Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test: 1
Number of security holes found: 12
Number of security warnings found: 13


Host List
Host(s) Possible Issue
216.125.250.155 Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
216.125.250.155 ftp (21/tcp) Security hole found
216.125.250.155 ssh (22/tcp) Security warning(s) found
216.125.250.155 smtp (25/tcp) Security warning(s) found
216.125.250.155 time (37/tcp) Security notes found
216.125.250.155 domain (53/tcp) Security warning(s) found
216.125.250.155 finger (79/tcp) Security warning(s) found
216.125.250.155 http (80/tcp) Security hole found
216.125.250.155 pop3 (110/tcp) Security notes found
216.125.250.155 sunrpc (111/tcp) Security notes found
216.125.250.155 auth (113/tcp) Security notes found
216.125.250.155 netbios-ssn (139/tcp) Security hole found
216.125.250.155 imap (143/tcp) Security notes found
216.125.250.155 https (443/tcp) Security hole found
216.125.250.155 printer (515/tcp) Security warning(s) found
216.125.250.155 submission (587/tcp) Security notes found
216.125.250.155 unknown (669/tcp) Security notes found
216.125.250.155 unknown (901/tcp) Security notes found
216.125.250.155 unknown (32768/tcp) Security notes found
216.125.250.155 unknown (32769/tcp) Security notes found
216.125.250.155 sunrpc (111/udp) Security notes found
216.125.250.155 doom (666/udp) Security notes found
216.125.250.155 nfs (2049/udp) Security hole found
216.125.250.155 sometimes-rpc6 (32771/udp) Security notes found
216.125.250.155 sometimes-rpc8 (32772/udp) Security notes found
216.125.250.155 sometimes-rpc10 (32773/udp) Security notes found
216.125.250.155 general/icmp Security notes found
216.125.250.155 domain (53/udp) Security warning(s) found
216.125.250.155 general/tcp Security notes found
216.125.250.155 netbios-ns (137/tcp) Security notes found
216.125.250.155 nfs (2049/tcp) Security notes found
216.125.250.155 general/udp Security notes found


Security Issues and Fixes: 216.125.250.155
Type Port Issue and Fix
Vulnerability ftp (21/tcp)
The remote host is running a version of ProFTPd which seems
to be vulnerable to a buffer overflow when a user downloads
a malformed ASCII file.

An attacker with upload privileges on this host may abuse this
flaw to gain a root shell on this host.

*** The author of ProFTPD did not increase the version number
*** of his product when fixing this issue, so this may be a false
*** positive.

Solution : Upgrade to ProFTPD 1.2.9 when available or to 1.2.8p
Risk factor : High
BID : 8679
Nessus ID : 11849
Warning ftp (21/tcp)
It is possible to force the FTP server to connect to third-party hosts by using
the PORT command.

This problem allows intruders to use your network resources to scan other hosts, making
the targets think the attack comes from your network, or it can even allow them to go through
your firewall.

Solution : Upgrade to the latest version of your FTP server, or use another FTP server.
Risk factor : Medium
CVE : CVE-1999-0017
BID : 126
Nessus ID : 10081
Warning ftp (21/tcp)
The remote host is using ProFTPD, a free FTP server for Unix and
Linux.

According to its banner, the version of ProFTPD installed on the
remote host suffers from multiple format string vulnerabilities, one
involving the 'ftpshut' utility and the other in mod_sql's
'SQLShowInfo' directive. Exploitation of either requires involvement
on the part of a site administrator and can lead to information
disclosure, denial of service, and even a compromise of the affected
system.

See also : http://www.proftpd.org/docs/RELEASE_NOTES-1.3.0rc2
Solution : Upgrade to ProFTPD version 1.3.0rc2 or later.
Risk factor : Low
BID : 14380, 14381
Nessus ID : 19302
Warning ftp (21/tcp)
The remote ProFTPD server is version 1.2.10 or older.

It is possible to determine which user names are valid on the remote host
by timing the login procedure.

An attacker may use this flaw to build a list of valid usernames for a
more efficient brute-force attack against the remote host.

Solution : Upgrade to a newer version
Risk factor : Low
CVE : CVE-2004-1602
BID : 11430
Nessus ID : 15484
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [surt.csit.parkland.edu]
Nessus ID : 10330
Informational ftp (21/tcp)
Synopsis :

An FTP server is listening on this port

Description :

It is possible to obtain the banner of the remote FTP server
by connecting to the remote port.

Risk factor :

None

Plugin output :

The remote FTP banner is :
220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [surt.csit.parkland.edu]
Nessus ID : 10092
Informational ftp (21/tcp)
Synopsis :

Anonymous logins are allowed on the remote FTP server.

Description :

This FTP service allows anonymous logins. If you do not want to share data
with anyone you do not know, you should deactivate the anonymous account,
since it can only cause trouble.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :

The content of the remote FTP root is :
-rw-r--r-- 1 root root 61 Oct 6 2003 anonymousftp
-rw-r--r-- 1 root root 24 Oct 6 2003 file1
drwxr-xr-x 2 root root 4096 Oct 7 2003 seans

CVE : CVE-1999-0497
Nessus ID : 10079
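The two FTP findings above (the PORT bounce, Nessus ID 10081, and the anonymous login, Nessus ID 10079) can be reproduced with a short client. What follows is an added example written for this report, not Nessus plugin code and not part of the original page. It reads RFC 959 replies (including multi-line ones), logs in as anonymous, then sends a PORT naming a third-party address and asks for a LIST. A 200 to that PORT, followed by 150/125 or 425 to the LIST, means the server opened (or tried to open) its data connection to the third party on the scanner's behalf; a ProFTPD with AllowForeignAddress off (the default) answers 500 to such a PORT. The third-party address 192.0.2.10, the password probe@example.net, the transcript and all function names are assumptions made here; the transcript is constructed so the check can run offline.

```python
"""Anonymous-login and PORT-bounce check for an FTP server (RFC 959)."""
import io
import socket


def read_reply(rf):
    """Read one FTP reply; multi-line replies ("220-...") end with a "220 " line."""
    lines = []
    while True:
        line = rf.readline().decode("latin-1")
        if not line:
            raise EOFError("server closed the control connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return int(line[:3]), "\n".join(lines)


def send_command(wf, rf, line):
    """Send one control-channel command and return (code, reply text)."""
    wf.write((line + "\r\n").encode("latin-1"))
    wf.flush()
    return read_reply(rf)


def port_argument(ip, port):
    """Encode an IPv4 address and port as the h1,h2,h3,h4,p1,p2 argument of PORT."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def check_ftp(rf, wf, third_party_ip, third_party_port):
    """Log in anonymously, then ask the server to open its data connection to a third party."""
    result = {"anonymous": False, "port_accepted": False, "bounce_attempted": False}
    _, result["banner"] = read_reply(rf)
    code, _ = send_command(wf, rf, "USER anonymous")
    if code == 331:  # password requested; an address-shaped string is the convention
        code, _ = send_command(wf, rf, "PASS probe@example.net")
    result["anonymous"] = code == 230
    if result["anonymous"]:
        code, _ = send_command(wf, rf, "PORT " + port_argument(third_party_ip, third_party_port))
        result["port_accepted"] = code == 200   # a hardened server answers 500 "Illegal PORT command"
        if result["port_accepted"]:
            code, _ = send_command(wf, rf, "LIST")
            # 125/150: data connection to the third party opened; 425: attempted and failed.
            # Either way the server connected outward on our behalf. A 5xx here means it refused.
            result["bounce_attempted"] = code in (125, 150, 425)
            if code in (125, 150):
                read_reply(rf)  # consume the trailing 226/426 transfer-status reply
    send_command(wf, rf, "QUIT")
    return result


def probe(host, third_party_ip, third_party_port=25, port=21, timeout=10):
    """Run check_ftp against a live server."""
    with socket.create_connection((host, port), timeout) as s:
        with s.makefile("rb") as rf, s.makefile("wb") as wf:
            return check_ftp(rf, wf, third_party_ip, third_party_port)


# Constructed server transcript (not captured from the scanned host), modelled on the
# 220 banner in the report, so the check can be exercised offline.
SAMPLE_TRANSCRIPT = (
    b"220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [surt.example]\r\n"
    b"331 Anonymous login ok, send your complete email address as your password.\r\n"
    b"230-Welcome, archive user anonymous@203.0.113.7 !\r\n"
    b"230 Anonymous access granted, restrictions apply.\r\n"
    b"200 PORT command successful\r\n"
    b"150 Opening ASCII mode data connection for file list\r\n"
    b"226 Transfer complete.\r\n"
    b"221 Goodbye.\r\n"
)


def demo():
    """Run the check against the constructed transcript; returns (result, bytes we sent)."""
    rf, wf = io.BytesIO(SAMPLE_TRANSCRIPT), io.BytesIO()
    result = check_ftp(rf, wf, "192.0.2.10", 25)
    return result, wf.getvalue()


if __name__ == "__main__":
    print(demo())
```

Run probe() only against hosts you are authorised to test: a successful bounce makes the target connect to whatever third-party address you name, which is exactly the abuse the finding describes.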
Informational ftp (21/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Warning ssh (22/tcp)
The remote SSH daemon supports connections made
using version 1.33 and/or 1.5 of the SSH protocol.

These protocol versions have known cryptographic
weaknesses, so they should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'

Risk factor : Low
Nessus ID : 10882
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-1.99-OpenSSH_3.5p1

Remote SSH supported authentication : publickey,password,keyboard-interactive


Nessus ID : 10267
Informational ssh (22/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0


SSHv1 host key fingerprint : 8b:c7:2a:20:64:88:4d:41:19:c3:1b:8b:3d:da:b2:2c
SSHv2 host key fingerprint : 4d:fa:da:5c:0c:d3:a9:18:84:3a:26:f7:9a:5e:84:a1

Nessus ID : 10881
Warning smtp (25/tcp)
The remote SMTP server answers to the EXPN and/or VRFY commands.

The EXPN command can be used to find the delivery address of mail aliases, or
even the full name of the recipients, and the VRFY command may be used to check
the validity of an account.


Your mailer should not allow remote users to use either of these commands,
because they give away too much information.


Solution : if you are using Sendmail, add the option :

O PrivacyOptions=goaway

in /etc/sendmail.cf.

Risk factor : Low
CVE : CVE-1999-0531
Nessus ID : 10249
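The VRFY/EXPN finding above (Nessus ID 10249) is an enumeration oracle: the interesting part is not only a 250 (name confirmed) but the fact that the server answers differently for a valid and an invalid name, so a 550 leaks just as much. The check below is an added example written for this report, not Nessus code and not part of the original page. It greets the server, issues VRFY and EXPN for a list of candidate names, classifies each reply code, and flags the server when any reply distinguishes existing from non-existing names; a 252 or a 502 (what Sendmail returns with PrivacyOptions=goaway) does not. The HELO name probe.example.net, the candidate names and the transcript are assumptions; the transcript is constructed in the style of the Sendmail 8.12 banner in the report so the check runs offline.

```python
"""VRFY/EXPN user-enumeration check for an SMTP server (RFC 5321 sections 3.5 and 7.3)."""
import io
import socket


def read_reply(rf):
    """Read one SMTP reply; continuation lines carry '-' right after the 3-digit code."""
    lines = []
    while True:
        line = rf.readline().decode("latin-1")
        if not line:
            raise EOFError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if line[3:4] != "-":
            return int(line[:3]), lines


def command(wf, rf, line):
    wf.write((line + "\r\n").encode("latin-1"))
    wf.flush()
    return read_reply(rf)


def classify(code):
    """What a VRFY/EXPN reply code tells the remote party."""
    if code in (250, 251):
        return "confirmed"         # address or alias exists (251: will be forwarded)
    if code == 252:
        return "ambiguous"         # server will not confirm but accepts mail: no leak
    if code in (550, 551, 553):
        return "unknown user"      # existence denied: still a leak, valid and invalid differ
    if code in (500, 502, 504):
        return "command disabled"  # e.g. Sendmail PrivacyOptions=goaway (novrfy, noexpn)
    return "other (%d)" % code


def check_smtp(rf, wf, names, helo="probe.example.net"):
    """Greet the server, VRFY and EXPN each name; returns per-command verdicts and a leak flag."""
    read_reply(rf)                                  # 220 banner
    code, _ = command(wf, rf, "EHLO " + helo)
    if code != 250:                                 # pre-ESMTP server: fall back to HELO
        command(wf, rf, "HELO " + helo)
    results = {"VRFY": {}, "EXPN": {}}
    for verb in ("VRFY", "EXPN"):
        for name in names:
            code, _ = command(wf, rf, "%s %s" % (verb, name))
            results[verb][name] = classify(code)
    command(wf, rf, "QUIT")
    results["leaks"] = any(v in ("confirmed", "unknown user")
                           for verb in ("VRFY", "EXPN") for v in results[verb].values())
    return results


def probe(host, names=("root", "postmaster"), port=25, timeout=10):
    """Run check_smtp against a live server."""
    with socket.create_connection((host, port), timeout) as s:
        with s.makefile("rb") as rf, s.makefile("wb") as wf:
            return check_smtp(rf, wf, names)


# Constructed transcript (not captured from the scanned host): VRFY and EXPN are answered
# with 250 for an existing name and 550 for an unknown one, so names can be enumerated.
SAMPLE_TRANSCRIPT = (
    b"220 surt.example ESMTP Sendmail 8.12.8/8.12.8; Mon, 6 Feb 2006 12:58:11 -0600\r\n"
    b"250-surt.example Hello probe.example.net [203.0.113.7], pleased to meet you\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250 HELP\r\n"
    b"250 2.1.5 root <root@surt.example>\r\n"           # VRFY root
    b"550 5.1.1 nosuchuser... User unknown\r\n"         # VRFY nosuchuser
    b"250 2.1.5 <root@surt.example>\r\n"                # EXPN root
    b"550 5.1.1 nosuchuser... User unknown\r\n"         # EXPN nosuchuser
    b"221 2.0.0 surt.example closing connection\r\n"
)


def demo():
    """Run the check against the constructed transcript; returns (results, bytes we sent)."""
    rf, wf = io.BytesIO(SAMPLE_TRANSCRIPT), io.BytesIO()
    return check_smtp(rf, wf, ("root", "nosuchuser")), wf.getvalue()


if __name__ == "__main__":
    print(demo())
```

After applying the goaway fix from the finding, re-run the check: every entry should read "command disabled", and "leaks" should be False.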
Informational smtp (25/tcp) An SMTP server is running on this port
Here is its banner :
220 surt.csit.parkland.edu ESMTP Sendmail 8.12.8/8.12.8; Mon, 6 Feb 2006 12:58:11 -0600
Nessus ID : 10330
Informational smtp (25/tcp)
Synopsis :

An SMTP server is listening on the remote port.

Description :

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are targets for spammers, it is recommended that you
disable this service if you do not use it.

Solution :

Disable this service if you do not use it, or filter incoming traffic
to this port.

Risk factor :

None

Plugin output :

Remote SMTP server banner :
220 surt.csit.parkland.edu ESMTP Sendmail 8.12.8/8.12.8; Mon, 6 Feb 2006 12:58:11 -0600
Nessus ID : 10263
Informational smtp (25/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Informational time (37/tcp) A time server seems to be running on this port
Nessus ID : 10330
Informational time (37/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Warning domain (53/tcp)
The remote name server allows DNS zone transfers to be performed.
A zone transfer will allow the remote attacker to instantly populate
a list of potential targets. In addition, companies often use a naming
convention which can give hints as to a server's primary application
(for instance, proxy.company.com, payroll.company.com, b2b.company.com, etc.).

As such, this information is of great use to an attacker who may use it
to gain information about the topology of your network and spot new
targets.

Solution: Restrict DNS zone transfers to only the servers that absolutely
need it.

Risk factor : Medium
CVE : CVE-1999-0532
Nessus ID : 10595
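The zone-transfer finding above (Nessus ID 10595) is usually verified with dig's axfr mode; the following added example, written for this report and not part of the original page or of Nessus, does the same with the standard library only, so the wire format is visible: a 12-byte header, one question of type AXFR (252) over TCP with the 2-byte length prefix, and a reply whose records start and end with the zone's SOA. A REFUSED (rcode 5) reply means the server's transfer ACL is doing its job. The zone name example.com, the transaction id 0x1234 and the two sample replies are assumptions; the replies are constructed so the parser can be exercised offline.

```python
"""DNS zone-transfer (AXFR) check using only the standard library (RFC 1035, RFC 5936)."""
import socket
import struct

QTYPE_AXFR, QCLASS_IN, TYPE_SOA = 252, 1, 6
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_axfr_query(zone, xid):
    """Header with QDCOUNT=1, one AXFR question, framed with the TCP length prefix."""
    msg = struct.pack("!HHHHHH", xid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack("!H", len(msg)) + msg


def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Return (rcode name, list of RR types) for one DNS message of the transfer."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return RCODE.get(flags & 0x0F, str(flags & 0x0F)), types


def summarize(messages):
    """Fold the reply messages into a verdict; a complete transfer begins and ends with the SOA."""
    rcode, types = messages[0][0], [t for _, ts in messages for t in ts]
    if rcode != "NOERROR":
        return {"status": rcode, "records": 0}      # REFUSED: allow-transfer is in effect
    if not types:
        return {"status": "empty reply", "records": 0}
    complete = types[0] == TYPE_SOA and types.count(TYPE_SOA) >= 2
    return {"status": "transfer allowed" if complete else "partial", "records": len(types)}


def axfr(host, zone, port=53, timeout=10, xid=0x1234):
    """Attempt a live transfer; stops at the closing SOA, an error, or an empty message."""
    messages = []
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_axfr_query(zone, xid))
        rf = s.makefile("rb")
        while True:
            hdr = rf.read(2)
            if len(hdr) < 2:
                break
            msg = rf.read(struct.unpack("!H", hdr)[0])
            if msg[:2] != struct.pack("!H", xid):
                raise ValueError("transaction id mismatch")
            messages.append(parse_message(msg))
            if messages[-1][0] != "NOERROR" or not messages[-1][1] \
                    or sum(t == TYPE_SOA for _, ts in messages for t in ts) >= 2:
                break
    return summarize(messages)


def _rr(name, rtype, rdata, ttl=3600):
    return name + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


# Constructed replies (not captured from the scanned host). The first is an authoritative
# answer carrying a three-record zone, i.e. what an open AXFR returns; the second is a refusal.
APEX = b"\xc0\x0c"                                     # pointer to the zone name in the question
SOA_RDATA = APEX + APEX + struct.pack("!IIIII", 2006020601, 3600, 900, 604800, 86400)
QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
SAMPLE_OPEN = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + QUESTION
               + _rr(APEX, TYPE_SOA, SOA_RDATA)
               + _rr(b"\x03www" + APEX, 1, bytes([192, 0, 2, 1]))
               + _rr(APEX, TYPE_SOA, SOA_RDATA))
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION
```

On BIND the fix from the finding is an allow-transfer statement listing only the secondaries, in the options block or per zone, e.g. allow-transfer { 192.0.2.2; }; (address assumed); afterwards both this check and dig @server zone axfr should report REFUSED.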
Informational domain (53/tcp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Informational domain (53/tcp)
It was possible to determine that the remote BIND
server is running BIND 9.x by querying it for the AUTHORS
record (authors.bind, class CHAOS).

It is recommended you change the source code to prevent
attackers from fingerprinting your server.

Risk factor : Low
Nessus ID : 10728
Informational domain (53/tcp) identd reveals that this service is running as user 2

Nessus ID : 14674
Warning finger (79/tcp)
The 'finger' service provides useful information to attackers, since it allows
them to learn usernames, check whether a machine is in use, and so on.

Here is the output we obtained for 'root' :

Login: root Name: (null)
Directory: /root Shell: /bin/bash
Last login Mon Feb 6 12:45 (CST) on tty1
Mail last read Thu Jan 26 20:39 2006 (CST)
No Plan.


Solution : comment out the 'finger' line in /etc/inetd.conf
Risk factor : Low
CVE : CVE-1999-0612
Nessus ID : 10068
Informational finger (79/tcp) A finger server seems to be running on this port
Nessus ID : 10330
Informational finger (79/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Vulnerability http (80/tcp)
The remote host appears to be running a version of Apache which is older
than 1.3.29

There are several flaws in this version, which may allow an attacker to
possibly execute arbitrary code through mod_alias and mod_rewrite.

You should upgrade to 1.3.29 or newer.

*** Note that Nessus solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive

Solution : Upgrade to version 1.3.29
See also : http://www.apache.org/dist/httpd/Announcement.html
Risk factor : High
CVE : CVE-2003-0542
BID : 8911
Nessus ID : 11915
Vulnerability http (80/tcp)
The remote host is using a version of mod_ssl which is
older than 2.8.18.

This version is vulnerable to a flaw which may allow an attacker to disable
the remote web site remotely, or to execute arbitrary code on the remote
host.

*** Note that several Linux distributions patched the old version of
*** this module. Therefore, this alert might be a false positive. Please
*** check with your vendor to determine if you really are vulnerable to
*** this flaw

Solution : Upgrade to version 2.8.18 (Apache 1.3) or to Apache 2.0.50
Risk factor : Low
CVE : CVE-2004-0488
BID : 10355
Other references : OSVDB:6472
Nessus ID : 12255
Vulnerability http (80/tcp)
The remote host is using a vulnerable version of mod_ssl, one
older than 2.8.19. There is a format string condition in the
log functions of the remote module which may allow an attacker to
execute arbitrary code on the remote host.

*** Some vendors patched older versions of mod_ssl, so this
*** might be a false positive. Check with your vendor to determine
*** if you have a version of mod_ssl that is patched for this
*** vulnerability

Solution : Upgrade to version 2.8.19 or newer
Risk factor : High
CVE : CVE-2004-0700
BID : 10736
Nessus ID : 13651
Warning http (80/tcp)
The remote host is using a version of OpenSSL which is
older than 0.9.6j or 0.9.7b

This version is vulnerable to a timing based attack which may
allow an attacker to guess the content of fixed data blocks and
may eventually be able to guess the value of the private RSA key
of the server.

An attacker may use this implementation flaw to sniff the
data going to this host and decrypt some parts of it, as well
as impersonate your server and perform man in the middle attacks.

*** Nessus solely relied on the banner of the remote host
*** to issue this warning

See also : http://www.openssl.org/news/secadv_20030219.txt
http://lasecwww.epfl.ch/memo_ssl.shtml
http://eprint.iacr.org/2003/052/

Solution : Upgrade to version 0.9.6j (0.9.7b) or newer
Risk factor : Medium
CVE : CVE-2003-0078, CVE-2003-0131, CVE-2003-0147
BID : 6884, 7148
Other references : RHSA:RHSA-2003:101-01, SuSE:SUSE-SA:2003:024
Nessus ID : 11267
Warning http (80/tcp)
The remote web server appears to be running a version of Apache that is older
than version 1.3.32.

This version is vulnerable to a heap-based buffer overflow in proxy_util.c
in mod_proxy. This issue may allow remote attackers to cause a denial of
service and possibly execute arbitrary code on the server.

Solution: Don't use mod_proxy or upgrade to a newer version.
Risk factor: Medium
CVE : CVE-2004-0492
BID : 10508
Nessus ID : 15555
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) The following directories were discovered:
/cgi-bin, /icons, /manual

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

Other references : OWASP:OWASP-CM-006
Nessus ID : 11032
Informational http (80/tcp) The remote web server type is :

Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7a


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
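Five of the http findings above are nothing more than comparisons of this Server header against the fixed-in versions the findings quote, which is why each carries a false-positive caveat. The following added example (written for this report, not Nessus code and not part of the original page) reproduces that logic: it parses the header, compares each component against the branch-specific fixed-in version, and returns the list of findings. Running it on a banner from a distribution that backports fixes gives the same five hits, because the banner cannot reflect a backport; with ServerTokens Prod it finds nothing at all. The table of versions and CVE labels comes from the findings above; the function names are mine.

```python
"""Banner-based version assessment for the Apache, mod_ssl and OpenSSL findings."""
import re

# Fixed-in versions quoted by the findings, keyed by component and restricted to the
# release branch they apply to (the OpenSSL fix is 0.9.6j on one branch, 0.9.7b on the other).
FIXED_IN = {
    "Apache":  [("1.3.", "1.3.29", "CVE-2003-0542 mod_alias/mod_rewrite"),
                ("1.3.", "1.3.32", "CVE-2004-0492 mod_proxy heap overflow")],
    "mod_ssl": [("2.8.", "2.8.18", "CVE-2004-0488"),
                ("2.8.", "2.8.19", "CVE-2004-0700 log format string")],
    "OpenSSL": [("0.9.6", "0.9.6j", "CVE-2003-0078/0131/0147 timing attack"),
                ("0.9.7", "0.9.7b", "CVE-2003-0078/0131/0147 timing attack")],
}


def parse_server_header(value):
    """'Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7a' -> {'Apache': '1.3.27', ...}.
    With 'ServerTokens Prod' the header is just 'Apache' and nothing can be parsed."""
    return dict(re.findall(r"([A-Za-z_][\w-]*)/([0-9][\w.-]*)", value))


def version_key(version):
    """Sortable key: each dotted piece becomes (number, letter suffix), so 0.9.7a < 0.9.7b < 0.9.8."""
    key = []
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        key.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return tuple(key)


def assess(server_header):
    """(component, seen, fixed, issue) for every finding whose fixed-in version is newer than the banner."""
    seen = parse_server_header(server_header)
    findings = []
    for component, checks in FIXED_IN.items():
        version = seen.get(component)
        if version is None:
            continue
        for branch, fixed, issue in checks:
            if version.startswith(branch) and version_key(version) < version_key(fixed):
                findings.append((component, version, fixed, issue))
    return findings


if __name__ == "__main__":
    for finding in assess("Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7a"):
        print("%s %s < %s: %s" % finding)
```

To settle the false-positive question on a packaged Apache, check the package changelog rather than the banner, e.g. rpm -q --changelog httpd | grep -i CVE-2004-0492 on an RPM-based system.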
Informational http (80/tcp)
Synopsis :

The remote Apache server can be used to guess the presence of a given user
name on the remote host.

Description :

When configured with the 'UserDir' option, requests to URLs containing a tilde
followed by a username will redirect the user to a given subdirectory in the
user home.

For instance, by default, requesting /~root/ displays the HTML contents from
/root/public_html/.

If the username requested does not exist, then Apache will reply with a
different error code. Therefore, an attacker may exploit this vulnerability
to guess the presence of a given user name on the remote host.

Solution :

In httpd.conf, set the 'UserDir' to 'disabled'.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Nessus ID : 10766
Informational http (80/tcp) identd reveals that this service is running as user 99

Nessus ID : 14674
Informational http (80/tcp)
Synopsis :

Debugging functions are enabled on the remote HTTP server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving
him their credentials.

Solution :

Disable these methods.

See also :

http://www.kb.cert.org/vuls/id/867593

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :


Solution :
Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Nessus ID : 11213
Informational pop3 (110/tcp) A pop3 server is running on this port
Nessus ID : 10330
Informational pop3 (110/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Informational sunrpc (111/tcp)
The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CVE-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223
Informational sunrpc (111/tcp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
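The RPC entries in this report (Nessus ID 11111: portmapper, rquotad, mountd, status) come from a single portmapper DUMP call, the same thing rpcinfo -p does. The added example below, written for this report and not part of the original page or of Nessus, builds that call by hand (ONC RPC v2, AUTH_NULL credentials, one TCP record fragment), decodes the reply's mapping list and prints program, version, transport and port. The transaction id, the program-name table and the sample reply are assumptions; the reply is constructed to carry the kind of mappings the report shows so the decoder can be checked offline.

```python
"""rpcinfo -p by hand: PMAPPROC_DUMP over ONC RPC v2 (RFC 1833 / RFC 5531)."""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
PROTO = {6: "tcp", 17: "udp"}
# Well-known program numbers; the names match what the report prints for this host.
PROG_NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd", 100011: "rquotad",
              100021: "nlockmgr", 100024: "status"}


def build_dump_call(xid):
    """RPC CALL for portmapper DUMP with AUTH_NULL cred and verf, in one TCP record fragment."""
    body = struct.pack("!IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)   # 0 = CALL, rpcvers 2
    body += struct.pack("!IIII", 0, 0, 0, 0)      # cred: flavor AUTH_NULL, length 0; verf: the same
    return struct.pack("!I", 0x80000000 | len(body)) + body   # high bit marks the last fragment


def parse_dump_reply(body, xid):
    """Decode an accepted REPLY into [(program, version, proto, port), ...]."""
    rxid, mtype, reply_stat = struct.unpack("!III", body[:12])
    if rxid != xid or mtype != 1 or reply_stat != 0:
        raise ValueError("not a matching accepted reply")
    _, verf_len = struct.unpack("!II", body[12:20])
    off = 20 + ((verf_len + 3) & ~3)              # opaque verifier, padded to 4 bytes
    (accept_stat,) = struct.unpack("!I", body[off:off + 4])
    off += 4
    if accept_stat != 0:
        raise ValueError("accept_stat %d" % accept_stat)
    entries = []
    while struct.unpack("!I", body[off:off + 4])[0]:   # XDR optional: 1 = another mapping follows
        prog, vers, prot, port = struct.unpack("!IIII", body[off + 4:off + 20])
        entries.append((prog, vers, PROTO.get(prot, str(prot)), port))
        off += 20
    return entries


def describe(entries):
    """One line per mapping, in the style of rpcinfo -p."""
    return ["%d v%d %-10s %s/%d" % (p, v, PROG_NAMES.get(p, "unknown"), proto, port)
            for p, v, proto, port in entries]


def rpc_dump(host, port=111, timeout=10, xid=0x2A2A2A2A):
    """Live query; reassembles the reply's record fragments before decoding."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_dump_call(xid))
        rf, body = s.makefile("rb"), b""
        while True:
            mark = struct.unpack("!I", rf.read(4))[0]
            body += rf.read(mark & 0x7FFFFFFF)
            if mark & 0x80000000:
                break
    return parse_dump_reply(body, xid)


def _mapping(prog, vers, prot, port):
    return struct.pack("!IIIII", 1, prog, vers, prot, port)


# Constructed reply (not captured from the scanned host): accepted reply, empty verifier,
# four mappings of the kind the report lists, then the terminating 0.
SAMPLE_REPLY = (struct.pack("!III", 0x2A2A2A2A, 1, 0) + struct.pack("!II", 0, 0) + struct.pack("!I", 0)
                + _mapping(100000, 2, 6, 111) + _mapping(100005, 3, 6, 32768)
                + _mapping(100024, 1, 6, 32769) + _mapping(100003, 2, 17, 2049) + struct.pack("!I", 0))


def demo():
    return parse_dump_reply(SAMPLE_REPLY, 0x2A2A2A2A)


if __name__ == "__main__":
    print("\n".join(describe(demo())))
```

The practical point of the dump is the mountd and nfs entries: they tell an attacker which high ports to talk to even if 2049 and 111 are filtered by name, which is why the finding recommends filtering the portmapper port and, by extension, the dynamically assigned RPC ports too.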
Informational sunrpc (111/tcp) identd reveals that this service is running as user 32

Nessus ID : 14674
Informational auth (113/tcp) An identd server is running on this port
Nessus ID : 10330
Informational auth (113/tcp)
The remote host is running an ident (also known as 'auth') daemon.

The 'ident' service provides sensitive information to potential
attackers. It mainly says which accounts are running which services.
This helps attackers to focus on valuable services (those
owned by root). If you do not use this service, disable it.

Solution : Under Unix systems, comment out the 'auth' or 'ident'
line in /etc/inetd.conf and restart inetd

Risk factor : Low
CVE : CVE-1999-0629
Nessus ID : 10021
Informational auth (113/tcp) identd reveals that this service is running as user 99

Nessus ID : 14674
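Every "identd reveals that this service is running as user N" line in this report (Nessus ID 14674) comes from the exchange the ident finding describes: the scanner connects to a service, then asks the same host's identd on port 113 which account owns the server side of that connection. The added example below, written for this report and not Nessus code, performs and parses that exchange, and flags the services that answer with uid 0, since any bug in those (here: ftp, ssh, smtp, pop3, imap, netbios-ssn) is a root bug. The RFC 1413 user-id field is an opaque string, so the daemon may return a numeric uid (as this host does) or an account name; both forms are handled. The sample replies and the service names are constructed assumptions.

```python
"""The RFC 1413 lookup behind 'identd reveals that this service is running as user N'."""
import socket


def ident_request(server_port, client_port):
    """Ask identd who owns the connection <server_port on the target> <-> <client_port on us>."""
    return "%d , %d\r\n" % (server_port, client_port)


def parse_ident_reply(line):
    """'21 , 51234 : USERID : UNIX : 0' -> dict; ERROR replies carry the error token instead."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    server_port, client_port = (int(p) for p in parts[0].split(","))
    reply = {"server_port": server_port, "client_port": client_port, "status": parts[1]}
    if parts[1] == "USERID":
        reply["os"], reply["user"] = parts[2], parts[3]
    else:
        reply["error"] = parts[2]
    return reply


def runs_as_root(reply):
    """identd may return the numeric uid or the account name; treat both root spellings alike."""
    return reply.get("user") in ("0", "root")


def service_owner(host, service_port, ident_port=113, timeout=10):
    """Open a connection to the service, then ask the same host's identd about that connection.
    Note: identd matches on the port pair it sees, so this fails through NAT."""
    with socket.create_connection((host, service_port), timeout) as svc:
        our_port = svc.getsockname()[1]
        with socket.create_connection((host, ident_port), timeout) as idn:
            idn.sendall(ident_request(service_port, our_port).encode("ascii"))
            line = idn.makefile("rb").readline().decode("latin-1")
    return parse_ident_reply(line)


# Constructed replies (not captured from the host), in the shape identd produces.
SAMPLE_REPLIES = {
    "ftp": "21 , 51234 : USERID : UNIX : 0",
    "http": "80 , 51235 : USERID : UNIX : 99",
    "dns": "53 , 51236 : USERID : UNIX : 2",
    "closed": "8080 , 51237 : ERROR : NO-USER",
}


def root_services(replies=SAMPLE_REPLIES):
    """Names of services whose listener runs as uid 0: the ones where any bug is a root bug."""
    return sorted(name for name, line in replies.items() if runs_as_root(parse_ident_reply(line)))


if __name__ == "__main__":
    print(root_services())
```

Disabling identd (the fix in the finding) removes this oracle, but not the underlying problem it exposed: the services themselves should be running under dedicated unprivileged accounts, as httpd (uid 99) and the name server (uid 2) already are on this host.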
Vulnerability netbios-ssn (139/tcp)
The remote Samba server, according to its version number, is vulnerable
to a remote file access vulnerability.


This vulnerability allows an attacker to access arbitrary files which exist
outside of the share's defined path.

An attacker needs a valid account to exploit this flaw.

Solution : Upgrade to Samba 2.2.11 or 3.0.7
Risk factor : High
CVE : CVE-2004-0815
BID : 11216, 11281
Nessus ID : 15394
Vulnerability netbios-ssn (139/tcp)
The remote Samba server, according to its version number,
is vulnerable to a buffer overflow if the option 'mangling method' is
set to 'hash' in smb.conf (which is not the case by default).

An attacker may exploit this flaw to execute arbitrary commands on the remote
host.

Solution : upgrade to Samba 2.2.10 or 3.0.5
See also : http://us1.samba.org/samba/whatsnew/samba-2.2.10.html
See also : http://us1.samba.org/samba/whatsnew/samba-3.0.5.html
Risk factor : High
CVE : CVE-2004-0686
BID : 10781
Other references : OSVDB:8191
Nessus ID : 13657
Vulnerability netbios-ssn (139/tcp)
The remote Samba server, according to its version number, is vulnerable to
a remote buffer overrun resulting from an integer overflow vulnerability.

To exploit this flaw, an attacker would need to send to the remote host
a malformed packet containing hundreds of thousands of ACLs, which would
in turn cause an integer overflow resulting in an undersized buffer being allocated.

An attacker needs a valid account or enough credentials to exploit this
flaw.

Solution : Upgrade to Samba 3.0.10 when available
Risk factor : High
CVE : CVE-2004-1154
BID : 11973
Nessus ID : 15985
Vulnerability netbios-ssn (139/tcp)
The remote Samba server is vulnerable to a buffer overflow
when it processes the function trans2open().

An attacker may exploit this flaw to gain a root shell on
this host.

Solution : upgrade to Samba 2.2.8a or 3.0.0
Risk factor : High
CVE : CVE-2003-0201, CVE-2003-0196
BID : 7294, 7295
Other references : RHSA:RHSA-2003:137-02, SuSE:SUSE-SA:2003:025
Nessus ID : 11523
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational netbios-ssn (139/tcp)
Synopsis :

It is possible to obtain information about the remote OS.

Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

Risk factor :

None

Plugin output :

The remote Operating System is : Unix
The remote native lan manager is : Samba 2.2.8
The remote SMB Domain Name is : CSC130

Nessus ID : 10785
Informational netbios-ssn (139/tcp)
Synopsis :

It is possible to logon on the remote host.

Description :

The remote host is running an SMB server (Microsoft Windows or Samba). It
was possible to log on using one of the following
accounts :

- NULL session
- Guest account
- Given Credentials

See Also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Risk Factor :

none

Plugin output :

- NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational netbios-ssn (139/tcp)
Synopsis :

It is possible to obtain network information.

Description :

It was possible to obtain the browse list of the remote
Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the Windows systems
nearest to the remote host.

Risk factor :

None

Plugin output :

Here is the browse list of the remote host :

SURT ( os: 0.0 )

Nessus ID : 10397
Informational netbios-ssn (139/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Informational imap (143/tcp) An IMAP server is running on this port
Nessus ID : 10330
Informational imap (143/tcp)
Synopsis :

An IMAP server is running on the remote host.

Description :

An IMAP (Internet Message Access Protocol) server is
installed and running on the remote host.

Risk factor :

None

Plugin output :

The remote imap server banner is :
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] surt.csit.parkland.edu IMAP4rev1 2002.336 at Mon, 6 Feb 2006 12:58:11 -0600 (CST)
Nessus ID : 11414
Informational imap (143/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Vulnerability https (443/tcp)
The remote host appears to be running a version of Apache which is older
than 1.3.29

There are several flaws in this version, which may allow an attacker to
possibly execute arbitrary code through mod_alias and mod_rewrite.

You should upgrade to 1.3.29 or newer.

*** Note that Nessus solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive

Solution : Upgrade to version 1.3.29
See also : http://www.apache.org/dist/httpd/Announcement.html
Risk factor : High
CVE : CVE-2003-0542
BID : 8911
Nessus ID : 11915
Vulnerability https (443/tcp)
The remote host is using a version of mod_ssl which is
older than 2.8.18.

This version is vulnerable to a flaw which may allow an attacker to disable
the remote web site remotely, or to execute arbitrary code on the remote
host.

*** Note that several Linux distributions patched the old version of
*** this module. Therefore, this alert might be a false positive. Please
*** check with your vendor to determine if you really are vulnerable to
*** this flaw

Solution : Upgrade to version 2.8.18 (Apache 1.3) or to Apache 2.0.50
Risk factor : Low
CVE : CVE-2004-0488
BID : 10355
Other references : OSVDB:6472
Nessus ID : 12255
Vulnerability https (443/tcp)
The remote host is using a vulnerable version of mod_ssl, one
older than 2.8.19. There is a format string condition in the
log functions of the remote module which may allow an attacker to
execute arbitrary code on the remote host.

*** Some vendors patched older versions of mod_ssl, so this
*** might be a false positive. Check with your vendor to determine
*** if you have a version of mod_ssl that is patched for this
*** vulnerability

Solution : Upgrade to version 2.8.19 or newer
Risk factor : High
CVE : CVE-2004-0700
BID : 10736
Nessus ID : 13651
Warning https (443/tcp)
The remote host is using a version of OpenSSL which is
older than 0.9.6j or 0.9.7b

This version is vulnerable to a timing based attack which may
allow an attacker to guess the content of fixed data blocks and
may eventually be able to guess the value of the private RSA key
of the server.

An attacker may use this implementation flaw to sniff the
data going to this host and decrypt some parts of it, as well
as impersonate your server and perform man in the middle attacks.

*** Nessus solely relied on the banner of the remote host
*** to issue this warning

See also : http://www.openssl.org/news/secadv_20030219.txt
http://lasecwww.epfl.ch/memo_ssl.shtml
http://eprint.iacr.org/2003/052/

Solution : Upgrade to version 0.9.6j (0.9.7b) or newer
Risk factor : Medium
CVE : CVE-2003-0078, CVE-2003-0131, CVE-2003-0147
BID : 6884, 7148
Other references : RHSA:RHSA-2003:101-01, SuSE:SUSE-SA:2003:024
Nessus ID : 11267
Warning https (443/tcp)
The remote web server appears to be running a version of Apache that is older
than version 1.3.32.

This version is vulnerable to a heap-based buffer overflow in proxy_util.c
in mod_proxy. This issue may allow remote attackers to cause a denial of
service and possibly execute arbitrary code on the server.

Solution: Don't use mod_proxy or upgrade to a newer version.
Risk factor: Medium
CVE : CVE-2004-0492
BID : 10508
Nessus ID : 15555
Informational https (443/tcp) A SSLv2 server answered on this port

Nessus ID : 10330
Informational https (443/tcp) A web server is running on this port through SSL
Nessus ID : 10330
Informational https (443/tcp) The following directories were discovered:
/cgi-bin, /icons, /manual

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

Other references : OWASP:OWASP-CM-006
Nessus ID : 11032
Informational https (443/tcp) The remote web server type is :

Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7a


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
Informational https (443/tcp) Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Illinois, L=Champaign, O=Parkland CSIT, OU=CSC Security Courses, CN=secure.csit.parkland.edu/emailAddress=smauney@parkland.edu
Validity
Not Before: Oct 13 20:45:34 2004 GMT
Not After : Oct 13 20:45:34 2006 GMT
Subject: C=US, ST=Illinois, L=Champaign, O=Parkland CSIT, OU=CSC Security Courses, CN=secure.csit.parkland.edu/emailAddress=smauney@parkland.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c0:09:bd:16:34:e9:d8:56:e7:c3:67:b6:82:82:
54:72:45:16:c8:a4:db:9d:d3:2b:33:c4:59:13:ac:
e7:c9:25:75:be:5f:83:81:b5:9f:69:eb:57:3a:6c:
f0:53:b9:a5:09:29:58:1a:b8:0e:06:17:44:7c:fe:
da:06:f0:f5:47:92:11:32:93:1b:35:9b:12:02:18:
01:21:c1:15:33:1a:39:8b:f6:14:44:2b:f4:eb:0c:
ce:b0:3b:f5:1e:6b:a8:53:af:a3:88:40:5b:11:5d:
7a:d4:ec:8d:86:f3:e7:4f:cc:84:14:2f:a6:d0:70:
74:31:2e:6a:fb:dd:f8:e7:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
00:96:CC:99:9B:8F:86:25:32:59:4F:AD:E9:99:EE:32:28:77:C3:5D
X509v3 Authority Key Identifier:
keyid:00:96:CC:99:9B:8F:86:25:32:59:4F:AD:E9:99:EE:32:28:77:C3:5D
DirName:/C=US/ST=Illinois/L=Champaign/O=Parkland CSIT/OU=CSC Security Courses/CN=secure.csit.parkland.edu/emailAddress=smauney@parkland.edu
serial:00

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
67:e0:e8:19:76:30:17:17:4f:bc:89:9a:ed:73:b7:db:45:1e:
39:62:64:ef:77:9f:f9:49:3d:12:58:9e:ed:02:91:26:63:26:
ef:e5:c4:c0:ec:77:4e:56:ef:1a:c0:f8:19:27:7e:be:d8:bd:
d9:f3:cc:bc:45:d3:9f:b0:1b:b7:e9:fe:1b:b6:1d:1a:c0:fd:
58:e8:84:51:cf:2b:a1:9b:34:70:04:eb:03:04:0c:9e:be:6f:
4e:d1:4b:9d:40:60:50:89:11:75:07:bb:9c:a4:14:83:5e:2b:
8e:d5:1c:8a:03:ea:7b:41:b7:b8:e6:9a:85:c6:fe:06:4d:a9:
00:c6
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also
0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by export-grade
or badly configured client software. They offer only
limited protection against a brute force attack

Solution: disable those ciphers and upgrade your client
software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.

Nessus ID : 10863
Informational https (443/tcp)
Synopsis :

The remote Apache server can be used to guess the presence of a given user
name on the remote host.

Description :

When configured with the 'UserDir' option, requests to URLs containing a tilde
followed by a username will redirect the user to a given subdirectory in the
user home.

For instance, by default, requesting /~root/ displays the HTML contents from
/root/public_html/.

If the username requested does not exist, then Apache will reply with a
different error code. Therefore, an attacker may exploit this vulnerability
to guess the presence of a given user name on the remote host.

Solution :

In httpd.conf, set the 'UserDir' to 'disabled'.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Nessus ID : 10766
Informational https (443/tcp)
Synopsis :

The remote service encrypts traffic using a protocol with known
weaknesses.

Description :

The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit these
issues to conduct man-in-the-middle attacks or decrypt communications
between the affected service and clients.

See also :

http://www.schneier.com/paper-ssl.pdf

Solution :

Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Nessus ID : 20007
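The SSLv2 cipher list (Nessus ID 10863) and the SSL 2.0 finding above (Nessus ID 20007) both rest on one exchange: an SSLv2 CLIENT-HELLO, to which an SSLv2-capable server answers with a SERVER-HELLO listing the cipher kinds it accepts, while a stack with SSL 2.0 disabled closes the connection or returns a TLS alert. The following added example, written for this report and not part of the original page or of Nessus, builds that hello for all eight SSLv2 cipher kinds, parses the reply and buckets the ciphers by effective key size. One caveat on the plugin's own count: it reports 5 strong ciphers, but DES-CBC-MD5 (56-bit) and RC4-64-MD5 (64-bit) are on the list, and the code below classes those as medium rather than strong. The cipher-kind table is the SSLv2 specification's; the sample SERVER-HELLO is constructed (no certificate bytes, three cipher kinds) so the parser runs offline.

```python
"""SSLv2 CLIENT-HELLO probe: does the server still speak SSL 2.0, and with which ciphers?"""
import os
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each) and effective key sizes.
SSL2_CIPHERS = {
    b"\x01\x00\x80": ("RC4-MD5", 128),
    b"\x02\x00\x80": ("EXP-RC4-MD5", 40),
    b"\x03\x00\x80": ("RC2-CBC-MD5", 128),
    b"\x04\x00\x80": ("EXP-RC2-CBC-MD5", 40),
    b"\x05\x00\x80": ("IDEA-CBC-MD5", 128),
    b"\x06\x00\x40": ("DES-CBC-MD5", 56),
    b"\x07\x00\xc0": ("DES-CBC3-MD5", 168),
    b"\x08\x00\x80": ("RC4-64-MD5", 64),
}


def strength(bits):
    """40-bit export = weak; 56/64-bit = medium; 128-bit and up = strong."""
    return "weak" if bits < 56 else "medium" if bits < 112 else "strong"


def build_client_hello(challenge=None):
    """CLIENT-HELLO offering every cipher kind above, in a 2-byte-header (unpadded) SSLv2 record."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSL2_CIPHERS)
    body = (b"\x01" + b"\x00\x02"                                    # msg type CLIENT-HELLO, version 2
            + struct.pack("!HHH", len(specs), 0, len(challenge))    # spec len, session-id len, challenge len
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_response(record):
    """Classify the first record the server sends back."""
    if not record:
        return {"sslv2": False, "reason": "connection closed"}
    if record[0] == 0x15:                       # TLS alert record: a modern stack refusing SSLv2
        return {"sslv2": False, "reason": "TLS alert"}
    if not record[0] & 0x80:
        return {"sslv2": False, "reason": "not an SSLv2 record"}
    body = record[2:2 + (struct.unpack("!H", record[:2])[0] & 0x7FFF)]
    if body[0] != 0x04:                         # 0x04 = SERVER-HELLO, 0x00 = ERROR
        return {"sslv2": False, "reason": "SSLv2 message type %d" % body[0]}
    # SERVER-HELLO: type, session-id-hit, cert-type, version(2), cert-len(2), spec-len(2), conn-id-len(2)
    cert_len, spec_len, _ = struct.unpack("!HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    ciphers = [SSL2_CIPHERS.get(specs[i:i + 3], (specs[i:i + 3].hex(), 0)) for i in range(0, spec_len, 3)]
    summary = {"sslv2": True, "certificate_der": body[11:11 + cert_len], "ciphers": [n for n, _ in ciphers]}
    for bucket in ("weak", "medium", "strong"):
        summary[bucket] = [n for n, bits in ciphers if strength(bits) == bucket]
    return summary


def probe_sslv2(host, port=443, timeout=10):
    """Send the hello, read one complete record, classify it."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_client_hello())
        rec = s.recv(2)
        if len(rec) < 2 or not rec[0] & 0x80:
            return parse_response(rec)
        need = 2 + (struct.unpack("!H", rec)[0] & 0x7FFF)
        while len(rec) < need:
            chunk = s.recv(need - len(rec))
            if not chunk:
                break
            rec += chunk
    return parse_response(rec)


def sample_server_hello(spec_codes):
    """Constructed SERVER-HELLO (not captured from the host): no certificate, 16-byte connection id."""
    specs = b"".join(spec_codes)
    body = b"\x04\x00\x01\x00\x02" + struct.pack("!HHH", 0, len(specs), 16) + specs + b"\x00" * 16
    return struct.pack("!H", 0x8000 | len(body)) + body


SAMPLE_HELLO = sample_server_hello([b"\x01\x00\x80", b"\x02\x00\x80", b"\x06\x00\x40"])
```

On the Apache 1.3/mod_ssl build in this report the fix is SSLProtocol all -SSLv2 together with an SSLCipherSuite that excludes export and single-DES kinds; re-running the probe afterwards should give "connection closed" or "TLS alert" rather than a cipher list.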
Informational https (443/tcp) identd reveals that this service is running as user 99

Nessus ID : 14674
Informational https (443/tcp)
Synopsis :

Debugging functions are enabled on the remote HTTP server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving
him their credentials.

Solution :

Disable these methods.

See also :

http://www.kb.cert.org/vuls/id/867593

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :


Solution :
Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Nessus ID : 11213
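Two of the Apache findings reported on both port 80 and port 443 are behavioural rather than version-based: the TRACE/TRACK finding (Nessus ID 11213) and the UserDir name-guessing finding (Nessus ID 10766). The added example below, written for this report and not part of the original page or of Nessus, checks both with the standard library: for TRACE it sends a request carrying a random marker header and calls the method enabled only if the server echoes that marker back in a 200 body; for UserDir it first requests /~<random name>/ as a baseline and then reports a candidate name as existing when its status differs from the baseline, since the finding's point is the difference in response, not any particular code. The candidate names, the marker header name X-Xst-Probe, the helper names and the sample responses are assumptions; the samples are constructed so the classification runs offline.

```python
"""TRACE/TRACK (XST) and UserDir user-enumeration checks against an Apache server."""
import http.client
import secrets
import ssl

MARKER_HEADER = "X-Xst-Probe"


def classify_trace(status, body, marker):
    """TRACE echoes the request: if our marker header comes back in the body, the method is live."""
    if status == 200 and marker in body:
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "inconclusive (%d)" % status


def userdir_verdicts(baseline_status, statuses):
    """True for each user whose /~user/ status differs from the status for a name that cannot exist.
    Apache answers differently (typically 403 vs 404) when the home directory exists; that is the leak."""
    return {user: status != baseline_status for user, status in statuses.items()}


def connect(host, port=80, tls=False):
    if not tls:
        return http.client.HTTPConnection(host, port, timeout=10)
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # self-signed certificate, as in the report
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=10)


def fetch(conn, method, path, headers=None):
    """One request; http.client reopens the connection if the server closed it after the last reply."""
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    return resp.status, resp.read().decode("latin-1")


def probe_trace(conn):
    marker = secrets.token_hex(8)
    status, body = fetch(conn, "TRACE", "/", {MARKER_HEADER: marker})
    return classify_trace(status, body, marker)


def probe_userdir(conn, users):
    baseline, _ = fetch(conn, "GET", "/~%s/" % ("nx" + secrets.token_hex(6)))
    statuses = {user: fetch(conn, "GET", "/~%s/" % user)[0] for user in users}
    return userdir_verdicts(baseline, statuses)


# Constructed responses (not captured from the host): a TRACE echo with the marker present,
# and per-user statuses where 'root' and 'seans' differ from the non-existent baseline.
SAMPLE_TRACE = (200, "TRACE / HTTP/1.1\r\nHost: surt.example\r\n%s: deadbeefcafef00d\r\n\r\n" % MARKER_HEADER)
SAMPLE_USERDIR = {"baseline": 404, "root": 403, "seans": 403, "nobodyhome": 404}


def demo():
    trace = classify_trace(SAMPLE_TRACE[0], SAMPLE_TRACE[1], "deadbeefcafef00d")
    statuses = {u: s for u, s in SAMPLE_USERDIR.items() if u != "baseline"}
    return trace, userdir_verdicts(SAMPLE_USERDIR["baseline"], statuses)


if __name__ == "__main__":
    print(demo())
```

The mod_rewrite rule in the finding is the right fix for the Apache 1.3.27 in this report; Apache 1.3.34 and 2.0.55 and later also accept TraceEnable off, which needs no mod_rewrite. After setting UserDir disabled, every candidate in probe_userdir() should come back False because all /~name/ requests then return the same status.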
Warning printer (515/tcp)
LPRng seems to be running.

This daemon has a flaw (up to and including version 3.6.24) that would
let anyone remotely execute arbitrary commands on the server.

*** Nessus could not remotely determine with certainty whether the
version of LPRng this machine is running is vulnerable.

Solution: Make sure that you are running version 3.6.25 or newer
and filter incoming connections to TCP port 515.

Risk factor : High
CVE : CVE-2000-0917
BID : 1712
Nessus ID : 10522
Informational printer (515/tcp) identd reveals that this service is running as user 4

Nessus ID : 14674
Informational submission (587/tcp) An SMTP server is running on this port
Here is its banner :
220 surt.csit.parkland.edu ESMTP Sendmail 8.12.8/8.12.8; Mon, 6 Feb 2006 12:58:15 -0600
Nessus ID : 10330
Informational submission (587/tcp)
Synopsis :

An SMTP server is listening on the remote port.

Description :

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are targets for spammers, it is recommended that you
disable this service if you do not use it.

Solution :

Disable this service if you do not use it, or filter incoming traffic
to this port.

Risk factor :

None

Plugin output :

Remote SMTP server banner :
220 surt.csit.parkland.edu ESMTP Sendmail 8.12.8/8.12.8; Mon, 6 Feb 2006 12:58:15 -0600
Nessus ID : 10263
Informational submission (587/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Informational unknown (669/tcp) RPC program #100011 version 1 'rquotad' (rquotaprog quota rquota) is running on this port
RPC program #100011 version 2 'rquotad' (rquotaprog quota rquota) is running on this port

Nessus ID : 11111
Informational unknown (669/tcp) identd reveals that this service is running as user 0

Nessus ID : 14674
Informational unknown (901/tcp) A web server is running on this port
Nessus ID : 10330
Informational unknown (901/tcp)
Synopsis :

The remote host is running a web server for Samba administration.

Description :

The remote host is running SWAT, the Samba Web Administration Tool.

SWAT is a web-based configuration tool for Samba administration that
also allows for network-wide MS Windows network password management.

See also :

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html

Solution :

Either disable SWAT or limit access to authorized users and ensure that
it is set up with stunnel to encrypt network traffic.

Risk factor :

None
Nessus ID : 10273
Informational unknown (901/tcp) This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin.

Nessus ID : 10919
Informational unknown (32768/tcp) RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port

Nessus ID : 11111
Informational unknown (32769/tcp) RPC program #100024 version 1 'status' is running on this port

Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Informational doom (666/udp) RPC program #100011 version 1 'rquotad' (rquotaprog quota rquota) is running on this port
RPC program #100011 version 2 'rquotad' (rquotaprog quota rquota) is running on this port

Nessus ID : 11111
Vulnerability nfs (2049/udp) The following NFS shares could be mounted :
+ /tmp
+ Contents of /tmp :
- .
- ..
- .X11-unix
- kde-root
- pico.716100
- ksocket-root
- .ICE-unix
- mcop-root
- kde-smauney
- ksocket-smauney
- mcop-smauney
- PacketSnifferLab.txt
- go.doc
- goillini.doc
- dfostersig.txt
- Ethereal.lnk
- ie
- index.html
- kde-hostmgr
- ksocket-hostmgr
- mcop-hostmgr
- screenshots
- screen_captures
- pico.227703
- Sean Mauney.asc
- COMMAND.COM
- encrypted.txt
- kde-crohlfing1
- ksocket-crohlfing1
- mcop-crohlfing1
- Certificate Screen Capture.doc
- certificates
- CSC250screenshot.bmp
- certificates-again
- Jarnold screen capture
- certificates-jb

Make sure the proper access lists are set.
Risk factor : High
CVE : CVE-1999-0170, CVE-1999-0211, CVE-1999-0554
Nessus ID : 11356
Informational nfs (2049/udp) RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port

Nessus ID : 11111
Informational sometimes-rpc6 (32771/udp) RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port

Nessus ID : 11111
Informational sometimes-rpc8 (32772/udp) RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port

Nessus ID : 11111
Informational sometimes-rpc10 (32773/udp) RPC program #100024 version 1 'status' is running on this port

Nessus ID : 11111
Informational general/icmp
Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers ICMP timestamp requests. This allows an attacker
to learn the date and time which are set on your machine.

This may help him defeat all your time-based authentication protocols.

Solution : Filter out incoming ICMP timestamp requests (type 13) and outgoing ICMP
timestamp replies (type 14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0524
Nessus ID : 10114
Warning domain (53/udp)
Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.

Description :

It is possible to query the remote name server for third-party names.

If this is your internal name server, then ignore this warning.

If you are probing a remote name server, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This allows attackers to perform cache-poisoning attacks against this
name server.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also :

http://www.cert.org/advisories/CA-1997-22.html

Solution :

Restrict recursive queries to the hosts that should
use this name server (such as those on the LAN connected to it).

If you are using BIND 8, you can do this by using the 'allow-recursion'
directive in the 'options' section of your named.conf.

If you are using BIND 9, you can define a grouping of internal addresses
using the 'acl' statement.

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl; };'

For more info on BIND 9 administration (including recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678
Nessus ID : 10539
Informational domain (53/udp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Informational domain (53/udp) The remote name server could be fingerprinted as being one of the following :
ISC BIND 9.2.1
ISC BIND 9.2.2

Nessus ID : 11951
Informational general/tcp
Synopsis :

It is possible to obtain the version number of the remote DNS server.

Description :

The remote host is running BIND, an open-source DNS server. It is possible
to extract the version number of the remote installation by sending
a special DNS request for the text 'version.bind' in the domain 'chaos'.

Solution :

It is possible to hide the version number of BIND by using the 'version'
directive in the 'options' section of named.conf.

Risk factor :

None

Plugin output :

The version of the remote BIND server is : 9.2.2
Nessus ID : 10028
Informational general/tcp The remote host is running one of these operating systems :
Linux Kernel 2.6
Linux Kernel 2.4
Nessus ID : 11936
Informational general/tcp
Synopsis :

It may be possible to bypass firewall rules.

Description :

The remote host does not discard TCP SYN packets which have
the FIN flag set.

Depending on the kind of firewall you are using, an attacker
may use this flaw to bypass its rules.

See also :

http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution :

Contact your vendor for a patch.

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
BID : 7487
Nessus ID : 11618
Informational general/tcp Information about this scan :

Nessus version : 2.2.6
Plugin feed version : 200511080815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 216.125.250.104
Port scanner(s) : nmap nessus_tcp_scanner
Port range : 1-6000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Scan Start Date : 2006/2/6 11:42
Scan duration : 466 sec

Nessus ID : 19506
Informational netbios-ns (137/tcp)
Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on UDP port 137 and replies to NetBIOS
nbtscan requests.
By sending a wildcard request, it is possible to obtain the name of
the remote system and the name of its domain.

Risk factor :

None

Plugin output :

The following 9 NetBIOS names have been gathered :

SURT = Computer name
SURT = Messenger Service / Username
SURT = File Server Service
__MSBROWSE__ = Master Browser
CSC130 = Workgroup / Domain name
CSC130 = Domain Master Browser
CSC130 = Unknown usage
CSC130 = Master Browser
CSC130 = Browser Service Elections

This SMB server seems to be a SAMBA server (MAC address is NULL).
CVE : CVE-1999-0621
Nessus ID : 10150
Informational nfs (2049/tcp) Here is the export list of 216.125.250.155 :
/tmp (mountable by everyone)

CVE : CVE-1999-0554, CVE-1999-0548
Nessus ID : 10437
Informational general/udp For your information, here is the traceroute to 216.125.250.155 :
216.125.250.104
216.125.250.155

Nessus ID : 10287

This file was generated by Nessus, the open-source security scanner.