Result of a scan
Here is the file produced by Nessus after scanning a Windows 2000 server. Some information has been modified or replaced with "X".

Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test 1
Number of security holes found 3
Number of security warnings found 23


Host List
Host(s) Possible Issue
www.hote.com Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
www.hote.com echo (7/tcp) Security warning(s) found
www.hote.com discard (9/tcp) No Information
www.hote.com daytime (13/tcp) Security warning(s) found
www.hote.com qotd (17/tcp) Security warning(s) found
www.hote.com chargen (19/tcp) Security warning(s) found
www.hote.com ftp (21/tcp) Security hole found
www.hote.com nameserver (42/tcp) No Information
www.hote.com http (80/tcp) Security hole found
www.hote.com kerberos (88/tcp) No Information
www.hote.com unknown (135/tcp) No Information
www.hote.com netbios-ssn (139/tcp) Security hole found
www.hote.com ldap (389/tcp) No Information
www.hote.com microsoft-ds (445/tcp) No Information
www.hote.com kpasswd (464/tcp) No Information
www.hote.com unknown (593/tcp) Security warning(s) found
www.hote.com ldaps (636/tcp) No Information
www.hote.com unknown (1026/tcp) No Information
www.hote.com unknown (1029/tcp) Security warning(s) found
www.hote.com socks (1080/tcp) Security notes found
www.hote.com unknown (3268/tcp) No Information
www.hote.com unknown (3269/tcp) Security notes found
www.hote.com unknown (3372/tcp) No Information
www.hote.com unknown (3389/tcp) Security notes found
www.hote.com general/tcp Security notes found
www.hote.com netbios-ns (137/udp) Security warning(s) found
www.hote.com chargen (19/udp) Security warning(s) found
www.hote.com daytime (13/udp) Security warning(s) found
www.hote.com echo (7/udp) Security warning(s) found
www.hote.com qotd (17/udp) Security warning(s) found
www.hote.com general/udp Security notes found
www.hote.com ntp (123/udp) Security warning(s) found


Security Issues and Fixes: www.hote.com
Type Port Issue and Fix
Warning echo (7/tcp) The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Informational echo (7/tcp) An echo server is running on this port
Warning daytime (13/tcp) The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Warning qotd (17/tcp) The quote service (qotd) is running.

A server listens for TCP connections on TCP port 17. Once a connection
is established a short message is sent out the connection (and any
data received is thrown away). The service closes the connection
after sending the quote.

Another quote of the day service is defined as a datagram based
application on UDP. A server listens for UDP datagrams on UDP port 17.
When a datagram is received, an answering datagram is sent containing
a quote (the data in the received datagram is ignored).


An easy attack is 'pingpong' which IP spoofs a packet between two machines
running qotd. They will commence spewing characters at each other, slowing
the machines down and saturating the network.



Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Warning chargen (19/tcp) The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with some random (something like all
the characters in the alphabet in row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

An easy attack is 'pingpong' which IP spoofs a packet between two machines
running chargen. They will commence spewing characters at each other, slowing
the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Informational chargen (19/tcp) Chargen is running on this port
Vulnerability ftp (21/tcp) It may be possible to make the remote FTP server crash
by sending the command 'STAT *?AAA...AAA.

An attacker may use this flaw to prevent your site from distributing files

*** Warning : we could not verify this vulnerability.
*** Nessus solely relied on the banner of this server

Solution : Apply the relevant hotfix from Microsoft

See:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp

Risk factor : High
CVE : CAN-2002-0073
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 srvhote Microsoft FTP Service (Version 5.0).
Informational ftp (21/tcp) Remote FTP server banner :
220 srvhote Microsoft FTP Service (Version 5.0).
Vulnerability http (80/tcp)
The IIS server appears to have the .SHTML ISAPI filter mapped.

At least one remote vulnerability has been discovered for the
.SHTML filter. This is detailed in Microsoft Advisory MS02-018
and results in a denial of service access to the web server.

It is recommended that even if you have patched this vulnerability that
you unmap the .SHTML extension, and any other unused ISAPI extensions
if they are not required for the operation of your site.

An attacker may use this flaw to prevent the remote service
from working properly.

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled

Solution: See
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
and/or unmap the shtml/shtm isapi filters.

To unmap the .shtml extension:
1.Open Internet Services Manager.
2.Right-click the Web server choose Properties from the context menu.
3.Master Properties
4.Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .shtml/shtm and sht from the list.

Risk factor : Medium
CVE : CAN-2002-0072
Warning http (80/tcp)
The remote web server appears to be running with
Frontpage extensions.

You should double check the configuration since
a lot of security problems have been found with
FrontPage when the configuration file is
not well set up.

Risk factor : High if your configuration file is
not well set up
CVE : CAN-2000-0114
Warning http (80/tcp)
IIS web server may allow remote users to read sensitive information
from .cnf files.

Example, http://target/_vti_pvt%5csvcacl.cnf

Solution: If you do not need .cnf files, then delete them, otherwise use
suitable access control lists to ensure that the .cnf files are not
world-readable.

The files found on the server are as follows:
/_vti_pvt%5caccess.cnf
/_vti_pvt%5csvcacl.cnf
/_vti_pvt%5cwriteto.cnf
/_vti_pvt%5cservice.cnf
/_vti_pvt%5cservices.cnf

.cnf files can give away confidential information regarding server configuration
Risk factor : Medium
Warning http (80/tcp)
The IIS server appears to have the .IDA ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .IDA
(indexing service) filter. This is detailed in Microsoft Advisory
MS01-033, and gives remote SYSTEM level access to the web server.

It is recommended that even if you have patched this vulnerability that
you unmap the .IDA extension, and any other unused ISAPI extensions
if they are not required for the operation of your site.

Solution:
To unmap the .IDA extension:
1.Open Internet Services Manager.
2.Right-click the Web server choose Properties from the context menu.
3.Master Properties
4.Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .ida from the list.

Risk factor : Medium
CVE : CAN-2002-0071
Informational http (80/tcp) A web server is running on this port
Informational http (80/tcp) The remote web server type is :

Microsoft-IIS/5.0

Solution : You can use urlscan to change reported server for IIS.
Vulnerability netbios-ssn (139/tcp)
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$

. All the smb tests will be done as ''/'' in domain
Warning netbios-ssn (139/tcp) The domain SID can be obtained remotely. Its value is :

XXXXX : X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
Warning netbios-ssn (139/tcp) The host SID can be obtained remotely. Its value is :

XXXXX : X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
Warning netbios-ssn (139/tcp) The domain SID could be used to enumerate the names of the users
of this domain.
(we only enumerated users name whose ID is between 1000 and 1020
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrateur (id 500)
- Guest account name : Invit (id 501)
- TsInternetUser (id 1000)
- IUSR_HOTE (id 1001)
- IWAM_HOTE (id 1002)
- HOTE$ (id 1006)

Risk factor : Medium
Solution : filter incoming connections this port

CVE : CVE-2000-1200
Warning netbios-ssn (139/tcp)
The guest user belongs to groups other than
guest users or domain guests.

As guest should not have any privilege, you should
fix this.

Risk factor : Medium
Warning netbios-ssn (139/tcp) The following accounts have never changed their password :

TsInternetUser
IUSR_HOTE
IWAM_HOTE


To minimize the risk of break-in, users should
change their password regularly
Warning netbios-ssn (139/tcp) The following accounts have never logged in :

Invit
TsInternetUser


Unused accounts are very helpful to hacker
Solution : suppress these accounts
Risk factor : Medium
Warning netbios-ssn (139/tcp) The following accounts have passwords which never expire :

Administrateur
Invit
TsInternetUser
IUSR_HOTE
IWAM_HOTE


Password should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
Warning netbios-ssn (139/tcp) Here is the browse list of the remote host :

HOTE -


This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for

Solution : filter incoming traffic to this port
Risk factor : Low
Informational netbios-ssn (139/tcp) The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.0
The remote SMB Domain Name is : HOTE
Informational netbios-ssn (139/tcp) The following users are in the domain administrator group :
. Administrateur

You should make sure that only the proper users are member of this
group
Risk factor : Low
Informational netbios-ssn (139/tcp) The following accounts are disabled :

Invit


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Warning unknown (593/tcp) This detects the http-rpc-epmap service by connecting
to the port 593 and processing the buffer received.

This endpoint mapper provides CIS (COM+ Internet Services)
parameters like port 135 (epmap) for RPC.

Solution:
Deny incoming traffic from the Internet to TCP port 593
as it may become a security threat in the future, if a
vulnerability is discovered.

For more information about CIS:
http://msdn.microsoft.com/library/en-us/dndcom/html/cis.asp

Risk factor : Low
Warning unknown (1029/tcp) There is a CIS (COM+ Internet Services) on this port
Server banner :
ncacn_http/1.0
Informational socks (1080/tcp) An unknown service is running on this port.
It is usually reserved for SOCKS
Informational unknown (3269/tcp) The service closed the connection after 1 seconds without sending any data
It might be protected by some TCP wrapper
Informational unknown (3389/tcp)
The Terminal Services are enabled on the remote host.

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host.


Solution : Disable the Terminal Services if you do not use them
Risk factor : Low
Informational general/tcp Nmap found that this host is running Windows Millennium Edition (Me), Win 2000, or WinXP
Warning netbios-ns (137/udp) . The following 12 NetBIOS names have been gathered :
HOTE
HOTE
HOTE05
HOTE05
HOTE05
HOTE
HOTE05
HOTE05
__MSBROWSE__
INet~Services
IS~SRVHOTE
ADMINISTRATEUR
. The remote host has the following MAC address on its adapter :
0xXX 0xXX 0xXX 0xXX 0xXX 0xXX

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
Warning chargen (19/udp) The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with some random (something like all
the characters in the alphabet in row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

An easy attack is 'pingpong' which IP spoofs a packet between two machines
running chargen. They will commence spewing characters at each other, slowing
the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Warning daytime (13/udp) The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Warning echo (7/udp) The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
Warning qotd (17/udp) The quote service (qotd) is running.

A server listens for TCP connections on TCP port 17. Once a connection
is established a short message is sent out the connection (and any
data received is thrown away). The service closes the connection
after sending the quote.

Another quote of the day service is defined as a datagram based
application on UDP. A server listens for UDP datagrams on UDP port 17.
When a datagram is received, an answering datagram is sent containing
a quote (the data in the received datagram is ignored).


An easy attack is 'pingpong' which IP spoofs a packet between two machines
running qotd. They will commence spewing characters at each other, slowing
the machines down and saturating the network.



Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
Informational general/udp For your information, here is the traceroute to XXX.XXX.XXX.XXX :
XXX.X.X.XXX
XXX.XXX.XXX.XXX
Warning ntp (123/udp)
An NTP server is running on the remote host. Make sure that
you are running the latest version of your NTP server,
as some versions have been found to be vulnerable to
buffer overflows.

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

If you happen to be vulnerable : upgrade
Solution : Upgrade
Risk factor : High
CVE : CVE-2001-0414

This file was generated by Nessus, the open-sourced security scanner.
Volunteer managers of the Accueil section: Nicolas Vallée (gorgonite) and Guillaume Rossolini (Yogui)
Copyright © 2000-2008 www.developpez.com