Nessus Scan Report
------------------

SUMMARY

 - Number of hosts which were alive during the test : 1
 - Number of security holes found : 6
 - Number of security warnings found : 15
 - Number of security notes found : 46

TESTED HOSTS

 151.108.232.190 (Security holes found)

DETAILS

+ 151.108.232.190 :
 . List of open ports :
   o smtp (25/tcp) (Security warnings found)
   o http (80/tcp) (Security hole found)
   o loc-srv (135/tcp) (Security warnings found)
   o netbios-ssn (139/tcp) (Security hole found)
   o https (443/tcp) (Security notes found)
   o microsoft-ds (445/tcp) (Security notes found)
   o NFS-or-IIS (1025/tcp) (Security notes found)
   o LSA-or-nterm (1026/tcp) (Security notes found)
   o ms-lsa (1029/tcp) (Security notes found)
   o unknown (2803/tcp) (Security warnings found)
   o msdtc (3372/tcp) (Security notes found)
   o general/udp (Security notes found)
   o general/tcp (Security notes found)
   o general/icmp (Security warnings found)
   o netbios-ns (137/udp) (Security warnings found)
   o iad1 (1030/udp) (Security notes found)
   o unknown (1027/udp) (Security notes found)

 . Warning found on port smtp (25/tcp)

   The remote SMTP server is vulnerable to a flaw in its authentication process.
   This vulnerability allows any unauthorized user to successfully authenticate
   and use the remote SMTP server. An attacker may use this flaw to use this
   SMTP server as a spam relay.

   Solution : see http://www.microsoft.com/technet/security/bulletin/MS01-037.asp
   Risk factor : High
   CVE : CVE-2001-0504
   BID : 2988

 . Warning found on port smtp (25/tcp)

   It is possible to authenticate to the remote SMTP service by logging in as a
   NULL session. An attacker may use this flaw to use your SMTP server as a spam
   relay.

   Solution : http://www.microsoft.com/technet/security/bulletin/MS02-011.asp
   Risk factor : Medium
   CVE : CVE-2002-0054
   BID : 4205

 . Warning found on port smtp (25/tcp)

   It is possible to make the remote SMTP server fail and restart by sending it
   malformed input.
   The service will restart automatically, but all the connections established
   at the time of the attack will be dropped. An attacker may use this flaw to
   make mail delivery to your site less efficient.

   Solution : http://www.microsoft.com/technet/security/bulletin/MS02-012.asp
   Risk factor : Medium
   CVE : CVE-2002-0055
   BID : 4204

 . Information found on port smtp (25/tcp)

   An SMTP server is running on this port. Here is its banner :
   220 test-angzauqoig Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Mon, 31 Mar 2003 11:21:37 -0800

 . Information found on port smtp (25/tcp)

   Remote SMTP server banner :
   220 test-angzauqoig Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Mon, 31 Mar 2003 11:22:06 -0800

   This is probably: Microsoft Exchange version 5.0.2195.2966 ready at Mon, 31 Mar 2003 11:22:06 -0800

 . Information found on port smtp (25/tcp)

   For some reason, we could not send the EICAR test string to this MTA.

 . Vulnerability found on port http (80/tcp) :

   The IIS server appears to have the .HTR ISAPI filter mapped. At least one
   remote vulnerability has been discovered for the .HTR filter. This is
   detailed in Microsoft Advisory MS02-018, and gives remote SYSTEM level
   access to the web server. It is recommended that even if you have patched
   this vulnerability you unmap the .HTR extension, and any other unused ISAPI
   extensions, if they are not required for the operation of your site.

   Solution: To unmap the .HTR extension:
   1. Open Internet Services Manager.
   2. Right-click the Web server and choose Properties from the context menu.
   3. Open Master Properties.
   4. Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove
      the reference to .htr from the list.

   Risk factor : High
   CVE : CAN-2002-0071
   BID : 4474

 . Vulnerability found on port http (80/tcp) :

   When IIS receives a user request to run a script, it renders the request in
   a decoded canonical form, then performs security checks on the decoded
   request.
   A vulnerability results because a second, superfluous decoding pass is
   performed after the initial security checks are completed. Thus, a specially
   crafted request could allow an attacker to execute arbitrary commands on the
   IIS server.

   Solution: See MS advisory MS01-026 (superseded by MS01-044)
   See http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
   Risk factor : High
   CVE : CVE-2001-0507, CVE-2001-0333
   BID : 2708

 . Vulnerability found on port http (80/tcp) :

   The remote host has FrontPage Server Extensions (FPSE) installed. There is a
   denial of service / buffer overflow condition in the program 'shtml.exe'
   which comes with it. However, no public detail has been given regarding this
   issue yet, so it's not possible to remotely determine whether you are
   vulnerable to this flaw or not. If you are, an attacker may use it to crash
   your web server (FPSE 2000) or execute arbitrary code (FPSE 2002). Please
   see the Microsoft Security Bulletin MS02-053 to determine if you are
   vulnerable or not.

   *** Nessus did not actually check for this flaw, so this
   *** might be a false positive

   Solution : See http://www.microsoft.com/technet/security/bulletin/ms02-053.asp
   Risk factor : High
   CVE : CAN-2002-0692
   BID : 5804

 . Vulnerability found on port http (80/tcp) :

   There's a buffer overflow in the remote web server through the ISAPI filter.
   It is possible to overflow the remote web server and execute commands as
   user SYSTEM.

   Solution: See http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
   Risk factor : High
   CVE : CVE-2001-0544, CVE-2001-0545, CAN-2001-0506, CVE-2001-0507, CAN-2001-0508, CVE-2001-0500
   BID : 2690, 3190, 3194, 3195

 . Vulnerability found on port http (80/tcp) :

   The IIS server appears to have the .SHTML ISAPI filter mapped. At least one
   remote vulnerability has been discovered for the .SHTML filter. This is
   detailed in Microsoft Advisory MS02-018 and results in a denial of service
   against the web server.
   It is recommended that even if you have patched this vulnerability you unmap
   the .SHTML extension, and any other unused ISAPI extensions, if they are not
   required for the operation of your site. An attacker may use this flaw to
   prevent the remote service from working properly.

   *** Nessus reports this vulnerability using only
   *** information that was gathered. Use caution
   *** when testing without safe checks enabled

   Solution: See http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
   and/or unmap the shtml/shtm ISAPI filters.
   To unmap the .shtml extension:
   1. Open Internet Services Manager.
   2. Right-click the Web server and choose Properties from the context menu.
   3. Open Master Properties.
   4. Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove
      the references to .shtml, .shtm and .sht from the list.

   Risk factor : Medium
   CVE : CAN-1999-1376, CVE-2000-0226, CAN-2002-0072
   BID : 4479

 . Warning found on port http (80/tcp)

   Your web server supports the TRACE and/or TRACK methods. It has been shown
   that servers supporting these methods are subject to cross-site scripting
   attacks, dubbed XST for 'Cross-Site Tracing', when used in conjunction with
   various weaknesses in browsers. An attacker may use this flaw to trick your
   legitimate web users into giving him their credentials.

   Solution: Disable these methods. If you are using Apache, add the following
   lines for each virtual host in your configuration file :

     RewriteEngine on
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
     RewriteRule .* - [F]

   If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
   requests or to permit only the methods needed to meet site requirements and
   policy.

   See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
   http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
   Risk factor : Medium

 . Warning found on port http (80/tcp)

   The remote web server appears to be running with FrontPage extensions.
   You should double-check the configuration, since a lot of security problems
   have been found with FrontPage when the configuration file is not well set
   up.

   Risk factor : High if your configuration file is not well set up
   CVE : CAN-2000-0114

 . Warning found on port http (80/tcp)

   The IIS server appears to have the .IDA ISAPI filter mapped. At least one
   remote vulnerability has been discovered for the .IDA (Indexing Service)
   filter. This is detailed in Microsoft Advisory MS01-033, and gives remote
   SYSTEM level access to the web server. It is recommended that even if you
   have patched this vulnerability you unmap the .IDA extension, and any other
   unused ISAPI extensions, if they are not required for the operation of your
   site.

   Solution: To unmap the .IDA extension:
   1. Open Internet Services Manager.
   2. Right-click the Web server and choose Properties from the context menu.
   3. Open Master Properties.
   4. Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove
      the reference to .ida from the list.

   Risk factor : Medium
   CVE : CAN-2002-0500
   BID : 2880

 . Warning found on port http (80/tcp)

   This IIS server appears to be vulnerable to one of the cross-site scripting
   attacks described in MS02-018. The default '404' file returned by IIS uses
   scripting to output a link to the top-level domain part of the URL
   requested. By crafting a particular URL it is possible to insert arbitrary
   script into the page for execution. The presence of this vulnerability also
   indicates that you are vulnerable to the other issues identified in MS02-018
   (various remote buffer overflow and cross-site scripting attacks...).

   References:
   http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
   http://jscript.dk/adv/TL001/
   Risk factor : Medium
   CVE : CAN-2002-0074
   BID : 4483

 . Warning found on port http (80/tcp)

   IIS 5 has support for the Internet Printing Protocol (IPP), which is enabled
   in a default install. The protocol is implemented in IIS 5 as an ISAPI
   extension.
   At least one security problem (a buffer overflow) has been found with that
   extension in the past, so we recommend you disable it if you do not use this
   functionality.

   Solution: To unmap the .printer extension:
   1. Open Internet Services Manager.
   2. Right-click the Web server and choose Properties from the context menu.
   3. Open Master Properties.
   4. Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove
      the reference to .printer from the list.

   Reference : http://online.securityfocus.com/archive/1/181109
   Risk factor : Low

 . Information found on port http (80/tcp)

   A web server is running on this port.

 . Information found on port http (80/tcp)

   The remote web server type is : Microsoft-IIS/5.0
   Solution : You can use URLScan to change the server header reported by IIS.

 . Warning found on port loc-srv (135/tcp)

   DCE services running on the remote host can be enumerated by connecting to
   port 135 and doing the appropriate queries. An attacker may use this fact to
   gain more knowledge about the remote host.

   Solution : filter incoming traffic to this port.
   Risk factor : Low

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
   Endpoint: ncalrpc[LRPC000001ec.00000001]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
   Endpoint: ncalrpc[LRPC000001ec.00000001]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
   Endpoint: ncalrpc[LRPC000001ec.00000001]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
   Endpoint: ncalrpc[LRPC000001ec.00000001]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
   Endpoint: ncalrpc[LRPC000002b4.00000001]
 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
   Endpoint: ncalrpc[LRPC000002b4.00000001]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
   Endpoint: ncalrpc[ntsvcs]
   Annotation: Messenger Service

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
   Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\ntsvcs]
   Annotation: Messenger Service

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
   Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\scerpc]
   Annotation: Messenger Service

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
   Endpoint: ncalrpc[OLE5]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
   Endpoint: ncalrpc[INETINFO_LPC]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
   Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\INETINFO]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
   Endpoint: ncalrpc[OLE5]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
   Endpoint: ncalrpc[INETINFO_LPC]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
   Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\INETINFO]
 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
   Endpoint: ncalrpc[SMTPSVC_LPC]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
   Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\SMTPSVC]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
   Endpoint: ncalrpc[OLE5]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
   Endpoint: ncalrpc[INETINFO_LPC]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
   Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\INETINFO]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
   Endpoint: ncalrpc[SMTPSVC_LPC]

 . Information found on port loc-srv (135/tcp)

   A DCE service is listening on this host
   UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
   Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\SMTPSVC]

 . Vulnerability found on port netbios-ssn (139/tcp) :

   It was possible to log into the remote host using a NULL session. The
   concept of a NULL session is to provide a null username and a null
   password, which grants the user 'guest' access.

   To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261
   (Windows 2000). Note that this won't completely disable null sessions, but
   will prevent them from connecting to IPC$.

   Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

   All the SMB tests will be done as ''/''

   CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
   BID : 990

 . Warning found on port netbios-ssn (139/tcp)

   The domain SID can be obtained remotely.
   Its value is :
   WORKGROUP : 0-0-0-0-0

   An attacker can use it to obtain the list of the local users of this host.

   Solution : filter the ports 137 to 139 and 445
   Risk factor : Low
   CVE : CVE-2000-1200
   BID : 959

 . Warning found on port netbios-ssn (139/tcp)

   The host SID can be obtained remotely.
   Its value is :
   TEST-ANGZAUQOIG : 5-21-1708537768-706699826-2146802419

   An attacker can use it to obtain the list of the local users of this host.

   Solution : filter the ports 137 to 139 and 445
   Risk factor : Low
   CVE : CVE-2000-1200
   BID : 959

 . Warning found on port netbios-ssn (139/tcp)

   Here is the browse list of the remote host :
   INTSERVTEST01 -
   RIVERA-LAP -
   TEST-ANGZAUQO -

   This is potentially dangerous, as it may help an attacker by giving him
   extra targets to check.

   Solution : filter incoming traffic to this port
   Risk factor : Low

 . Information found on port netbios-ssn (139/tcp)

   The remote native LAN manager is : Windows 2000 LAN Manager
   The remote operating system is : Windows 5.0
   The remote SMB domain name is : WORKGROUP

 . Information found on port https (443/tcp)

   An unknown service is running on this port. It is usually reserved for HTTPS.

 . Information found on port microsoft-ds (445/tcp)

   A CIFS server is running on this port.

 . Information found on port NFS-or-IIS (1025/tcp)

   A DCE service is listening on this port
   UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
   Endpoint: ncacn_ip_tcp:151.108.232.190[1025]

 . Information found on port NFS-or-IIS (1025/tcp)

   A DCE service is listening on this port
   UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
   Endpoint: ncacn_ip_tcp:151.108.232.190[1025]

 . Information found on port NFS-or-IIS (1025/tcp)

   A DCE service is listening on this port
   UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
   Endpoint: ncacn_ip_tcp:151.108.232.190[1025]
 . Information found on port NFS-or-IIS (1025/tcp)

   A DCE service is listening on this port
   UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
   Endpoint: ncacn_ip_tcp:151.108.232.190[1025]

 . Information found on port LSA-or-nterm (1026/tcp)

   A DCE service is listening on this port
   UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
   Endpoint: ncacn_ip_tcp:151.108.232.190[1026]

 . Information found on port LSA-or-nterm (1026/tcp)

   A DCE service is listening on this port
   UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
   Endpoint: ncacn_ip_tcp:151.108.232.190[1026]

 . Information found on port ms-lsa (1029/tcp)

   A DCE service is listening on this port
   UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
   Endpoint: ncacn_ip_tcp:151.108.232.190[1029]

 . Information found on port ms-lsa (1029/tcp)

   A DCE service is listening on this port
   UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
   Endpoint: ncacn_ip_tcp:151.108.232.190[1029]

 . Information found on port ms-lsa (1029/tcp)

   A DCE service is listening on this port
   UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
   Endpoint: ncacn_ip_tcp:151.108.232.190[1029]

 . Warning found on port unknown (2803/tcp)

   This IIS server appears to be vulnerable to one of the cross-site scripting
   attacks described in MS02-018. The default '404' file returned by IIS uses
   scripting to output a link to the top-level domain part of the URL
   requested. By crafting a particular URL it is possible to insert arbitrary
   script into the page for execution. The presence of this vulnerability also
   indicates that you are vulnerable to the other issues identified in MS02-018
   (various remote buffer overflow and cross-site scripting attacks...).

   References:
   http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
   http://jscript.dk/adv/TL001/
   Risk factor : Medium
   CVE : CAN-2002-0074
   BID : 4483

 . Information found on port unknown (2803/tcp)

   A web server is running on this port.
 . Information found on port unknown (2803/tcp)

   The remote web server type is : Microsoft-IIS/5.0
   Solution : You can use URLScan to change the server header reported by IIS.

 . Information found on port msdtc (3372/tcp)

   An unknown server is running on this port. If you know what it is, please
   send this banner to the Nessus team:
   00: 60 3e 0a    `>.

 . Information found on port general/udp

   For your information, here is the traceroute to 151.108.232.190 :
   151.108.232.190

 . Information found on port general/tcp

   Remote OS guess : Windows Millennium Edition (Me), Win 2000, or WinXP
   CVE : CAN-1999-0454

 . Warning found on port general/icmp

   The remote host answers to an ICMP timestamp request. This allows an
   attacker to learn the time of day set on your machine (an ICMP timestamp
   reply carries milliseconds since midnight UTC). This may help him to defeat
   your time-based authentication protocols.

   Solution : filter out the ICMP timestamp requests (13), and the outgoing
   ICMP timestamp replies (14).
   Risk factor : Low
   CVE : CAN-1999-0524

 . Warning found on port netbios-ns (137/udp)

   The following 7 NetBIOS names have been gathered :
   TEST-ANGZAUQOIG
   WORKGROUP
   TEST-ANGZAUQOIG
   TEST-ANGZAUQOIG
   WORKGROUP
   INet~Services
   IS~ST-ANGZAUQOI

   The remote host has the following MAC address on its adapter :
   0x00 0x50 0xda 0x5a 0x26 0x11

   If you do not want to allow everyone to find the NetBIOS name of your
   computer, you should filter incoming traffic to this port.

   Risk factor : Medium
   CVE : CAN-1999-0621

 . Information found on port iad1 (1030/udp)

   A DCE service is listening on this port
   UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
   Endpoint: ncadg_ip_udp:151.108.232.190[1030]

 . Information found on port unknown (1027/udp)

   A DCE service is listening on this port
   UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
   Endpoint: ncadg_ip_udp:151.108.232.190[1027]
   Annotation: Messenger Service

------------------------------------------------------
This file was generated by the Nessus Security Scanner
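The MS01-026 finding on http (80/tcp) describes an ordering bug: IIS ran its path-traversal check on a once-decoded request and then decoded the request a second time before opening the file. The following is an added illustration written for this page, not IIS code and not part of the Nessus report: the web root, the request paths and the check itself are assumed for the demonstration. It places the flawed order of operations beside the fixed one and shows why a doubly encoded backslash (%255c) slips past the first and not the second.

```python
"""Added illustration of the "superfluous decode" ordering bug (MS01-026 /
CVE-2001-0333).  Example code for this page, not IIS code and not part of the
Nessus report; WEB_ROOT, the request paths and the check are assumptions."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"   # assumed document root of the server

# Request of the kind the finding describes: each "..%255c" decodes first to
# "..%5c" (which looks harmless) and only on a second pass to "..\" (traversal).
ATTACK_PATH = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"
PLAIN_TRAVERSAL = "/scripts/..%5c..%5cwinnt/system32/cmd.exe"   # singly encoded
BENIGN_PATH = "/default.htm"


def _resolve(decoded_path: str) -> str:
    """Join a decoded URL path onto the web root and collapse '.' and '..'.
    Backslashes are folded into slashes because the Windows file system
    accepts either separator."""
    return posixpath.normpath(WEB_ROOT + "/" + decoded_path.replace("\\", "/"))


def _inside_root(full_path: str) -> bool:
    return full_path == WEB_ROOT or full_path.startswith(WEB_ROOT + "/")


def vulnerable_resolve(raw_path: str) -> str:
    """Flawed order: decode once, run the traversal check on that form, then
    decode a second time before touching the file system."""
    once = unquote(raw_path)                 # %255c -> %5c : check sees no '..\'
    if not _inside_root(_resolve(once)):
        raise PermissionError("traversal rejected")
    twice = unquote(once)                    # %5c -> \ : superfluous second decode
    return _resolve(twice)                   # now resolves outside the web root


def hardened_resolve(raw_path: str) -> str:
    """Decode exactly once, canonicalise, and check the final path that will
    actually be opened.  No decoding happens after the check."""
    full = _resolve(unquote(raw_path))
    if not _inside_root(full):
        raise PermissionError("traversal rejected")
    return full


def classify(raw_path: str) -> dict:
    """Run both resolvers on a request and report what each would open."""
    out = {}
    for name, fn in (("vulnerable", vulnerable_resolve), ("hardened", hardened_resolve)):
        try:
            out[name] = fn(raw_path)
        except PermissionError as exc:
            out[name] = f"rejected ({exc})"
    return out


if __name__ == "__main__":
    for path in (BENIGN_PATH, PLAIN_TRAVERSAL, ATTACK_PATH):
        print(path, "->", classify(path))
```

Both resolvers reject the singly encoded traversal; only the flawed one turns the doubly encoded request into a path under /inetpub/winnt. The hardened version keeps the literal "%5c" in the filename, which is the correct outcome (the file simply does not exist).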
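The TRACE/TRACK warning on http (80/tcp) only matters when the server actually reflects the request back to the client. The following is an added example, not part of the Nessus report, that sends a TRACE (or the IIS-specific TRACK) request and decides from the reply whether it was echoed. The target address, the marker header name and the sample replies at the bottom are constructed for the example; the live probe is only for hosts you are authorised to test.

```python
"""Added example for the TRACE/TRACK (XST) finding: build the request, then
judge the reply.  Not part of the Nessus report; MARKER is an arbitrary header
and the REPLY_* samples are constructed, not captured from the scanned host."""
import socket

MARKER = "X-Probe: xst-check"     # something unique we expect to see reflected


def build_request(host: str, method: str = "TRACE") -> bytes:
    """Minimal HTTP/1.1 request; TRACK is the IIS-specific alias of TRACE."""
    return (f"{method} / HTTP/1.1\r\nHost: {host}\r\n{MARKER}\r\n"
            "Connection: close\r\n\r\n").encode()


def is_echoed(raw_reply: bytes, method: str = "TRACE") -> bool:
    """True when the reply is a 200 whose body is our own request (RFC 2616
    defines the TRACE response body as a copy of the request, message/http).
    A 403/405, or a 200 without the reflected marker, means the method cannot
    be used for cross-site tracing."""
    head, sep, body = raw_reply.partition(b"\r\n\r\n")
    if not sep:
        return False
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or not status[0].startswith(b"HTTP/") or status[1] != b"200":
        return False
    return body.startswith(method.encode() + b" ") and MARKER.encode() in body


def probe(host: str, port: int = 80, method: str = "TRACE", timeout: float = 5.0) -> bool:
    """Live check against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, method))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return is_echoed(b"".join(chunks), method)


# Constructed replies for offline use (not captured from 151.108.232.190).
REPLY_ECHOED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 82\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: 151.108.232.190\r\nX-Probe: xst-check\r\n"
    b"Connection: close\r\n\r\n"
)
REPLY_FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
REPLY_NOT_ALLOWED = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
                     b"Content-Length: 0\r\n\r\n")
# A 200 that does not reflect the request (a generic page) is not XST either.
REPLY_200_NO_ECHO = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. 151.108.232.190
    if target:
        for m in ("TRACE", "TRACK"):
            print(m, "echoed" if probe(target, method=m) else "not echoed")
    else:
        print("offline:", is_echoed(REPLY_ECHOED), is_echoed(REPLY_FORBIDDEN))
```

After applying the Apache rewrite rules or the URLScan restriction from the finding, the probe should report a 403 or 405 (both classified as not echoed) for both methods; test TRACK separately, since a filter that names only TRACE leaves the alias open on IIS.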
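The loc-srv (135/tcp), 1025-1030 and 1027/udp sections above list the same DCE interfaces many times (one entry per endpoint-mapper record, some verbatim repeats), which makes it hard to see what the host actually exposes. The following is an added example, not part of the Nessus report: a parser that reads those "A DCE service is listening" entries, collapses duplicates per interface UUID, and counts the endpoints reachable over the network (ncalrpc endpoints are local procedure calls only; ncacn_np, ncacn_ip_tcp and ncadg_ip_udp are on the wire). SAMPLE is an excerpt copied from the report; KNOWN_INTERFACES is a hand-maintained table added by the editor, not scanner output.

```python
"""Added example: parse and deduplicate the DCE endpoint entries of a Nessus
text report.  Not part of the report; the regex accepts both the flattened
layout of this page and the original one-field-per-line layout."""
import re

ENTRY = re.compile(
    r"port\s+\S+\s+\((\d+/(?:tcp|udp))\)\s+"
    r"A DCE service is listening on this (?:host|port)\s+"
    r"UUID:\s*([0-9a-fA-F-]{36}),\s*version\s*(\d+)\s+"
    r"Endpoint:\s*(\S+)"
    r"(?:\s+Annotation:\s*([A-Za-z][A-Za-z ]*?))?"
    r"(?=\s*(?:\.|-|\n|$))"
)

# Hand-maintained by the editor; the scanner itself only annotated msgsvc.
KNOWN_INTERFACES = {
    "906b0ce0-c70b-1067-b317-00dd010662da": "MSDTC (IXnRemote)",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "Task Scheduler (atsvc)",
    "378e52b0-c0a9-11cf-822d-00aa0051e40f": "Task Scheduler (sasec)",
    "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc": "Messenger service (msgsvc)",
}

LOCAL_ONLY_PREFIX = "ncalrpc"   # LPC endpoints are not reachable from the network


def parse_dce_endpoints(text: str) -> dict:
    """Map interface UUID -> {version, annotation, endpoints}; endpoints are
    unique (port, binding) pairs, so repeated report entries collapse."""
    interfaces = {}
    for port, uuid, version, endpoint, annotation in ENTRY.findall(text):
        entry = interfaces.setdefault(
            uuid.lower(), {"version": int(version), "annotation": None, "endpoints": set()})
        entry["endpoints"].add((port, endpoint))
        if annotation:
            entry["annotation"] = annotation.strip()
    for entry in interfaces.values():
        entry["endpoints"] = sorted(entry["endpoints"])
    return interfaces


def summarize(text: str) -> list:
    """One line per interface: name, unique endpoints, how many are remote."""
    lines = []
    for uuid, entry in sorted(parse_dce_endpoints(text).items()):
        name = entry["annotation"] or KNOWN_INTERFACES.get(uuid, "unknown interface")
        remote = [ep for _, ep in entry["endpoints"] if not ep.startswith(LOCAL_ONLY_PREFIX)]
        lines.append(f"{uuid} v{entry['version']} {name}: "
                     f"{len(entry['endpoints'])} unique endpoint(s), "
                     f"{len(remote)} reachable over the network")
    return lines


# Excerpt copied from the report above, in the flattened form this page uses.
SAMPLE = r"""
Information found on port loc-srv (135/tcp) A DCE service is listening on this host UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncalrpc[LRPC000001ec.00000001] .
Information found on port loc-srv (135/tcp) A DCE service is listening on this host UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncalrpc[LRPC000001ec.00000001] .
Information found on port loc-srv (135/tcp) A DCE service is listening on this host UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncalrpc[LRPC000002b4.00000001] .
Information found on port loc-srv (135/tcp) A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\ntsvcs] Annotation: Messenger Service .
Information found on port NFS-or-IIS (1025/tcp) A DCE service is listening on this port UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncacn_ip_tcp:151.108.232.190[1025] .
Information found on port LSA-or-nterm (1026/tcp) A DCE service is listening on this port UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncacn_ip_tcp:151.108.232.190[1026] .
Information found on port unknown (1027/udp) A DCE service is listening on this port UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncadg_ip_udp:151.108.232.190[1027] Annotation: Messenger Service
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Run against the whole report, the summary shrinks the forty-odd entries to seven interfaces and shows that each of them is also bound to a TCP, UDP or named-pipe endpoint, which is why the finding recommends filtering port 135 together with 137-139 and 445 rather than 135 alone.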