Nessus Scan Report
Number of hosts which were alive during the test : 5
Number of security holes found : 17
Number of security warnings found : 93
Number of security notes found : 0
List of the tested hosts :
bonsai.fr.nessus.org :
List of open ports :
Warning found on port ftp (21/tcp)
Warning found on port ftp (21/tcp)
The FTP service allows anonymous logins. If you do not
want to share data with anyone you do not know, then you should deactivate
the anonymous account, since it can only cause troubles.
Under most Unix system, doing :
echo ftp >> /etc/ftpusers
will correct this.
Risk factor : Low
CVE : CAN-1999-0497
Warning found on port smtp (25/tcp)
bonsai.fr.nessus.org ESMTP CommuniGate Pro 3.1.
214-Commands Supported:214-HELO EHLO AUTH HELP QUIT MAIL NOOP RSET RCPT DATA ETRN VRFY STARTTLS
214-Copyright (c) 1995-1998, Stalker Software, Inc.
214-To report problems, send mail to <support@stalker.com>
214-
214 End Of Help
Warning found on port smtp (25/tcp)
The remote STMP server seems to allow remote users to
send mail anonymously by providing a too long argument
to the HELO command (more than 1024 chars).
This problem may allow bad guys to send hate
mail, or threatening mail using your server
and keep their anonymity.
Risk factor : Low.
Solution : If you are using sendmail, upgrade to
version 8.9.x. If you do not run sendmail, contact
your vendor.
CVE : CAN-1999-0098
Warning found on port smtp (25/tcp)
The remote SMTP server allows the relaying. This means that
it allows spammers to use your mail server to send their mails to
the world, thus wasting your network bandwidth.
Risk factor : Low/Medium
Solution : configure your SMTP server so that it can't be used as a relay
any more.
CVE : CAN-1999-0512
Vulnerability found on port www (80/tcp)
The CGI /scripts/tools/newdsn.exe is present.
This CGI allows any cracker to create files
anywhere on your system if your NTFS permissions
are not tight enough, and can be used to overwrite
DSNs on existing dabases.
Solution : remove it
Risk factor : High
CVE : CVE-1999-0191
Vulnerability found on port www (80/tcp)
The webserver is likely vulnerable to a common IIS exploit from a hacker
called 'Rain Forest Puppy'. This exploit enables an attacker to execute _ANY_
command on the server with Administrator Privileges. The exploit is made possible
via a buffer overflow in /msadc/msadcs.dll
See BUGTRAQ ID 529 on www.securityfocus.com (http://www.securityfocus.com/bid/529)
for more information.
Risk factor : High
Vulnerability found on port www (80/tcp)
It is possible to get the source code of the remote
ASP scripts by doing the request :
GET /null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full
ASP source codes usually contain sensitive informations such
as logins and passwords.
Solution : if you need the functionnality provided by WebHits, then
install the patch available at :
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
If you do not need this functionality, then unmap the .htw extensions
from webhits.dll using Internet Service Manager MMC snap-in.
Risk factor : Serious
CVE : CVE-2000-0097
Vulnerability found on port www (80/tcp)
The CGI /scripts/tools/mkilog.exe is present.
This CGI allows any cracker to view SQL databases
informations as to modify it.
Solution : remove it
Risk factor : Serious
Vulnerability found on port www (80/tcp)
Some of the following sample files are present :
/iissamples/issamples/fastq.idq
/iissamples/issamples/query.idq
/iissamples/exair/search/search.idq
/iissamples/exair/search/query.idq
/iissamples/issamples/oop/qsumrhit.htw?CiWebHitsFile=/iissamples/issamples/oop/qsumrhit.htw&CiRestriction=none&CiHiliteType=Full
/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/iissamples/issamples/oop/qfullhit.htw&CiRestriction=none&CiHiliteType=Full
/scripts/samples/search/author.idq
/scripts/samples/search/filesize.idq
/scripts/samples/search/filetime.idq
/scripts/samples/search/queryhit.idq
/scripts/samples/search/simple.idq
/iissamples/exair/howitworks/codebrws.asp
/iissamples/issamples/query.asp
They all contain various security flaws that allows a
cracker to execute arbitrary commands, read arbitrary files
or gain more knowledge about the remote system.
Solution : delete the whole /iissamples directory
Risk factor : High
Vulnerability found on port www (80/tcp)
The file /scripts/repost.asp is present.
This file allows users to upload files to the
/users directory if it has not been configured
properly
Solution : create /users and make sure that the
internet anonymous internet account is
only given read access to it
Risk factor : Serious
Vulnerability found on port www (80/tcp)
The file /iisadmpwd/aexp2.htr is present.
A cracker may use it in a brute force attack
to gain valid username/password.
Solution : delete it
Risk factor : Serious
Vulnerability found on port www (80/tcp)
The dll '/_vti_bin/_vti_aut/dvwssr.dll' seems to be present.
This dll contains a bug which allows anyone with
authoring web permissions on this system to alter
the files of other users.
In addition to this, this file is subject to a buffer overflow
which allows anyone to execute arbitrary commands on the
server and/or disable it
Solution : delete /_vti_bin/_vti_aut/dvwssr.dll
Risk factor : High
See also : http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=1
Vulnerability found on port www (80/tcp)
It is possible to get the source code of the remote
ASP scripts by appending ::$DATA at the end
of the request (like GET /default.asp::$DATA)
ASP source codes usually contain sensitive informations such
as logins and passwords.
Solution : install all the latest Microsoft Security Patches
Risk factor : Serious
CVE : CVE-1999-0278
Warning found on port www (80/tcp)
Warning found on port www (80/tcp)
The remote web server appears to be running with
Frontpage extensions.
You should double check the configuration since
a lot of security problems have been found with
FrontPage when the configuration file is
not well set up.
Risk factor : High if your configuration file is
not well set up
CVE : CVE-1999-0386
Warning found on port pop-3 (110/tcp)
Vulnerability found on port netbios-ssn (139/tcp)
. It was possible to log into the remote host using the following
login/password combinations :
'guest'/''
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
. The remote host defaults to guest when a user logs in using an invalid
login. For instance, we could log in using the account 'nessus/nessus'
. All the smb tests will be done as 'guest'/''
Vulnerability found on port netbios-ssn (139/tcp)
The following shares can be accessed as guest :
- NETLOGON
- A
- C
- IAS1$
- src$
Solution : To restrict their access under WindowsNT, open the explorer, do a right click on each,
go to the 'sharing' tab, and click on 'permissions'
Risk factor : High
CVE : CAN-1999-0519
Vulnerability found on port netbios-ssn (139/tcp)
. User 'guest' has NO password !
. The password of 'thibault' is 'thibault' !
. User 'MTS Trusted Impersonators' has NO password !
. User 'Cert Requesters' has NO password !
. User 'Cert Server Admins' has NO password !
Warning found on port netbios-ssn (139/tcp)
The remote registry can be accessed remotely
using the login / password combination used
for the SMB tests.
Having the registry accessible to the world is
not a good thing as it gives extra knowledge to
a hacker.
Solution : filter incoming traffic to this port or set
tight login restrictions.
Risk factor : Low
Warning found on port netbios-ssn (139/tcp)
The domain SID can be obtained remotely. Its value is :
INTRANET : 5-21-20333150-368275040-1648912389
An attacker can use it to obtain the list of the users of the domain
Solution : filter the ports 137 to 139
Risk factor : Low
Warning found on port netbios-ssn (139/tcp)
The domain SID could be used to enumerate the names of the users
in the domain.
(we only enumerated users name whose ID is between 1000 and 1050
for performance reasons)
This gives extra knowledge to a cracker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : guest (id 501)
- BONSAI$ (id 1000)
- IUSR_BONSAI (id 1001)
- Renaud (id 1002)
- thibault (id 1003)
- MTS Trusted Impersonators (id 1005)
- IWAM_BONSAI (id 1006)
- Cert Requesters (id 1007)
- Cert Server Admins (id 1008)
- PROFWINDOWS$ (id 1009)
Risk factor : Medium
Solution : filter incoming connections to port 139
Warning found on port netbios-ssn (139/tcp)
Here is the browse list of the remote host :
BONSAI -
PROF23567 - Samba Server
This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
Warning found on port netbios-ssn (139/tcp)
Here is the list of the SMB shares of this host :
NETLOGON - Logon server share
A - disquette
C -
IPC$ - Remote IPC
IAS1$ -
src$ -
This is potentially dangerous as this may help the attack
of a potential hacker.
Solution : filter incoming traffic to this port
Risk factor : Medium
Warning found on port unknown (554/tcp)
Warning found on port unknown (5228/tcp)
Warning found on port unknown (7070/tcp)
Warning found on port unknown (8010/tcp)
Warning found on port unknown (8010/tcp)
Warning found on port webcache (8080/tcp)
Warning found on port unknown (8100/tcp)
Warning found on port unknown (8100/tcp)
Warning found on port unknown (8570/tcp)
Warning found on port unknown (8570/tcp)
Warning found on port general/tcp
Warning found on port general/tcp
If numbers are close together, or rise by the same number all the time,
it means that the amount of traffic can be predicted by monitoring
changes in the idetification numbers (since these aren't randomized
enough).
This may help attackers with several other attacks, such as Session
Hijacking or with Session Spoofing, where in those cases the attacker
needs to predict certain charactistics of the attacked computer (such
as traffic size).
The IP Identification numbers retrieved and their relative size were:
ID: 50191
ID: 50447 relative size: 256
ID: 50703 relative size: 256
ID: 50959 relative size: 256
ID: 51215 relative size: 256
ID: 51471 relative size: 256
ID: 51727 relative size: 256
ID: 51983 relative size: 256
ID: 52239 relative size: 256
ID: 52495 relative size: 256
Warning found on port general/udp
For your information, here is the traceroute to 192.168.1.8 :
192.168.1.8
Warning found on port netbios-ns (137/udp)
. The following 11 NetBIOS names have been gathered :
BONSAI = This is the computer name registered for workstation services by a WINS client.
BONSAI
INTRANET = Workgroup / Domain name
INTRANET
INTRANET
BONSAI = Computer name that is registered for the messenger service on a computer that is a WINS client.
INTRANET
INTRANET
��__MSBROWSE__�
INet~Services
IS~BONSAI = This is the computer name registered for workstation services by a WINS client.
. The remote host has the following MAC address on its adapter :
0x00 0x80 0xad 0x90 0x23 0x14
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
prof.fr.nessus.org :
List of open ports :
Warning found on port echo (7/tcp)
The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.
Risk factor : Low.
Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Warning found on port daytime (13/tcp)
The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.
In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
Warning found on port chargen (19/tcp)
The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.
When contacted, chargen responds with some random (something like all
the characters in the alphabet in row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.
An easy attack is 'pingpong' which IP spoofs a packet between two machines
running chargen. They will commence spewing characters at each other, slowing
the machines down and saturating the network.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
Vulnerability found on port ftp (21/tcp)
The following directories are world-writeable. You should
correct this problem quickly
/incoming
Risk factor : Medium
CVE : CAN-1999-0527
Warning found on port ftp (21/tcp)
Warning found on port ftp (21/tcp)
The FTP service allows anonymous logins. If you do not
want to share data with anyone you do not know, then you should deactivate
the anonymous account, since it can only cause troubles.
Under most Unix system, doing :
echo ftp >> /etc/ftpusers
will correct this.
Risk factor : Low
CVE : CAN-1999-0497
Warning found on port ftp (21/tcp)
It is possible to determine the existence of a
user on the remote system by issuing the command
CWD ~<username>, like :
CWD ~root
A cracker may use this to determine the existence of
known to be vulnerable accounts (like guest) or to
determine which system you are running.
Solution : inform your vendor, and ask for a patch, or
change your FTP server
Risk factor : Low
Warning found on port ssh (22/tcp)
Warning found on port telnet (23/tcp)
Warning found on port telnet (23/tcp)
The Telnet service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.
You should disable this service and use OpenSSH instead.
(www.openssh.com)
Solution : Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0619
Warning found on port smtp (25/tcp)
prof.fr.nessus.org ESMTP Sendmail 8.9.3/8.9.1
Sat, 13 May 2000 18:12:42 +0200
502 Sendmail 8.9.3 -- HELP not implemented
Warning found on port smtp (25/tcp)
The remote SMTP server
answers to the EXPN and/or VRFY commands.
The EXPN command can be used to find
the delivery adress of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.
Your mailer should not allow remote users to
use any of these commands, because it gives
them too much informations.
Solution : if you are using sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.
Risk factor : Low
CVE : CAN-1999-0531
Warning found on port smtp (25/tcp)
The remote SMTP server is vulnerable to a redirection
attack. That is, if a mail is sent to :
user@hostname1@victim
Then the remote SMTP server (victim) will happily send the
mail to :
user@hostname1
Using this flaw, an attacker may route a message
through your firewall, in order to exploit other
SMTP servers that can not be reached from the
outside.
*** THIS WARNING MAY BE A FALSE POSITIVE, SINCE
SOME SMTP SERVERS LIKE POSTFIX WILL NOT
COMPLAIN BUT DROP THIS MESSAGE ***
Solution : if you are using sendmail, then at the top
of ruleset 98, in /etc/sendmail.cf, insert :
R$*@$*@$* $#error $@ 5.7.1 $: '551 Sorry, no redirections.'
Risk factor : Low
Warning found on port smtp (25/tcp)
The remote SMTP server allows the relaying. This means that
it allows spammers to use your mail server to send their mails to
the world, thus wasting your network bandwidth.
Risk factor : Low/Medium
Solution : configure your SMTP server so that it can't be used as a relay
any more.
CVE : CAN-1999-0512
Warning found on port finger (79/tcp)
The 'finger' service provides useful informations
to crackers, since it allow them to gain usernames, check if a machine
is being used, and so on...
Risk factor : Low.
Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612
Vulnerability found on port www (80/tcp)
The 'piranha' package is installed on the remote host.
This package, as it is distributed with Linux RedHat 6.2,
comes with the login/password combination 'piranha/q'
(or piranha/piranha)
An attacker may use it to reconfigure your Linux Virtual Servers
(LVS).
Solution : upgrade the packages piranha-gui, piranha and piranha-docs to
version 0.4.13
Risk factor : High
CVE : CAN-2000-0248
Warning found on port www (80/tcp)
Warning found on port linuxconf (98/tcp)
Warning found on port auth (113/tcp)
The 'ident' service provides sensitives informations
to the intruders : it mainly says which accounts are running which
services. This helps attackers to focus on valuable services [those
owned by root]. If you don't use this service, disable it.
Risk factor : Low.
Solution : comment out the 'auth' line in /etc/inetd.conf
CVE : CAN-1999-0629
Warning found on port exec (512/tcp)
The rexecd service is open.
Because rexecd does not provide any good
means of authentification, it can be
used by crackers to scan a third party
host, giving you troubles or bypassing
your firewall.
Solution : comment out the 'exec' line
in /etc/inetd.conf.
Risk factor : Medium
CVE : CAN-1999-0618
Warning found on port login (513/tcp)
The rlogin service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the rlogin client
and the rlogin server. This includes logins
and passwords.
You should disable this service and use openssh instead
(www.openssh.com)
Solution : Comment out the 'rlogin' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651
Warning found on port shell (514/tcp)
The rsh service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the rsh client
and the rsh server. This includes logins
and passwords.
You should disable this service and use ssh instead.
Solution : Comment out the 'rsh' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651
Warning found on port swat (901/tcp)
Warning found on port swat (901/tcp)
SWAT (Samba Web Administration Tool) is running
on this port.
SWAT allows Samba users to change their passwords,
and offers to the sysadmin an easy-to-use
GUI to configure Samba.
However, it is not recommanded to let SWAT
be accessed by the world, as it allows an
intruder to attempt to brute force some
accounts passwords.
In addition to this, the traffic between
SWAT and web clients is not ciphered, so
an eavesdropper can gain clear text passwords
easily.
Solution: Disable SWAT access from the outside
network by making your firewall filter this
port.
If you do not need SWAT, disable it by
commenting the relevant /etc/inetd.conf line.
Risk factor : Medium
Warning found on port unknown (3001/tcp)
Nessus Daemon open on port TCP:3001, NessusD version: NTP/1.2
Vulnerability found on port unknown (6000/tcp)
This X server accepts clients from anywhere. This
allows a cracker to connect to it and record any of your keystrokes
Here is the server type :
The XFree86 Project, Inc
Solution : use xauth or MIT cookies to restrict the access to this server
Risk factor : High
CVE : CVE-1999-0526
Warning found on port general/tcp
Warning found on port general/udp
For your information, here is the traceroute to 192.168.1.5 :
192.168.1.5
Warning found on port netbios-ns (137/udp)
. The following 7 NetBIOS names have been gathered :
PROF = This is the computer name registered for workstation services by a WINS client.
PROF = Computer name that is registered for the messenger service on a computer that is a WINS client.
PROF
��__MSBROWSE__�
WORKGROUP = Workgroup / Domain name
WORKGROUP
WORKGROUP
. This SMB server seems to be a SAMBA server (this is not a security
risk, this is for your information). This can be told because this server
claims to have a null MAC address
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
Warning found on port unknown (782/udp)
The rquotad RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.
Risk factor : Low
CVE : CAN-1999-0625
Warning found on port unknown (2049/udp)
The nfsd RPC service is running.
There is a bug in older versions of
this service that allow an intruder to
execute arbitrary commands on your system.
Make sure that you have the latest version
of nfsd
Risk factor : High
CVE : CAN-1999-0832
Warning found on port ntalk (518/udp)
talkd is running (talkd is the server that notifies a user
that someone else wants to initiate a conversation)
Malicious hackers may use it to abuse legitimate
users by conversing with them with a false identity
(social engineering).
In addition to this, crackers may use this service
to execute arbitrary code on your system.
Solution: Disable talkd access from the network by adding the
approriate rule on your firewall. If you do not
need talkd, comment out the relevant line in /etc/inetd.conf.
See aditional information regarding the dangers of keeping
this port open:
http://www.cert.org/advisories/CA-97.04.talkd.html
Risk factor : Medium
CVE : CVE-1999-0048
Warning found on port ntalk (518/udp)
Warning found on port echo (7/udp)
The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.
Risk factor : Low.
Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Warning found on port daytime (13/udp)
The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.
In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
Warning found on port chargen (19/udp)
The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.
When contacted, chargen responds with some random (something like all
the characters in the alphabet in row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.
An easy attack is 'pingpong' which IP spoofs a packet between two machines
running chargen. They will commence spewing characters at each other, slowing
the machines down and saturating the network.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
Warning found on port unknown (2049/tcp)
Here is the list of the exported filesystems :
Export list for prof.fr.nessus.org:
/home/renaud *.fr.nessus.org
CVE : CAN-1999-0554
dormeur.fr.nessus.org :
List of open ports :
Vulnerability found on port general/tcp
The TCP sequence numbers of the remote host
depends on the time, so they can be
guessed rather easily. A cracker may use
this flaw to spoof TCP connections easily.
Solution : contact your vendor for a patch
Risk factor : High
Warning found on port general/tcp
Warning found on port general/tcp
If numbers are close together, or rise by the same number all the time,
it means that the amount of traffic can be predicted by monitoring
changes in the idetification numbers (since these aren't randomized
enough).
This may help attackers with several other attacks, such as Session
Hijacking or with Session Spoofing, where in those cases the attacker
needs to predict certain charactistics of the attacked computer (such
as traffic size).
The IP Identification numbers retrieved and their relative size were:
ID: 2387
ID: 2643 relative size: 256
ID: 2899 relative size: 256
ID: 3155 relative size: 256
ID: 3411 relative size: 256
ID: 3667 relative size: 256
ID: 3923 relative size: 256
ID: 4179 relative size: 256
ID: 4435 relative size: 256
ID: 4691 relative size: 256
Warning found on port general/udp
For your information, here is the traceroute to 192.168.1.6 :
192.168.1.6
Warning found on port netbios-ns (137/udp)
. The following 4 NetBIOS names have been gathered :
DORMEUR = This is the computer name registered for workstation services by a WINS client.
INTRANET = Workgroup / Domain name
DORMEUR = Computer name that is registered for the messenger service on a computer that is a WINS client.
DORMEUR = A unique name that is registered for Network dynamic data exchange (DDE) when the NetDDE service is started on the
computer.
. The remote host has the following MAC address on its adapter :
0x52 0x54 0x00 0xe5 0x4a 0x95
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
Warning found on port general/icmp
The remote host answered to an ICMP_MASKREQ
query and sent us its netmask.
An attacker can use this information to
understand how your network is set up
and how the routing is done. This may
help him to bypass your filters.
Solution : reconfigure the remote host so
that it does not answer to those requests.
Set up filters that deny ICMP packets of
type 17.
Risk factor : Low
CVE : CAN-1999-0524
gateway.fr.nessus.org :
List of open ports :
Warning found on port ssh (22/tcp)
Vulnerability found on port domain (53/tcp)
The remote BIND server, according to its
version number, is vulnerable to several
attacks that can allow an attacker to gain
root on this system.
Solution : upgrade to bind 8.2.2-P3
Risk factor : High
CVE : CVE-1999-0833
Warning found on port domain (53/tcp)
Warning found on port webcache (8080/tcp)
Warning found on port general/tcp
Warning found on port general/tcp
Predictable TCP sequence number :
If numbers are close together, or rise by the same number all the time,
it means that it is easy to predict the next sequence number that will
be used by the computer (since these aren't randomized enough).
This may help attackers with several other attacks, such as Session
Hijacking or with Session Spoofing, where in those cases the attacker
needs to predict certain charactistics of the attacked computer.
The TCP sequence numbers retrieved and their relative size were:
SEQ: 1164183870
SEQ: 1164189330 relative size: 5460
SEQ: 1164193178 relative size: 3848
SEQ: 1164204108 relative size: 10930
SEQ: 1164208848 relative size: 4740
SEQ: 1164212824 relative size: 3976
SEQ: 1164219609 relative size: 6785
SEQ: 1164223500 relative size: 3891
SEQ: 1164228532 relative size: 5032
SEQ: 1164232472 relative size: 3940
CVE : CVE-1999-0077
Warning found on port general/tcp
If numbers are close together, or rise by the same number all the time,
it means that the amount of traffic can be predicted by monitoring
changes in the idetification numbers (since these aren't randomized
enough).
This may help attackers with several other attacks, such as Session
Hijacking or with Session Spoofing, where in those cases the attacker
needs to predict certain charactistics of the attacked computer (such
as traffic size).
The IP Identification numbers retrieved and their relative size were:
ID: 63321
ID: 63322 relative size: 1
ID: 63323 relative size: 1
ID: 63324 relative size: 1
ID: 63327 relative size: 3
ID: 63328 relative size: 1
Warning found on port general/udp
For your information, here is the traceroute to 192.168.1.7 :
192.168.1.7
Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
grincheux.fr.nessus.org :
List of open ports :
Warning found on port ftp (21/tcp)
grincheux.fr.nessus.org ftp server (version wu-2.4.2-academ[beta-15](1) sun mar 1 01:06:14 est 1998) ready.
500 'get / http/1.0': command not understood.
500 '': command not understood.
Warning found on port ftp (21/tcp)
The FTP service allows anonymous logins. If you do not
want to share data with anyone you do not know, then you should deactivate
the anonymous account, since it can only cause troubles.
Under most Unix system, doing :
echo ftp >> /etc/ftpusers
will correct this.
Risk factor : Low
CVE : CAN-1999-0497
Warning found on port ftp (21/tcp)
It is possible to gather the
real path of the public area of the ftp server
(like /home/ftp) by issuing the following
command :
CWD
This problem may help an attacker to find where
to put a .rhost file using other security
flaws.
Risk factor : Low
Warning found on port ssh (22/tcp)
Warning found on port telnet (23/tcp)
Warning found on port telnet (23/tcp)
The Telnet service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.
You should disable this service and use OpenSSH instead.
(www.openssh.com)
Solution : Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0619
Warning found on port smtp (25/tcp)
grincheux.fr.nessus.org ESMTP Sendmail 8.8.8/8.8.8
Sat, 13 May 2000 20:05:34 +0200
214-This is Sendmail version 8.8.8
Warning found on port smtp (25/tcp)
The remote SMTP server
answers to the EXPN and/or VRFY commands.
The EXPN command can be used to find
the delivery adress of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.
Your mailer should not allow remote users to
use any of these commands, because it gives
them too much informations.
Solution : if you are using sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.
Risk factor : Low
CVE : CAN-1999-0531
Warning found on port smtp (25/tcp)
The remote STMP server seems to allow remote users to
send mail anonymously by providing a too long argument
to the HELO command (more than 1024 chars).
This problem may allow bad guys to send hate
mail, or threatening mail using your server
and keep their anonymity.
Risk factor : Low.
Solution : If you are using sendmail, upgrade to
version 8.9.x. If you do not run sendmail, contact
your vendor.
CVE : CAN-1999-0098
Warning found on port www (80/tcp)
Warning found on port login (513/tcp)
The rlogin service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the rlogin client
and the rlogin server. This includes logins
and passwords.
You should disable this service and use openssh instead
(www.openssh.com)
Solution : Comment out the 'rlogin' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651
Warning found on port shell (514/tcp)
The rsh service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the rsh client
and the rsh server. This includes logins
and passwords.
You should disable this service and use ssh instead.
Solution : Comment out the 'rsh' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651
Warning found on port unknown (2049/tcp)
Here is the list of the exported filesystems :
Export list for grincheux.fr.nessus.org:
CVE : CAN-1999-0554
Warning found on port general/tcp
Warning found on port general/tcp
Predictable TCP sequence number :
If numbers are close together, or rise by the same number all the time,
it means that it is easy to predict the next sequence number that will
be used by the computer (since these aren't randomized enough).
This may help attackers with several other attacks, such as Session
Hijacking or with Session Spoofing, where in those cases the attacker
needs to predict certain charactistics of the attacked computer.
The TCP sequence numbers retrieved and their relative size were:
SEQ: 4150065037
SEQ: 4150075083 relative size: 10046
SEQ: 4150085079 relative size: 9996
SEQ: 4150095107 relative size: 10028
SEQ: 4150105083 relative size: 9976
SEQ: 4150115082 relative size: 9999
SEQ: 4150125084 relative size: 10002
SEQ: 4150135080 relative size: 9996
SEQ: 4150145083 relative size: 10003
SEQ: 4150164953 relative size: 19870
CVE : CVE-1999-0077
Warning found on port general/udp
For your information, here is the traceroute to 192.168.1.1 :
192.168.1.1
Warning found on port unknown (2049/udp)
The nfsd RPC service is running.
There is a bug in older versions of
this service that allow an intruder to
execute arbitrary commands on your system.
Make sure that you have the latest version
of nfsd
Risk factor : High
CVE : CAN-1999-0832
Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
This file was generated by Nessus, the open-sourced security scanner.