Security Issues and Fixes: 151.108.233.3

Each finding below is listed with its Type (Vulnerability, Warning or Informational), the Port it was found on, and the Issue and Fix text reported by the scanner.

Type : Warning
Port : echo (7/tcp)
Issue and Fix :
The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service.
Risk factor : Low
Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103

Type : Informational
Port : echo (7/tcp)
Issue and Fix :
An echo server is running on this port.

Type : Warning
Port : daytime (13/tcp)
Issue and Fix :
The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103

Type : Warning
Port : chargen (19/tcp)
Issue and Fix :
The chargen service is running. The 'chargen' service should only be enabled when testing the machine. When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. An easy attack is 'pingpong', which IP-spoofs a packet between two machines running chargen. They will commence spewing characters at each other, slowing the machines down and saturating the network.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103

Type : Informational
Port : chargen (19/tcp)
Issue and Fix :
Chargen is running on this port.

Type : Informational
Port : ftp (21/tcp)
Issue and Fix :
An FTP server is running on this port. Here is its banner :
220 unknown FTP server ready.

Type : Informational
Port : ftp (21/tcp)
Issue and Fix :
Remote FTP server banner :
unknown FTP server ready.

Type : Warning
Port : ssh (22/tcp)
Issue and Fix :
You are running a version of SSH which is older than 3.1.2 and newer than or equal to 3.0.0. There is a vulnerability in this release that may, under some circumstances, allow users to authenticate using a password even though it is not explicitly listed as a valid authentication mechanism. An attacker may use this flaw to attempt to brute-force a password using a dictionary attack (if the passwords used are weak).
Solution : Upgrade to version 3.1.2 of SSH, which solves this problem.
Risk factor : Low

Type : Warning
Port : ssh (22/tcp)
Issue and Fix :
You are running a version of SSH which is older than (or as old as) version 1.2.27. If you compiled ssh with Kerberos support, then an attacker may eavesdrop on your users' Kerberos tickets, as sshd will set the environment variable KRB5CCNAME to 'none', so Kerberos tickets will be stored in the current working directory of the user, as 'none'. If you have NFS/SMB shared disks, then an attacker may eavesdrop on the Kerberos tickets of your users using this flaw.
*** If you are not using Kerberos, then
*** ignore this warning.
Risk factor : Serious
Solution : use ssh 1.2.28 or newer
CVE : CVE-2000-0575

Type : Warning
Port : ssh (22/tcp)
Issue and Fix :
You are running a version of SSH which is older than (or as old as) version 1.2.27. If this version was compiled against the RSAREF library, then it is very likely to be vulnerable to a buffer overflow which may be exploited by an attacker to gain root on your system. To determine if you compiled ssh against the RSAREF library, type 'ssh -V' on the remote host.
Risk factor : High
Solution : Use ssh 2.x, or do not compile ssh against the RSAREF library
CVE : CVE-1999-0834

Type : Informational
Port : ssh (22/tcp)
Issue and Fix :
An SSH server is running on this port.

Type : Informational
Port : ssh (22/tcp)
Issue and Fix :
Remote SSH version :
SSH-2.0-Sun_SSH_1.0

Type : Informational
Port : ssh (22/tcp)
Issue and Fix :
The remote SSH daemon supports the following versions of the SSH protocol :
. 1.99
. 2.0

Type : Warning
Port : telnet (23/tcp)
Issue and Fix :
The Telnet service is running. This service is dangerous in the sense that it is not encrypted - that is, everyone can sniff the data that passes between the telnet client and the telnet server. This includes logins and passwords. You should disable this service and use OpenSSH instead (www.openssh.com).
Solution : Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0619

Type : Informational
Port : telnet (23/tcp)
Issue and Fix :
A telnet server seems to be running on this port.

Type : Informational
Port : telnet (23/tcp)
Issue and Fix :
Remote telnet banner :
SunOS 5.9

Type : Warning
Port : smtp (25/tcp)
Issue and Fix :
The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information.
Solution : if you are using Sendmail, add the option
O PrivacyOptions=goaway
in /etc/sendmail.cf.
Risk factor : Low
CVE : CAN-1999-0531

Type : Informational
Port : smtp (25/tcp)
Issue and Fix :
An SMTP server is running on this port. Here is its banner :
220 unknown ESMTP Sendmail 8.12.2+Sun/8.12.2; Thu, 11 Jul 2002 15:52:06 -0400 (EDT)

Type : Informational
Port : smtp (25/tcp)
Issue and Fix :
Remote SMTP server banner :
unknown ESMTP Sendmail 8.12.2+Sun/8.12.2; Thu, 11 Jul 2002 15:57:53 -0400 (EDT)
214-2.0.0 This is sendmail version 8.12.2+Sun
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation contact Sun Microsystems
214-2.0.0 Technical Support.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

Type : Informational
Port : smtp (25/tcp)
Issue and Fix :
The EICAR test string was sent 2 times. Check your mailbox!

Type : Warning
Port : finger (79/tcp)
Issue and Fix :
The 'finger' service provides useful information to attackers, since it allows them to gain usernames, check if a machine is being used, and so on.
Risk factor : Low
Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612

Type : Warning
Port : finger (79/tcp)
Issue and Fix :
The remote finger daemon accepts redirected requests. That is, users can perform requests like :
finger user@host@victim
This allows an attacker to use your computer as a relay to gather information on another network, making the other network think you are making the requests.
Solution : disable your finger daemon (comment out the finger line in /etc/inetd.conf) or install a more secure one.
Risk factor : Low
CVE : CAN-1999-0105

Type : Warning
Port : exec (512/tcp)
Issue and Fix :
The rexecd service is open. Because rexecd does not provide any good means of authentication, it can be used by an attacker to scan a third-party host, causing you trouble or bypassing your firewall.
Solution : comment out the 'exec' line in /etc/inetd.conf.
Risk factor : Medium
CVE : CAN-1999-0618

Type : Warning
Port : login (513/tcp)
Issue and Fix :
The rlogin service is running. This service is dangerous in the sense that it is not encrypted - that is, everyone can sniff the data that passes between the rlogin client and the rlogin server. This includes logins and passwords. You should disable this service and use OpenSSH instead (www.openssh.com).
Solution : Comment out the 'rlogin' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651

Type : Warning
Port : shell (514/tcp)
Issue and Fix :
The rsh service is running. This service is dangerous in the sense that it is not encrypted - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords. You should disable this service and use ssh instead.
Solution : Comment out the 'rsh' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651

Type : Informational
Port : submission (587/tcp)
Issue and Fix :
An SMTP server is running on this port. Here is its banner :
220 unknown ESMTP Sendmail 8.12.2+Sun/8.12.2; Thu, 11 Jul 2002 15:52:41 -0400 (EDT)

Type : Vulnerability
Port : unknown (898/tcp)
Issue and Fix :
The remote web server seems to be vulnerable to a Cross-Site Scripting vulnerability. The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request). The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Risk factor : Medium
Solutions :
Allaire/Macromedia JRun:
http://www.macromedia.com/software/jrun/download/update/
http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
Microsoft IIS:
http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
Apache:
http://httpd.apache.org/info/css-security/
General:
http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
http://www.cert.org/advisories/CA-2000-02.html

Type : Vulnerability
Port : unknown (898/tcp)
Issue and Fix :
Older versions of JServ (including the version shipped with Oracle9i App Server v1.0.2) are vulnerable to a cross-site scripting attack using a request for a non-existent .JSP file.
Solution : Upgrade to the latest (and final) version of JServ (available at java.apache.org), or, preferably, use Tomcat, as JServ is no longer maintained.
Risk factor : Medium

Type : Informational
Port : unknown (898/tcp)
Issue and Fix :
A web server is running on this port.

Type : Informational
Port : unknown (898/tcp)
Issue and Fix :
The remote web server type is :
Tomcat/2.1
We recommend that you configure your web server to return bogus versions in order not to leak information.

Type : Informational
Port : unknown (898/tcp)
Issue and Fix :
The following directories were discovered:
/images, /servlet

Type : Informational
Port : unknown (5988/tcp)
Issue and Fix :
A web server is running on this port.

Type : Informational
Port : unknown (5988/tcp)
Issue and Fix :
The remote web server type is :
Java/1.4.0_00 javax.wbem.client.adapter.http.transport.HttpServerConnection
We recommend that you configure your web server to return bogus versions in order not to leak information.

Type : Warning
Port : x11 (6000/tcp)
Issue and Fix :
This X server does *not* allow any client to connect to it; however, it is recommended that you filter incoming connections to this port, as an attacker may send garbage data and slow down your X session or even kill the server.
Here is the server version : 11.0
Here is the message we received : Client is not authorized to connect to Server
Solution : filter incoming connections to ports 6000-6009
Risk factor : Low
CVE : CVE-1999-0526

Type : Vulnerability
Port : unknown (6112/tcp)
Issue and Fix :
The 'dtspcd' service is running. Some versions of this daemon are vulnerable to a buffer overflow attack which allows an attacker to gain root privileges.
*** This warning might be a false positive,
*** as no real overflow was performed
Solution : See http://www.cert.org/advisories/CA-2001-31.html to determine if you are vulnerable, or deactivate this service (comment out the line 'dtspc' in /etc/inetd.conf)
Risk factor : High
CVE : CVE-2001-0803

Type : Informational
Port : general/tcp
Issue and Fix :
Nmap only scanned 15000 TCP ports out of 65535. Nmap did not do a UDP scan, I guess.

Type : Informational
Port : general/tcp
Issue and Fix :
QueSO has found out that the remote host OS is
* Standard: Solaris 2.x, Linux 2.1.???, Linux 2.2, MacOS
CVE : CAN-1999-0454

Type : Informational
Port : general/tcp
Issue and Fix :
The plugin PC_anywhere_tcp.nasl was too slow to finish - the server killed it.

Type : Vulnerability
Port : snmp (161/udp)
Issue and Fix :
;;SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517

Type : Informational
Port : snmp (161/udp)
Issue and Fix :
Using SNMP, we could determine that the remote operating system is :
Sun SNMP Agent, Ultra-5_10

Type : Warning
Port : daytime (13/udp)
Issue and Fix :
The daytime service is running. The date format issued by this service may sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103

Type : Warning
Port : echo (7/udp)
Issue and Fix :
The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service.
Risk factor : Low
Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103

Type : Warning
Port : general/icmp
Issue and Fix :
The remote host answered to an ICMP_MASKREQ query and sent us its netmask (255.255.254.0). An attacker can use this information to understand how your network is set up and how the routing is done. This may help him to bypass your filters.
Solution : reconfigure the remote host so that it does not answer to those requests. Set up filters that deny ICMP packets of type 17.
Risk factor : Low
CVE : CAN-1999-0524

Type : Warning
Port : general/icmp
Issue and Fix :
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time-based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524

Type : Informational
Port : general/udp
Issue and Fix :
For your information, here is the traceroute to 151.108.233.3 :
151.108.233.3

Type : Warning
Port : xdmcp (177/udp)
Issue and Fix :
The plugin sends an XDMCP QUERY request to see if the remote host is running XDM (or a similar display manager) with the XDMCP protocol enabled. This protocol was used to provide X display connections for old X terminals. XDMCP is completely insecure, since the traffic and passwords are not encrypted.
Risk factor : Medium
Solution : Disable XDMCP