Security Issues and Fixes: 151.108.233.3

Type | Port | Issue and Fix

Warning | echo (7/tcp)
The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service.
Risk factor : Low
Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103

Informational | echo (7/tcp)
An echo server is running on this port.

Warning | daytime (13/tcp)
The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103

Warning | chargen (19/tcp)
The chargen service is running. The 'chargen' service should only be enabled when testing the machine. When contacted, chargen responds with some random data (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. An easy attack is 'pingpong', which IP-spoofs a packet between two machines running chargen. They will commence spewing characters at each other, slowing the machines down and saturating the network.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103

Informational | chargen (19/tcp)
Chargen is running on this port.

Informational | ftp (21/tcp)
An FTP server is running on this port. Here is its banner :
220 unknown FTP server ready.

Informational | ftp (21/tcp)
Remote FTP server banner :
unknown FTP server ready.

Warning | ssh (22/tcp)
You are running a version of SSH which is older than 3.1.2 and newer than or equal to 3.0.0. There is a vulnerability in this release that may, under some circumstances, allow users to authenticate using a password even though it is not explicitly listed as a valid authentication mechanism. An attacker may use this flaw to attempt to brute-force a password using a dictionary attack (if the passwords used are weak).
Solution : Upgrade to version 3.1.2 of SSH, which solves this problem.
Risk factor : Low

Warning | ssh (22/tcp)
You are running a version of SSH which is older than (or as old as) version 1.2.27. If you compiled ssh with kerberos support, then an attacker may eavesdrop on your users' kerberos tickets, as sshd will set the environment variable KRB5CCNAME to 'none', so kerberos tickets will be stored in the current working directory of the user, as 'none'. If you have nfs/smb shared disks, then an attacker may eavesdrop on the kerberos tickets of your users using this flaw.
*** If you are not using kerberos, then
*** ignore this warning.
Risk factor : Serious
Solution : use ssh 1.2.28 or newer
CVE : CVE-2000-0575

Warning | ssh (22/tcp)
You are running a version of SSH which is older than (or as old as) version 1.2.27. If this version was compiled against the RSAREF library, then it is very likely to be vulnerable to a buffer overflow which may be exploited by an attacker to gain root on your system. To determine if you compiled ssh against the RSAREF library, type 'ssh -V' on the remote host.
Risk factor : High
Solution : Use ssh 2.x, or do not compile ssh against the RSAREF library
CVE : CVE-1999-0834

Informational | ssh (22/tcp)
An ssh server is running on this port.

Informational | ssh (22/tcp)
Remote SSH version : SSH-2.0-Sun_SSH_1.0

Informational | ssh (22/tcp)
The remote SSH daemon supports the following versions of the SSH protocol :
. 1.99
. 2.0

Warning | telnet (23/tcp)
The Telnet service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the telnet client and the telnet server. This includes logins and passwords. You should disable this service and use OpenSSH instead (www.openssh.com).
Solution : Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0619

Informational | telnet (23/tcp)
A telnet server seems to be running on this port.

Informational | telnet (23/tcp)
Remote telnet banner :
SunOS 5.9

Warning | smtp (25/tcp)
The remote SMTP server answers the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information.
Solution : if you are using Sendmail, add the option
O PrivacyOptions=goaway
in /etc/sendmail.cf.
Risk factor : Low
CVE : CAN-1999-0531

Informational | smtp (25/tcp)
An SMTP server is running on this port. Here is its banner :
220 unknown ESMTP Sendmail 8.12.2+Sun/8.12.2; Thu, 11 Jul 2002 15:52:06 -0400 (EDT)

Informational | smtp (25/tcp)
Remote SMTP server banner :
unknown ESMTP Sendmail 8.12.2+Sun/8.12.2; Thu, 11 Jul 2002 15:57:53 -0400 (EDT)
214-2.0.0 This is sendmail version 8.12.2+Sun
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation contact Sun Microsystems
214-2.0.0 Technical Support.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

Informational | smtp (25/tcp)
The EICAR test string was sent 2 times. Check your mailbox!

Warning | finger (79/tcp)
The 'finger' service provides useful information to attackers, since it allows them to gain usernames, check if a machine is being used, and so on...
Risk factor : Low
Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612

Warning | finger (79/tcp)
The remote finger daemon accepts redirected requests. That is, users can perform requests like :
finger user@host@victim
This allows an attacker to use your computer as a relay to gather information on another network, making the other network think you are making the requests.
Solution : disable your finger daemon (comment out the finger line in /etc/inetd.conf) or install a more secure one.
Risk factor : Low
CVE : CAN-1999-0105

Warning | exec (512/tcp)
The rexecd service is open. Because rexecd does not provide any good means of authentication, it can be used by an attacker to scan a third-party host, giving you trouble or bypassing your firewall.
Solution : comment out the 'exec' line in /etc/inetd.conf.
Risk factor : Medium
CVE : CAN-1999-0618

Warning | login (513/tcp)
The rlogin service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rlogin client and the rlogin server. This includes logins and passwords. You should disable this service and use OpenSSH instead (www.openssh.com).
Solution : Comment out the 'rlogin' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651

Warning | shell (514/tcp)
The rsh service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords. You should disable this service and use ssh instead.
Solution : Comment out the 'rsh' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651

Informational | submission (587/tcp)
An SMTP server is running on this port. Here is its banner :
220 unknown ESMTP Sendmail 8.12.2+Sun/8.12.2; Thu, 11 Jul 2002 15:52:41 -0400 (EDT)

Vulnerability | unknown (898/tcp)
The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability. The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request). The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Risk factor : Medium
Solutions:
Allaire/Macromedia Jrun:
http://www.macromedia.com/software/jrun/download/update/
http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
Microsoft IIS:
http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
Apache:
http://httpd.apache.org/info/css-security/
General:
http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
http://www.cert.org/advisories/CA-2000-02.html

Vulnerability | unknown (898/tcp)
Older versions of JServ (including the version shipped with Oracle9i App Server v1.0.2) are vulnerable to a cross site scripting attack using a request for a non-existent .JSP file.
Solution : Upgrade to the latest (and final) version of JServ (available at java.apache.org), or, preferably, use Tomcat, as JServ is no longer maintained.
Risk factor : Medium

Informational | unknown (898/tcp)
A web server is running on this port.

Informational | unknown (898/tcp)
The remote web server type is :
Tomcat/2.1
We recommend that you configure your web server to return bogus versions so as not to leak information.

Informational | unknown (898/tcp)
The following directories were discovered:
/images, /servlet

Informational | unknown (5988/tcp)
A web server is running on this port.

Informational | unknown (5988/tcp)
The remote web server type is :
Java/1.4.0_00 javax.wbem.client.adapter.http.transport.HttpServerConnection
We recommend that you configure your web server to return bogus versions so as not to leak information.

Warning | x11 (6000/tcp)
This X server does *not* allow any client to connect to it; however, it is recommended that you filter incoming connections to this port, as an attacker may send garbage data and slow down your X session or even kill the server.
Here is the server version : 11.0
Here is the message we received : Client is not authorized to connect to Server
Solution : filter incoming connections to ports 6000-6009
Risk factor : Low
CVE : CVE-1999-0526

Vulnerability | unknown (6112/tcp)
The 'dtspcd' service is running. Some versions of this daemon are vulnerable to a buffer overflow attack which allows an attacker to gain root privileges.
*** This warning might be a false positive,
*** as no real overflow was performed
Solution : See http://www.cert.org/advisories/CA-2001-31.html to determine if you are vulnerable, or deactivate this service (comment out the line 'dtspc' in /etc/inetd.conf)
Risk factor : High
CVE : CVE-2001-0803

Informational | general/tcp
Nmap only scanned 15000 TCP ports out of 65535.
Nmap did not do a UDP scan, I guess.

Informational | general/tcp
QueSO has found out that the remote host OS is
* Standard: Solaris 2.x, Linux 2.1.???, Linux 2.2, MacOS
CVE : CAN-1999-0454

Informational | general/tcp
The plugin PC_anywhere_tcp.nasl was too slow to finish - the server killed it

Vulnerability | snmp (161/udp)
SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517

Informational | snmp (161/udp)
Using SNMP, we could determine that the remote operating system is :
Sun SNMP Agent, Ultra-5_10

Warning | daytime (13/udp)
The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103

Warning | echo (7/udp)
The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service.
Risk factor : Low
Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103

Warning | general/icmp
The remote host answered an ICMP_MASKREQ query and sent us its netmask (255.255.254.0). An attacker can use this information to understand how your network is set up and how the routing is done. This may help him to bypass your filters.
Solution : reconfigure the remote host so that it does not answer those requests. Set up filters that deny ICMP packets of type 17.
Risk factor : Low
CVE : CAN-1999-0524

Warning | general/icmp
The remote host answers ICMP timestamp requests. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time-based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524

Informational | general/udp
For your information, here is the traceroute to 151.108.233.3 :
151.108.233.3

Warning | xdmcp (177/udp)
The plugin sends an XDMCP QUERY request to see if the remote host is running XDM (or a similar display manager) with the XDMCP protocol enabled. This protocol was used to provide X display connections for old X terminals. XDMCP is completely insecure, since the traffic and passwords are not encrypted.
Risk factor : Medium
Solution : Disable XDMCP