Security Issues and Fixes: 172.16.100.250

Type | Port | Issue and Fix

Vulnerability | ssh (22/tcp) |
You are running a version of OpenSSH which is older than 3.4
There is a flaw in this version that can be exploited remotely to
give an attacker a shell on this host.
Solution : Upgrade to OpenSSH 3.4
Risk factor : High |
Warning | ssh (22/tcp) |
The remote SSH daemon supports connections made
using the version 1.33 and/or 1.5 of the SSH protocol.
These protocols are not completely cryptographically
safe so they should not be used.
Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low |
Informational | ssh (22/tcp) |
An SSH server is running on this port |
Informational | ssh (22/tcp) |
Remote SSH version : SSH-1.99-OpenSSH_3.2.3p1 |
Informational | ssh (22/tcp) |
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.33
. 1.5
. 1.99
. 2.0 |
Vulnerability | smtp (25/tcp) |
The remote SMTP server did not complain when issued the
command :
MAIL FROM: |testing
This probably means that it is possible to send mail
that will be bounced to a program, which is
a serious threat, since this allows anyone to execute
arbitrary commands on this host.
*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently.
Solution : upgrade your MTA or change it.
Risk factor : High
CVE : CVE-1999-0203 |
Vulnerability | smtp (25/tcp) |
The remote SMTP server did not complain when issued the
command :
MAIL FROM: root@this_host
RCPT TO: /tmp/nessus_test
This probably means that it is possible to send mail directly
to files, which is a serious threat, since this allows
anyone to overwrite any file on the remote server.
*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently.
*** Check for the presence of file 'nessus_test' in /tmp !
Solution : upgrade your MTA or change it.
Risk factor : High
CVE : CVE-1999-0096 |
Vulnerability | smtp (25/tcp) |
The remote SMTP server did not complain when issued the
command :
MAIL FROM: root@this_host
RCPT TO: |testing
This probably means that it is possible to send mail directly
to programs, which is a serious threat, since this allows
anyone to execute arbitrary commands on this host.
*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently.
Solution : upgrade your MTA or change it.
Risk factor : High
CVE : CAN-1999-0163 |
Warning | smtp (25/tcp) |
The remote SMTP server allows relaying. This means that
it allows spammers to use your mail server to send their mail to
the world, thus wasting your network bandwidth.
Risk factor : Low/Medium
Solution : configure your SMTP server so that it can't be used as a relay
any more.
CVE : CAN-1999-0512 |
Warning | smtp (25/tcp) |
The remote SMTP server is vulnerable to a redirection
attack. That is, if a mail is sent to :
user@hostname1@victim
Then the remote SMTP server (victim) will happily send the
mail to :
user@hostname1
Using this flaw, an attacker may route a message
through your firewall, in order to exploit other
SMTP servers that cannot be reached from the
outside.
*** THIS WARNING MAY BE A FALSE POSITIVE, SINCE
SOME SMTP SERVERS LIKE POSTFIX WILL NOT
COMPLAIN BUT DROP THIS MESSAGE ***
Solution : if you are using sendmail, then at the top
of ruleset 98, in /etc/sendmail.cf, insert :
R$*@$*@$* $#error $@ 5.7.1 $: '551 Sorry, no redirections.'
Risk factor : Low |
Informational | smtp (25/tcp) |
An SMTP server is running on this port
Here is its banner :
220 MTA Server - ESMTP |
Informational | smtp (25/tcp) |
Remote SMTP server banner :
MTA Server - ESMTP
214 qmail home page: http://pobox.com/~djb/qmail.html |
Informational | smtp (25/tcp) |
Nessus sent several emails containing the EICAR
test strings in them to the postmaster of
the remote SMTP server.
The EICAR test string is a fake virus which
triggers anti-viruses, in order to make sure
they run.
Nessus attempted to e-mail this string five times,
with different codings each time, in order to attempt
to fool the remote anti-virus (if any).
If there is an antivirus filter, these messages should
all be blocked.
*** To determine if the remote host is vulnerable, see
*** if any mail arrived at the postmaster of this host
Solution : Install an antivirus / upgrade it
Risk factor : Low |
Informational | http (80/tcp) |
A web server is running on this port |
Informational | http (80/tcp) |
The remote web server type is :
Apache/1.3.26 (Unix) PHP/4.2.2
We recommend that you configure your web server to return
bogus versions in order to not leak information |
Informational | pop3 (110/tcp) |
A POP3 server is running on this port |
Informational | pop3 (110/tcp) |
The remote POP server banner is :
+OK <4425.1028923736@mail.server.com> |
Vulnerability | mysql (3306/tcp) |
Your MySQL database is not password protected.
Anyone can connect to it and do whatever they want to your data
(deleting a database, adding bogus entries, ...)
We could collect the list of databases installed on the remote host :
. 0
Solution : Log into this host, and set a password for the root user
through the command 'mysqladmin -u root password <newpassword>'
Read the MySQL manual (available on www.mysql.com) for details.
In addition to this, it is not recommended that you let your MySQL
daemon listen to requests from anywhere in the world. You should filter
incoming connections to this port.
Risk factor : High |
Warning | x11 (6000/tcp) |
This X server does *not* allow any client to connect to it;
however, it is recommended that you filter incoming connections
to this port, as an attacker may send garbage data and slow down
your X session or even kill the server.
Here is the server version : 11.0
Here is the message we received : Client is not authorized to connect to Server
Solution : filter incoming connections to ports 6000-6009
Risk factor : Low
CVE : CVE-1999-0526 |
Warning | unknown (10000/tcp) |
The remote server is running Webmin.
Webmin is a web-based interface for system administration for Unix.
Solution: Stop Webmin service if not needed or configure the access
See menu [Webmin Configuration][IP Access Control]
and/or [Webmin Configuration][Port and Address]
For more info see http://www.webmin.net/
Risk factor : Medium |
Informational | unknown (10000/tcp) |
A web server is running on this port |
Informational | unknown (10000/tcp) |
The remote web server does not respect the HTTP protocol in that
it does not send 404 error codes when a client requests a non-existent
page.
You are very likely to get false positives for the web checks. |
Informational | unknown (10000/tcp) |
The remote web server type is :
MiniServ/0.01
We recommend that you configure your web server to return
bogus versions in order to not leak information |
Informational | unknown (10000/tcp) |
For your information, here is the list of CGIs
that are used by the remote host, as well as their arguments :
Syntax: cginame (arguments [default value])
/session_login.cgi ( page ['/'] user [''] pass save [1] ) |
Informational | unknown (10000/tcp) |
The Webmin version is : HTTP/1.0 200 Document follows
Date: Fri, 9 Aug 2002 20:02:56 GMT
Server: MiniServ/0.01
Connection: close
Set-Cookie: testing=1; path=/
pragma: no-cache
Content-type: text/html; Charset=iso-8859-1
<!doctype html public "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<meta http-equiv="Content-Type" content="text/html; Charset=iso-8859-1">
<head>
<link rel='icon' href='images/webmin_icon.png' type='image/png'>
<title></title>
<body bgcolor=#6696bc link=#000000 vlink=#000000 text=#000000 leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" onLoad='document.forms[0].pass.value = ""; document.forms[0].user.focus()'><table width="100%" border="0" cellspacing="0" cellpadding="0" background="/images/nav/bottom_shadow.jpg">
<tr>
<td width="100%" nowrap><img src="/images/nav/bottom_shadow.jpg" width="43" height="9"></td>
</tr>
</table><br><hr>
<center>
<form action=/session_login.cgi method=post>
<input type=hidden name=page value='/'>
<table border width=40%>
<tr bgcolor=#7f7f7f> <td><b>Login to Webmin</b></td> </tr>
<tr bgcolor=#b7b7b7> <td align=center><table cellpadding=3>
<tr> <td colspan=2 align=center>You must enter a username and password to login to the Webmin server on <tt></tt>.</td> </tr>
<tr> <td><b>Username</b></td>
<td><input name=user size=20 value=''></td> </tr>
<tr> <td><b>Password</b></td>
<td><input name=pass size=20 type=password></td> </tr>
<tr> <td colspan=2 align=center><input type=submit value='Login'>
<input type=reset value='Clear'><br>
<input type=checkbox name=save value=1> Remember login permanently?
</td> </tr>
</table></td></tr></table><p><hr>
</form></center>
<table border=0 width=100% align=center cellspacing=0 cellpadding=0 bgcolor=#6696bc><tr><td>
</td></tr></table>
<br>
</body></html> |
Informational | general/tcp |
Nmap found that this host is running Linux Kernel 2.4.0 - 2.4.17 (X86) |
Warning | general/icmp |
The remote host answers to an ICMP timestamp
request. This allows an attacker to learn the
date and time set on your machine.
This may help them defeat all your
time-based authentication protocols.
Solution : filter out the ICMP timestamp
requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524 |