix
Warning	ssh (22/tcp)	The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used. Solution : If you use OpenSSH, set the option 'Protocol' to '2' If you use SSH.com's set the option 'Ssh1Compatibility' to 'no' Risk factor : Low Nessus ID : 10882
Informational	ssh (22/tcp)	An ssh server is running on this port Nessus ID : 10330
Informational	ssh (22/tcp)	The remote SSH daemon supports the following versions of the SSH protocol : . 1.33 . 1.5 . 1.99 . 2.0 Nessus ID : 10881
Informational	ssh (22/tcp)	Remote SSH version : SSH-1.99-OpenSSH_3.5 Nessus ID : 10267
Informational	ftp (21/tcp)	The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper Nessus ID : 10330
Vulnerability	http (80/tcp)	The remote proxy server seems to be ooops 1.4.6 or older. This proxy is vulnerable to a buffer overflow that allows an attacker to gain a shell on this host. *** Note that this check made the remote proxy crash Solution : Upgrade to the latest version of this software Risk factor : High CVE : CAN-2001-0029 BID : 2099 Nessus ID : 10578
Informational	http (80/tcp)	A web server is running on this port Nessus ID : 10330
Informational	http (80/tcp)	An HTTP proxy is running on this port Nessus ID : 10330
Informational	general/tcp	QueSO has found out that the remote host OS is * FreeBSD, NetBSD, OpenBSD CVE : CAN-1999-0454 Nessus ID : 10337
Informational	general/udp	For your information, here is the traceroute to 10.163.156.1 : ? 10.163.156.1 Nessus ID : 10287

[ return to top ]

Analysis of Host
Address of Host	Port/Service	Issue regarding Port
10.163.155.6	ftp (21/tcp)	Security notes found
10.163.155.6	http (80/tcp)	Security hole found
10.163.155.6	loc-srv (135/tcp)	Security warning(s) found
10.163.155.6	netbios-ssn (139/tcp)	Security hole found
10.163.155.6	microsoft-ds (445/tcp)	No Information
10.163.155.6	blackjack (1025/tcp)	Security notes found
10.163.155.6	general/tcp	Security notes found
10.163.155.6	general/udp	Security notes found
10.163.155.6	netbios-ns (137/udp)	Security warning(s) found
10.163.155.6	ms-term-serv (3389/tcp)	Security notes found
10.163.155.6	unknown (1027/udp)	Security notes found

Security Issues and Fixes: 10.163.155.6
Type	Port	Issue and Fix
Informational	ftp (21/tcp)	The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper Nessus ID : 10330
Vulnerability	http (80/tcp)	It was possible to kill the web server by sending an invalid request with a too long HTTP 1.1 header (Accept-Encoding, Accept-Language, Accept-Range, Connection, Expect, If-Match, If-None-Match, If-Range, If-Unmodified-Since, Max-Forwards, TE, Host) A cracker may exploit this vulnerability to make your web server crash continually or even execute arbirtray code on your system. Solution : upgrade your software or protect it with a filtering reverse proxy Risk factor : High Nessus ID : 11129
Warning	http (80/tcp)	Your webserver supports the TRACE and/or TRACK methods. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials. Solution: Disable these methods. If you are using Apache, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE\|TRACK) RewriteRule .* - [F] If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy. See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html Risk factor : Medium Nessus ID : 11213
Warning	http (80/tcp)	The misconfigured proxy accepts requests coming from anywhere. This allows attackers to gain some anonymity when browsing some sensitive sites using your proxy, making the remote sites think that the requests come from your network. Solution: Reconfigure the remote proxy so that it only accepts requests coming from inside your network. Risk factor : Low/Medium Nessus ID : 10195
Informational	http (80/tcp)	A web server is running on this port Nessus ID : 10330
Informational	http (80/tcp)	An HTTP proxy is running on this port Nessus ID : 10330
Informational	http (80/tcp)	The remote web server type is : squid/2.5.PRE13 Solution : We recommend that you configure (if possible) your web server to return a bogus Server header in order to not leak information. Nessus ID : 10107
Informational	http (80/tcp)	This port was detected as being open by a port scanner but is now closed. This service might have been crashed by a port scanner or by some information gathering plugin Nessus ID : 10919
Warning	loc-srv (135/tcp)	DCE services running on the remote can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host. Solution : filter incoming traffic to this port. Risk factor : Low Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncalrpc[wzcsvc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncalrpc[OLE3] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncacn_np:\\XP[\PIPE\atsvc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncalrpc[wzcsvc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncalrpc[OLE3] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncacn_np:\\XP[\PIPE\atsvc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1 Endpoint: ncalrpc[wzcsvc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1 Endpoint: ncalrpc[OLE3] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1 Endpoint: ncacn_np:\\XP[\PIPE\atsvc] Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[wzcsvc] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[OLE3] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\XP[\PIPE\atsvc] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\XP[\PIPE\AudioSrv] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\XP[\PIPE\wkssvc] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\XP[\PIPE\SECLOGON] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\XP[\pipe\trkwks] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[trkwks] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\XP[\PIPE\W32TIME] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\XP[\pipe\keysvc] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[keysvc] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[senssvc] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\XP[\PIPE\srvsvc] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[srrpc] Annotation: Messenger Service Nessus ID : 10736
Informational	loc-srv (135/tcp)	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\XP[\PIPE\msgsvc] Annotation: Messenger Service Nessus ID : 10736
Vulnerability	netbios-ssn (139/tcp)	. It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user the 'guest' access To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261 (Windows 2000). Note that this won't completely disable null sessions, but will prevent them from connecting to IPC$ Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html . All the smb tests will be done as ''/'' in domain WORKGROUP CVE : CVE-2000-0222 BID : 990 Nessus ID : 10394
Warning	netbios-ssn (139/tcp)	The domain SID can be obtained remotely. Its value is : WORKGROUP : 0-0-0-0-0 An attacker can use it to obtain the list of the local users of this host Solution : filter the ports 137 to 139 and 445 Risk factor : Low CVE : CVE-2000-1200 BID : 959 Nessus ID : 10398
Warning	netbios-ssn (139/tcp)	The host SID can be obtained remotely. Its value is : XP : 5-21-583907252-2111687655-1957994488 An attacker can use it to obtain the list of the local users of this host Solution : filter the ports 137 to 139 and 445 Risk factor : Low CVE : CVE-2000-1200 BID : 959 Nessus ID : 10859
Warning	netbios-ssn (139/tcp)	Here is the browse list of the remote host : BENDER - XP - This is potentially dangerous as this may help the attack of a potential hacker by giving him extra targets to check for Solution : filter incoming traffic to this port Risk factor : Low Nessus ID : 10397
Informational	netbios-ssn (139/tcp)	The remote native lan manager is : Windows 2000 LAN Manager The remote Operating System is : Windows 5.1 The remote SMB Domain Name is : WORKGROUP Nessus ID : 10785
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncacn_ip_tcp:10.163.155.6[1025] Nessus ID : 10736
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncacn_ip_tcp:10.163.155.6[1025] Nessus ID : 10736
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1 Endpoint: ncacn_ip_tcp:10.163.155.6[1025] Nessus ID : 10736
Informational	blackjack (1025/tcp)	A DCE service is listening on this port UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_ip_tcp:10.163.155.6[1025] Annotation: Messenger Service Nessus ID : 10736
Informational	general/tcp	QueSO has found out that the remote host OS is * FreeBSD, NetBSD, OpenBSD CVE : CAN-1999-0454 Nessus ID : 10337
Informational	general/udp	For your information, here is the traceroute to 10.163.155.6 : ? 10.163.155.6 Nessus ID : 10287
Warning	netbios-ns (137/udp)	. The following 7 NetBIOS names have been gathered : XP = This is the computer name registered for workstation services by a WINS client. WORKGROUP = Workgroup / Domain name XP = Computer name that is registered for the messenger service on a computer that is a WINS client. XP WORKGROUP = Workgroup / Domain name (part of the Browser elections) WORKGROUP __MSBROWSE__ . The remote host has the following MAC address on its adapter : 0x00 0x60 0x1d 0x21 0xa9 0x49 If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port. Risk factor : Medium Nessus ID : 10150
Informational	ms-term-serv (3389/tcp)	The Terminal Services are enabled on the remote host. Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. Solution : Disable the Terminal Services if you do not use them Risk factor : Low Nessus ID : 10940
Informational	unknown (1027/udp)	A DCE service is listening on this port UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncadg_ip_udp:10.163.155.6[1027] Annotation: Messenger Service Nessus ID : 10736

[ return to top ]

Analysis of Host
Address of Host	Port/Service	Issue regarding Port
10.163.156.205	rtmp (1/tcp)	Security notes found
10.163.156.205	telnet (23/tcp)	Security hole found
10.163.156.205	ftp (21/tcp)	Security notes found
10.163.156.205	chargen (19/tcp)	Security warning(s) found
10.163.156.205	daytime (13/tcp)	Security warning(s) found
10.163.156.205	discard (9/tcp)	No Information
10.163.156.205	echo (7/tcp)	Security warning(s) found
10.163.156.205	smtp (25/tcp)	Security hole found
10.163.156.205	time (37/tcp)	Security notes found
10.163.156.205	finger (79/tcp)	Security warning(s) found
10.163.156.205	sunrpc (111/tcp)	Security notes found
10.163.156.205	exec (512/tcp)	Security warning(s) found
10.163.156.205	printer (515/tcp)	Security notes found
10.163.156.205	shell (514/tcp)	Security warning(s) found
10.163.156.205	login (513/tcp)	Security warning(s) found
10.163.156.205	ldaps (636/tcp)	Security notes found
10.163.156.205	blackjack (1025/tcp)	Security notes found
10.163.156.205	LSA-or-nterm (1026/tcp)	Security hole found
10.163.156.205	kdm (1024/tcp)	Security warning(s) found
10.163.156.205	ms-lsa (1029/tcp)	No Information
10.163.156.205	esl-lm (1455/tcp)	Security notes found
10.163.156.205	general/tcp	Security notes found
10.163.156.205	blackjack (1025/udp)	Security warning(s) found
10.163.156.205	sunrpc (111/udp)	Security notes found
10.163.156.205	general/udp	Security notes found
10.163.156.205	xdmcp (177/udp)	Security warning(s) found
10.163.156.205	echo (7/udp)	Security warning(s) found
10.163.156.205	daytime (13/udp)	Security warning(s) found

Security Issues and Fixes: 10.163.156.205
Type	Port	Issue and Fix
Informational	rtmp (1/tcp)	An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team: 00: 2d 53 65 72 76 69 63 65 20 6e 6f 74 20 61 76 61 -Service not ava 10: 69 6c 61 62 6c 65 0d 0a ilable.. Nessus ID : 11154
Vulnerability	telnet (23/tcp)	The account 'guest' has the password guest An attacker may use it to gain further privileges on this system Risk factor : High Solution : Set a password for this account or disable it CVE : CAN-1999-0502 Nessus ID : 11256
Vulnerability	telnet (23/tcp)	The account 'demos' has no password set. An attacker may use it to gain further privileges on this system Risk factor : High Solution : Set a password for this account or disable it CVE : CAN-1999-0502 Nessus ID : 11242
Vulnerability	telnet (23/tcp)	The account 'EZsetup' has no password set. An attacker may use it to gain further privileges on this system Risk factor : High Solution : Set a password for this account or disable it CVE : CAN-1999-0502 Nessus ID : 11241
Vulnerability	telnet (23/tcp)	The account 'root' has the password root An attacker may use it to gain further privileges on this system Risk factor : High Solution : Set a password for this account or disable it CVE : CAN-1999-0502 Nessus ID : 11255
Vulnerability	telnet (23/tcp)	The account 'lp' has no password set. An attacker may use it to gain further privileges on this system Risk factor : High Solution : Set a password for this account or disable it CVE : CAN-1999-0502 Nessus ID : 11246
Warning	telnet (23/tcp)	The Telnet service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the telnet client and the telnet server. This includes logins and passwords. You should disable this service and use OpenSSH instead. (www.openssh.com) Solution : Comment out the 'telnet' line in /etc/inetd.conf. Risk factor : Low CVE : CAN-1999-0619 Nessus ID : 10280
Informational	telnet (23/tcp)	A telnet server seems to be running on this port Nessus ID : 10330
Informational	telnet (23/tcp)	Remote telnet banner : IRIX (IRIS) Nessus ID : 10281
Informational	ftp (21/tcp)	An FTP server is running on this port. Here is its banner : 220 IRIS.fr.nessus.org FTP server ready. Nessus ID : 10330
Informational	ftp (21/tcp)	Remote FTP server banner : 220 IRIS.fr.nessus.org FTP server ready. Nessus ID : 10092
Warning	chargen (19/tcp)	The chargen service is running. The 'chargen' service should only be enabled when testing the machine. When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. An easy attack is 'pingpong' in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10043
Informational	chargen (19/tcp)	Chargen is running on this port Nessus ID : 10330
Warning	daytime (13/tcp)	The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10052
Warning	echo (7/tcp)	The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service. Risk factor : Low Solution : comment out 'echo' in /etc/inetd.conf CVE : CVE-1999-0103 Nessus ID : 10061
Informational	echo (7/tcp)	An echo server is running on this port Nessus ID : 10330
Vulnerability	smtp (25/tcp)	The remote sendmail server, according to its version number, may be vulnerable to the -bt overflow attack which allows any local user to execute arbitrary commands as root. Solution : upgrade to the latest version of Sendmail Risk factor : High Note : This vulnerability is _local_ only Nessus ID : 10809
Vulnerability	smtp (25/tcp)	The remote sendmail server, according to its version number, may be vulnerable to a buffer overflow its DNS handling code. The owner of a malicious name server could use this flaw to execute arbitrary code on this host. Solution : Upgrade to Sendmail 8.12.5 Risk factor : High CVE : CAN-2002-0906 BID : 5122 Nessus ID : 11232
Warning	smtp (25/tcp)	The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information. Solution : if you are using Sendmail, add the option O PrivacyOptions=goaway in /etc/sendmail.cf. Risk factor : Low CVE : CAN-1999-0531 Nessus ID : 10249
Warning	smtp (25/tcp)	The remote sendmail server, according to its version number, might be vulnerable to a queue destruction when a local user runs sendmail -q -h1000 If you system does not allow users to process the queue (which is the default), you are not vulnerable. Solution : upgrade to the latest version of Sendmail or do not allow users to process the queue (RestrictQRun option) Risk factor : Low Note : This vulnerability is _local_ only CVE : CAN-2001-0714 BID : 3378 Nessus ID : 11087
Warning	smtp (25/tcp)	According to the version number of the remote mail server, a local user may be able to obtain the complete mail configuration and other interesting information about the mail queue even if he is not allowed to access those information directly, by running sendmail -q -d0-nnnn.xxx where nnnn & xxx are debugging levels. If users are not allowed to process the queue (which is the default) then you are not vulnerable. Solution : upgrade to the latest version of Sendmail or do not allow users to process the queue (RestrictQRun option) Risk factor : Very low / none Note : This vulnerability is _local_ only CVE : CAN-2001-0715 BID : 3898 Nessus ID : 11088
Informational	smtp (25/tcp)	An SMTP server is running on this port Here is its banner : 220 IRIS.fr.nessus.org ESMTP Sendmail SGI-8.9.3/8.9.3; Fri, 21 Feb 2003 06:09:50 -0800 (PST) Nessus ID : 10330
Informational	smtp (25/tcp)	Remote SMTP server banner : 220 IRIS.fr.nessus.org ESMTP Sendmail SGI-8.9.3/8.9.3; Fri, 21 Feb 2003 06:11:07 -0800 (PST) Nessus ID : 10263
Informational	smtp (25/tcp)	Nessus sent several emails containing the EICAR test strings in them to the postmaster of the remote SMTP server. The EICAR test string is a fake virus which triggers anti-viruses, in order to make sure they run. Nessus attempted to e-mail this string five times, with different codings each time, in order to attempt to fool the remote anti-virus (if any). If there is an antivirus filter, these messages should all be blocked. * To determine if the remote host is vulnerable, see * if any mail arrived to the postmaster of this host Solution: Install an antivirus / upgrade it Reference : http://online.securityfocus.com/archive/1/256619 Reference : http://online.securityfocus.com/archive/1/44301 Reference : http://online.securityfocus.com/links/188 Risk factor : Low Nessus ID : 11034
Informational	time (37/tcp)	A time server seems to be running on this port Nessus ID : 10330
Warning	finger (79/tcp)	The 'finger' service provides useful information to attackers, since it allow them to gain usernames, check if a machine is being used, and so on... Risk factor : Low Solution : comment out the 'finger' line in /etc/inetd.conf CVE : CVE-1999-0612 Nessus ID : 10068
Informational	finger (79/tcp)	A finger server seems to be running on this port Nessus ID : 10330
Informational	sunrpc (111/tcp)	RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Warning	exec (512/tcp)	The rexecd service is open. Because rexecd does not provide any good means of authentication, it can be used by an attacker to scan a third party host, giving you troubles or bypassing your firewall. Solution : comment out the 'exec' line in /etc/inetd.conf. Risk factor : Medium CVE : CAN-1999-0618 Nessus ID : 10203
Informational	printer (515/tcp)	A LPD server seems to be running on this port Nessus ID : 10330
Warning	shell (514/tcp)	The rsh service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords. You should disable this service and use ssh instead. Solution : Comment out the 'rsh' line in /etc/inetd.conf. Risk factor : Low CVE : CAN-1999-0651 Nessus ID : 10245
Warning	login (513/tcp)	The rlogin service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rlogin client and the rlogin server. This includes logins and passwords. You should disable this service and use openssh instead (www.openssh.com) Solution : Comment out the 'rlogin' line in /etc/inetd.conf. Risk factor : Low CVE : CAN-1999-0651 Nessus ID : 10205
Informational	ldaps (636/tcp)	RPC program #391017 version 1 is running on this port Nessus ID : 11111
Informational	blackjack (1025/tcp)	RPC program #391029 version 1 is running on this port Nessus ID : 11111
Vulnerability	LSA-or-nterm (1026/tcp)	The tooltalk RPC service is running. An possible implementation fault in the ToolTalk object database server may allow an attacker to execute arbitrary commands as root. * This warning may be a false * positive since the presence * of this vulnerability is only accurately * identified with local access. Solution : Disable this service. See also : CERT Advisory CA-98.11 Risk factor : High CVE : CVE-1999-0003, CVE-1999-0693 BID : 122 Nessus ID : 10239
Vulnerability	LSA-or-nterm (1026/tcp)	The tooltalk RPC service is running. There is a format string bug in many versions of this service, which allow an attacker to gain root remotely. In addition to this, several versions of this service allow remote attackers to overwrite abitrary memory locations with a zero and possibly gain privileges via a file descriptor argument in an AUTH_UNIX procedure call which is used as a table index by the _TT_ISCLOSE procedure. * This warning may be a false positive since the presence * of the bug was not verified locally. Solution : Disable this service or patch it See also : CERT Advisories CA-2001-27 and CA-2002-20 Risk factor : High CVE : CAN-2002-0677, CVE-2001-0717, CVE-2002-0679 BID : 3382 Nessus ID : 10787
Informational	LSA-or-nterm (1026/tcp)	RPC program #100083 version 1 is running on this port Nessus ID : 11111
Warning	kdm (1024/tcp)	The fam RPC service is running. Several versions of this service have a well-known buffer overflow condition that allows intruders to execute arbitrary commands as root on this system. Solution : disable this service in /etc/inetd.conf More information : http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp Risk factor : High CVE : CVE-1999-0059 BID : 353 Nessus ID : 10216
Informational	kdm (1024/tcp)	RPC program #391002 version 1 'sgi_fam' (fam) is running on this port Nessus ID : 11111
Informational	kdm (1024/tcp)	RPC program #391002 version 2 'sgi_fam' (fam) is running on this port Nessus ID : 11111
Informational	esl-lm (1455/tcp)	The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper Nessus ID : 10330
Informational	general/tcp	QueSO has found out that the remote host OS is * IRIX 6.x? CVE : CAN-1999-0454 Nessus ID : 10337
Warning	blackjack (1025/udp)	The rstatd RPC service is running. It provides an attacker interesting information such as : - the CPU usage - the system uptime - its network usage - and more Usually, it is not a good idea to let this service open Risk factor : Low CVE : CAN-1999-0624 Nessus ID : 10227
Informational	blackjack (1025/udp)	RPC program #100001 version 1 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port Nessus ID : 11111
Informational	blackjack (1025/udp)	RPC program #100001 version 2 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port Nessus ID : 11111
Informational	blackjack (1025/udp)	RPC program #100001 version 3 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port Nessus ID : 11111
Informational	sunrpc (111/udp)	RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	general/udp	For your information, here is the traceroute to 10.163.156.205 : 10.163.156.205 Nessus ID : 10287
Warning	xdmcp (177/udp)	The remote host is running XDMCP. This protocol is used to provide X display connections for X terminals. XDMCP is completely insecure, since the traffic and passwords are not encrypted. An attacker may use this flaw to capture all the keystrokes of the users using this host through their X terminal, including passwords. Risk factor : Medium Solution : Disable XDMCP Nessus ID : 10891
Warning	echo (7/udp)	The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service. Risk factor : Low Solution : comment out 'echo' in /etc/inetd.conf CVE : CVE-1999-0103 Nessus ID : 10061
Warning	daytime (13/udp)	The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10052

[ return to top ]

Analysis of Host
Address of Host	Port/Service	Issue regarding Port
10.163.156.16	smtp (25/tcp)	Security hole found
10.163.156.16	telnet (23/tcp)	Security hole found
10.163.156.16	ftp (21/tcp)	Security hole found
10.163.156.16	chargen (19/tcp)	Security warning(s) found
10.163.156.16	daytime (13/tcp)	Security warning(s) found
10.163.156.16	discard (9/tcp)	No Information
10.163.156.16	echo (7/tcp)	Security warning(s) found
10.163.156.16	time (37/tcp)	Security notes found
10.163.156.16	finger (79/tcp)	Security warning(s) found
10.163.156.16	sunrpc (111/tcp)	Security notes found
10.163.156.16	login (513/tcp)	Security warning(s) found
10.163.156.16	exec (512/tcp)	Security warning(s) found
10.163.156.16	printer (515/tcp)	Security notes found
10.163.156.16	shell (514/tcp)	Security warning(s) found
10.163.156.16	uucp (540/tcp)	Security notes found
10.163.156.16	xaudio (1103/tcp)	No Information
10.163.156.16	general/tcp	Security notes found
10.163.156.16	dtspc (6112/tcp)	Security hole found
10.163.156.16	sunrpc (111/udp)	Security notes found
10.163.156.16	sometimes-rpc8 (32772/udp)	Security notes found
10.163.156.16	sometimes-rpc21 (32779/tcp)	Security notes found
10.163.156.16	sometimes-rpc12 (32774/udp)	Security notes found
10.163.156.16	sometimes-rpc14 (32775/udp)	Security notes found
10.163.156.16	sometimes-rpc10 (32773/udp)	Security notes found
10.163.156.16	unknown (32790/tcp)	Security notes found
10.163.156.16	sometimes-rpc16 (32776/udp)	Security notes found
10.163.156.16	unknown (32791/tcp)	Security notes found
10.163.156.16	sometimes-rpc18 (32777/udp)	Security notes found
10.163.156.16	sometimes-rpc20 (32778/udp)	Security notes found
10.163.156.16	sometimes-rpc22 (32779/udp)	Security notes found
10.163.156.16	lockd (4045/udp)	Security notes found
10.163.156.16	unknown (32792/tcp)	Security notes found
10.163.156.16	unknown (32793/tcp)	Security notes found
10.163.156.16	sometimes-rpc24 (32780/udp)	Security notes found
10.163.156.16	unknown (32794/tcp)	Security notes found
10.163.156.16	lockd (4045/tcp)	Security notes found
10.163.156.16	unknown (32812/udp)	Security notes found
10.163.156.16	unknown (32795/tcp)	Security notes found
10.163.156.16	unknown (32813/udp)	Security notes found
10.163.156.16	unknown (32796/tcp)	Security notes found
10.163.156.16	snmp (161/udp)	Security hole found
10.163.156.16	xdmcp (177/udp)	Security warning(s) found
10.163.156.16	general/udp	Security notes found
10.163.156.16	font-service (7100/tcp)	Security hole found
10.163.156.16	echo (7/udp)	Security warning(s) found
10.163.156.16	daytime (13/udp)	Security warning(s) found

Security Issues and Fixes: 10.163.156.16
Type	Port	Issue and Fix
Vulnerability	smtp (25/tcp)	The remote SMTP server did not complain when issued the command : MAIL FROM: \|testing This probably means that it is possible to send mail that will be bounced to a program, which is a serious threat, since this allows anyone to execute arbitrary commands on this host. * This security hole might be a false positive, since * some MTAs will not complain to this test, but instead *** just drop the message silently Solution : upgrade your MTA or change it. Risk factor : High CVE : CVE-1999-0203 BID : 2308 Nessus ID : 10258
Warning	smtp (25/tcp)	The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information. Solution : if you are using Sendmail, add the option O PrivacyOptions=goaway in /etc/sendmail.cf. Risk factor : Low CVE : CAN-1999-0531 Nessus ID : 10249
Warning	smtp (25/tcp)	The remote SMTP server is vulnerable to a redirection attack. That is, if a mail is sent to : user@hostname1@victim Then the remote SMTP server (victim) will happily send the mail to : user@hostname1 Using this flaw, an attacker may route a message through your firewall, in order to exploit other SMTP servers that can not be reached from the outside. * THIS WARNING MAY BE A FALSE POSITIVE, SINCE SOME SMTP SERVERS LIKE POSTFIX WILL NOT COMPLAIN BUT DROP THIS MESSAGE * Solution : if you are using sendmail, then at the top of ruleset 98, in /etc/sendmail.cf, insert : R$@$@$* $#error $@ 5.7.1 $: '551 Sorry, no redirections.' Risk factor : Low Nessus ID : 10250
Warning	smtp (25/tcp)	The remote SMTP server allows the relaying. This means that it allows spammers to use your mail server to send their mails to the world, thus wasting your network bandwidth. Risk factor : Low/Medium Solution : configure your SMTP server so that it can't be used as a relay any more. CVE : CAN-1999-0512 Nessus ID : 10262
Warning	smtp (25/tcp)	The remote SMTP server allows anyone to use it as a mail relay, provided that the source address is set to '<>'. This problem allows any spammer to use your mail server to spam the world, thus blacklisting your mailserver, and using your network resources. Risk factor : Medium Solution : reconfigure this server properly CVE : CVE-1999-0819 Nessus ID : 10167
Warning	smtp (25/tcp)	The remote SMTP server seems to allow remote users to send mail anonymously by providing arguments that are too long to the HELO command (more than 1024 chars). This problem may allow malicious users to send hate mail or threatening mail using your server, and keep their anonymity. Risk factor : Low Solution : If you are using sendmail, upgrade to version 8.9.x or newer. If you do not run sendmail, contact your vendor. CVE : CAN-1999-0098 Nessus ID : 10260
Informational	smtp (25/tcp)	An unknown service is running on this port. It is usually reserved for SMTP Nessus ID : 10330
Informational	smtp (25/tcp)	Remote SMTP server banner : 220 unknown. Sendmail SMI-8.6/SMI-SVR4 ready at Fri, 21 Feb 2003 15:10:24 GMT Nessus ID : 10263
Informational	smtp (25/tcp)	An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team: 00: 32 32 30 20 75 6e 6b 6e 6f 77 6e 2e 20 53 65 6e 220 unknown. Sen 10: 64 6d 61 69 6c 20 53 4d 49 2d 38 2e 36 2f 53 4d dmail SMI-8.6/SM 20: 49 2d 53 56 52 34 20 72 65 61 64 79 20 61 74 20 I-SVR4 ready at 30: 46 72 69 2c 20 32 31 20 46 65 62 20 32 30 30 33 Fri, 21 Feb 2003 40: 20 31 35 3a 30 38 3a 33 38 20 47 4d 54 0d 0a 35 15:08:38 GMT..5 50: 30 30 20 43 6f 6d 6d 61 6e 64 20 75 6e 72 65 63 00 Command unrec 60: 6f 67 6e 69 7a 65 64 0d 0a 35 30 30 20 43 6f 6d ognized..500 Com 70: 6d 61 6e 64 20 75 6e 72 65 63 6f 67 6e 69 7a 65 mand unrecognize 80: 64 0d 0a d.. Nessus ID : 11154
Vulnerability	telnet (23/tcp)	The remote /bin/login seems to crash when it receives too many environment variables. An attacker may use this flaw to gain a root shell on this system. See also : http://www.cert.org/advisories/CA-2001-34.html Solution : Contact your vendor for a patch (or read the CERT advisory) Risk factor : High CVE : CVE-2001-0797 BID : 3681 Nessus ID : 10827
Vulnerability	telnet (23/tcp)	The Telnet server does not return an expected number of replies when it receives a long sequence of 'Are You There' commands. This probably means it overflows one of its internal buffers and crashes. It is likely an attacker could abuse this bug to gain control over the remote host's superuser. For more information, see: http://www.team-teso.net/advisories/teso-advisory-011.tar.gz Solution: Comment out the 'telnet' line in /etc/inetd.conf. Risk factor : High CVE : CVE-2001-0554 BID : 3064 Nessus ID : 10709
Vulnerability	telnet (23/tcp)	There is a bug in the remote /bin/login which allows an attacker to gain a shell on this host, without even sending a shell code. An attacker may use this flaw to log in as any user (except root) on the remote host. Here is the output of the command 'cat /etc/passwd' : cat /etc/passwd root:x:0:1:Super-User:/:/sbin/sh daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: adm:x:4:4:Admin:/var/adm: lp:x:71:8:Line Printer Admin:/usr/spool/lp: smtp:x:0:0:Mail Daemon User:/: uucp:x:5:5:uucp Admin:/usr/lib/uucp: nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico listen:x:37:4:Network Admin:/usr/net/nls: nobody:x:60001:60001:Nobody:/: noaccess:x:60002:60002:No Access User:/: nobody4:x:65534:65534:SunOS 4.x Nobody:/: renaud:x:100:1::/home/renaud:/bin/sh $ Solution : See http://www.cert.org/advisories/CA-2001-34.html Risk factor : High CVE : CVE-2001-0797 BID : 3681 Nessus ID : 11136
Warning	telnet (23/tcp)	The Telnet service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the telnet client and the telnet server. This includes logins and passwords. You should disable this service and use OpenSSH instead. (www.openssh.com) Solution : Comment out the 'telnet' line in /etc/inetd.conf. Risk factor : Low CVE : CAN-1999-0619 Nessus ID : 10280
Informational	telnet (23/tcp)	A telnet server seems to be running on this port Nessus ID : 10330
Informational	telnet (23/tcp)	Remote telnet banner : SunOS 5.6 Nessus ID : 10281
Vulnerability	ftp (21/tcp)	You seem to be running an FTP server which is vulnerable to the 'glob heap corruption' flaw. An attacker may use this problem to execute arbitrary commands on this host. * Nessus relied solely on the banner of the server to issue this warning, * so this alert might be a false positive Solution : Upgrade your ftp server software to the latest version. Risk factor : High CVE : CVE-2001-0550 BID : 3581 Nessus ID : 10821
Informational	ftp (21/tcp)	An FTP server is running on this port. Here is its banner : 220 unknown FTP server (SunOS 5.6) ready. Nessus ID : 10330
Informational	ftp (21/tcp)	Remote FTP server banner : 220 unknown FTP server (SunOS 5.6) ready. Nessus ID : 10092
Warning	chargen (19/tcp)	The chargen service is running. The 'chargen' service should only be enabled when testing the machine. When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. An easy attack is 'pingpong' in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10043
Informational	chargen (19/tcp)	Chargen is running on this port Nessus ID : 10330
Warning	daytime (13/tcp)	The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10052
Warning	echo (7/tcp)	The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service. Risk factor : Low Solution : comment out 'echo' in /etc/inetd.conf CVE : CVE-1999-0103 Nessus ID : 10061
Informational	echo (7/tcp)	An echo server is running on this port Nessus ID : 10330
Informational	time (37/tcp)	A time server seems to be running on this port Nessus ID : 10330
Warning	finger (79/tcp)	The 'finger' service provides useful information to attackers, since it allow them to gain usernames, check if a machine is being used, and so on... Risk factor : Low Solution : comment out the 'finger' line in /etc/inetd.conf CVE : CVE-1999-0612 Nessus ID : 10068
Warning	finger (79/tcp)	The remote finger daemon accepts to redirect requests. That is, users can perform requests like : finger user@host@victim This allows an attacker to use your computer as a relay to gather information on another network, making the other network think you are making the requests. Solution: disable your finger daemon (comment out the finger line in /etc/inetd.conf) or install a more secure one. Risk factor : Low CVE : CAN-1999-0105 Nessus ID : 10073
Warning	finger (79/tcp)	There is a bug in the finger service which will make it display the list of the accounts that have never been used, when anyone issues the request : finger 'a b c d e f g h'@target This list will help an attacker to guess the operating system type. It will also tell him which accounts have never been used, which will often make him focus his attacks on these accounts. Solution : disable the finger service in /etc/inetd.conf, or apply the patches from Sun. Risk factor : Medium BID : 3457 Nessus ID : 10788
Informational	finger (79/tcp)	A finger server seems to be running on this port Nessus ID : 10330
Informational	sunrpc (111/tcp)	RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sunrpc (111/tcp)	RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sunrpc (111/tcp)	RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Warning	login (513/tcp)	The rlogin service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rlogin client and the rlogin server. This includes logins and passwords. You should disable this service and use openssh instead (www.openssh.com) Solution : Comment out the 'rlogin' line in /etc/inetd.conf. Risk factor : Low CVE : CAN-1999-0651 Nessus ID : 10205
Warning	exec (512/tcp)	The rexecd service is open. Because rexecd does not provide any good means of authentication, it can be used by an attacker to scan a third party host, giving you troubles or bypassing your firewall. Solution : comment out the 'exec' line in /etc/inetd.conf. Risk factor : Medium CVE : CAN-1999-0618 Nessus ID : 10203
Informational	printer (515/tcp)	A LPD server seems to be running on this port Nessus ID : 10330
Warning	shell (514/tcp)	The rsh service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords. You should disable this service and use ssh instead. Solution : Comment out the 'rsh' line in /etc/inetd.conf. Risk factor : Low CVE : CAN-1999-0651 Nessus ID : 10245
Informational	uucp (540/tcp)	The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper Nessus ID : 10330
Informational	general/tcp	QueSO has found out that the remote host OS is * Solaris 2.x CVE : CAN-1999-0454 Nessus ID : 10337
Vulnerability	dtspc (6112/tcp)	The 'dtspcd' service is running. Some versions of this daemon are vulnerable to a buffer overflow attack which allows an attacker to gain root privileges * This warning might be a false positive, * as no real overflow was performed Solution : See http://www.cert.org/advisories/CA-2001-31.html to determine if you are vulnerable or deactivate this service (comment out the line 'dtspc' in /etc/inetd.conf) Risk factor : High CVE : CVE-2001-0803 BID : 3517 Nessus ID : 10833
Informational	sunrpc (111/udp)	RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sunrpc (111/udp)	RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sunrpc (111/udp)	RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port Nessus ID : 11111
Informational	sometimes-rpc8 (32772/udp)	RPC program #100300 version 3 'nisd' (rpc.nisd) is running on this port Nessus ID : 11111
Informational	sometimes-rpc21 (32779/tcp)	RPC program #100300 version 3 'nisd' (rpc.nisd) is running on this port Nessus ID : 11111
Informational	sometimes-rpc12 (32774/udp)	RPC program #100232 version 10 'sadmind' is running on this port Nessus ID : 11111
Informational	sometimes-rpc14 (32775/udp)	RPC program #100011 version 1 'rquotad' (rquotaprog quota rquota) is running on this port Nessus ID : 11111
Informational	sometimes-rpc10 (32773/udp)	RPC program #100024 version 1 'status' is running on this port Nessus ID : 11111
Informational	unknown (32790/tcp)	RPC program #100024 version 1 'status' is running on this port Nessus ID : 11111
Informational	sometimes-rpc16 (32776/udp)	RPC program #100002 version 2 'rusersd' (rusers) is running on this port Nessus ID : 11111
Informational	sometimes-rpc16 (32776/udp)	RPC program #100002 version 3 'rusersd' (rusers) is running on this port Nessus ID : 11111
Informational	unknown (32791/tcp)	RPC program #100002 version 2 'rusersd' (rusers) is running on this port Nessus ID : 11111
Informational	unknown (32791/tcp)	RPC program #100002 version 3 'rusersd' (rusers) is running on this port Nessus ID : 11111
Informational	sometimes-rpc18 (32777/udp)	RPC program #100012 version 1 'sprayd' (spray) is running on this port Nessus ID : 11111
Informational	sometimes-rpc20 (32778/udp)	RPC program #100008 version 1 'walld' (rwall shutdown) is running on this port Nessus ID : 11111
Informational	sometimes-rpc22 (32779/udp)	RPC program #100001 version 2 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port Nessus ID : 11111
Informational	sometimes-rpc22 (32779/udp)	RPC program #100001 version 3 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port Nessus ID : 11111
Informational	sometimes-rpc22 (32779/udp)	RPC program #100001 version 4 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port Nessus ID : 11111
Informational	lockd (4045/udp)	RPC program #100021 version 1 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/udp)	RPC program #100021 version 2 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/udp)	RPC program #100021 version 3 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/udp)	RPC program #100021 version 4 'nlockmgr' is running on this port Nessus ID : 11111
Informational	unknown (32792/tcp)	RPC program #100221 version 1 is running on this port Nessus ID : 11111
Informational	unknown (32793/tcp)	RPC program #100235 version 1 is running on this port Nessus ID : 11111
Informational	sometimes-rpc24 (32780/udp)	RPC program #100068 version 2 is running on this port Nessus ID : 11111
Informational	sometimes-rpc24 (32780/udp)	RPC program #100068 version 3 is running on this port Nessus ID : 11111
Informational	sometimes-rpc24 (32780/udp)	RPC program #100068 version 4 is running on this port Nessus ID : 11111
Informational	sometimes-rpc24 (32780/udp)	RPC program #100068 version 5 is running on this port Nessus ID : 11111
Informational	unknown (32794/tcp)	RPC program #100083 version 1 is running on this port Nessus ID : 11111
Informational	lockd (4045/tcp)	RPC program #100021 version 1 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/tcp)	RPC program #100021 version 2 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/tcp)	RPC program #100021 version 3 'nlockmgr' is running on this port Nessus ID : 11111
Informational	lockd (4045/tcp)	RPC program #100021 version 4 'nlockmgr' is running on this port Nessus ID : 11111
Informational	unknown (32812/udp)	RPC program #300598 version 1 is running on this port Nessus ID : 11111
Informational	unknown (32812/udp)	RPC program #805306368 version 1 is running on this port Nessus ID : 11111
Informational	unknown (32795/tcp)	RPC program #300598 version 1 is running on this port Nessus ID : 11111
Informational	unknown (32795/tcp)	RPC program #805306368 version 1 is running on this port Nessus ID : 11111
Informational	unknown (32813/udp)	RPC program #100249 version 1 is running on this port Nessus ID : 11111
Informational	unknown (32796/tcp)	RPC program #100249 version 1 is running on this port Nessus ID : 11111
Vulnerability	snmp (161/udp)	SNMP Agent responded as expected with community name: public SNMP Agent responded as expected with community name: private SNMP Agent responded as expected with community name: all private CVE : CAN-1999-0186 BID : 177 Nessus ID : 10264
Warning	snmp (161/udp)	It was possible to obtain the list of network interfaces of the remote host via SNMP : . /etc/snmp/conf/snmpdx.rsrc . /etc/snmp/conf An attacker may use this information to gain more knowledge about the target host. Solution : disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port Risk factor : Low Nessus ID : 10551
Warning	xdmcp (177/udp)	The remote host is running XDMCP. This protocol is used to provide X display connections for X terminals. XDMCP is completely insecure, since the traffic and passwords are not encrypted. An attacker may use this flaw to capture all the keystrokes of the users using this host through their X terminal, including passwords. Risk factor : Medium Solution : Disable XDMCP Nessus ID : 10891
Informational	general/udp	For your information, here is the traceroute to 10.163.156.16 : ? 10.163.156.16 Nessus ID : 10287
Vulnerability	font-service (7100/tcp)	The remote X Font Service (xfs) might be vulnerable to a buffer overflow. An attacker may use this flaw to gain root on this host remotely. * Note that Nessus did not actually check for the flaw * as details about this vulnerability are still unknown Solution : See CERT Advisory CA-2002-34 Risk factor : High CVE : CAN-2002-1317 Nessus ID : 11188
Warning	echo (7/udp)	The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service. Risk factor : Low Solution : comment out 'echo' in /etc/inetd.conf CVE : CVE-1999-0103 Nessus ID : 10061
Warning	daytime (13/udp)	The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service. Solution : disable this service in /etc/inetd.conf. Risk factor : Low CVE : CVE-1999-0103 Nessus ID : 10052

This file was generated by Nessus, the open-sourced security scanner.