Vulnerability found on port smtp (25/tcp)
Warning found on port smtp (25/tcp)
The remote SMTP server answers to the EXPN and/or VRFY commands.
The EXPN command can be used to find the delivery address of mail aliases, or
even the full name of the recipients, and the VRFY command may be used to check the validity of an account.
Your mailer should not allow remote users to use any of these commands,
because it gives them too much information.
Solution : if you are using Sendmail, add the option :
O PrivacyOptions=goaway
in /etc/sendmail.cf.
Risk factor : Low
CVE : CAN-1999-0531
Nessus ID : 10249
Information found on port smtp (25/tcp)
An SMTP server is running on this port
Here is its banner :
220 n-adm.rush.epita.fr ESMTP Sendmail 8.12.3/8.12.3/Debian-6.6; Sat, 3 Apr 2004 20:34:30 +0200; (No UCE/UBE) logging access from: n-ids.rush.epita.fr(OK)-n-ids.rush.epita.fr [192.168.20.1]
Nessus ID : 10330
Information found on port smtp (25/tcp)
Remote SMTP server banner :
220 n-adm.rush.epita.fr ESMTP Sendmail 8.12.3/8.12.3/Debian-6.6; Sat, 3 Apr 2004 20:34:51 +0200; (No UCE/UBE) logging access from: n-ids.rush.epita.fr(OK)-n-ids.rush.epita.fr [192.168.20.1]
This is probably: Sendmail version 8.12.3
Nessus ID : 10263
Information found on port smtp (25/tcp)
smtpscan was not able to reliably identify this server. It might be:
Sendmail 8.11.7/8.11.4/VUT Brno
The fingerprint differs from these known signatures on 1 point(s)
If you know precisely what it is, please send this fingerprint
to smtp-signatures@nessus.org :
:553:501:501:250:553:553:503:214:250:250:502:502:502:250:250
Nessus ID : 11421
Vulnerability found on port ssh (22/tcp)
Warning found on port ssh (22/tcp)
You are running OpenSSH-portable 3.6.1p1 or older.
If PAM support is enabled, an attacker may use a flaw in this version
to determine the existence of a given login name by comparing the time
the remote sshd daemon takes to refuse a bad password for a non-existent
login with the time it takes to refuse a bad password for a
valid login.
An attacker may use this flaw to set up a brute force attack against
the remote host.
*** Nessus did not check whether the remote SSH daemon is actually
*** using PAM or not, so this might be a false positive
Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer
Risk Factor : Low
CVE : CAN-2003-0190
BID : 7482, 7467, 7342
Other references : RHSA:RHSA-2003:222-01
Nessus ID : 11574
Warning found on port ssh (22/tcp)
You are running OpenSSH-portable 3.6.1 or older.
There is a flaw in this version which may allow an attacker to
bypass the access controls set by the administrator of this server.
OpenSSH features a mechanism which can restrict the list of
hosts a given user can log from by specifying a pattern
in the user key file (i.e. *.mynetwork.com would let a user
connect only from the local network).
However there is a flaw in the way OpenSSH does reverse DNS lookups.
If an attacker configures his DNS server to send a numeric IP address
when a reverse lookup is performed, he may be able to circumvent
this mechanism.
Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk Factor : Low
CVE : CAN-2003-0386
BID : 7831
Nessus ID : 11712
Information found on port ssh (22/tcp)
An ssh server is running on this port
Nessus ID : 10330
Information found on port ssh (22/tcp)
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.99
. 2.0
Nessus ID : 10881
Information found on port ssh (22/tcp)
Remote SSH version : SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
Nessus ID : 10267
Vulnerability found on port ftp (21/tcp)
Warning found on port ftp (21/tcp)
This FTP service allows anonymous logins. If you do not want to share data
with anyone you do not know, then you should deactivate the anonymous account,
since it may only cause trouble.
The content of the remote FTP root is :
total 20
d--x--x--x 2 0 0 4096 Apr 1 14:26 bin
d--x--x--x 2 0 0 4096 Apr 1 14:26 etc
d--x--x--x 2 0 0 4096 Apr 1 14:26 lib
dr-xr-xr-x 3 0 0 4096 Apr 2 18:50 pub
-rw-r--r-- 1 0 0 346 Apr 1 14:26 welcome.msg
Risk factor : Low
CVE : CAN-1999-0497
Nessus ID : 10079
Information found on port ftp (21/tcp)
An FTP server is running on this port.
Here is its banner :
220 n-adm FTP server (Version wu-2.6.2(1) Wed Mar 3 22:51:51 UTC 2004) ready.
Nessus ID : 10330
Information found on port ftp (21/tcp)
Remote FTP server banner :
220 n-adm FTP server (Version wu-2.6.2(1) Wed Mar 3 22:51:51 UTC 2004) ready.
Nessus ID : 10092
Vulnerability found on port domain (53/tcp)
Warning found on port domain (53/tcp)
The remote name server allows recursive queries to be performed
by the host running nessusd.
If this is your internal nameserver, then forget this warning.
If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties' names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.
If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.
See also : http://www.cert.org/advisories/CA-1997-22.html
Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf.
If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command
Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'
For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf
If you are using another name server, consult its documentation.
Risk factor : Serious
CVE : CVE-1999-0024
BID : 678
Nessus ID : 10539
Warning found on port domain (53/tcp)
The remote name server allows DNS zone transfers to be performed.
A zone transfer will allow the remote attacker to instantly populate
a list of potential targets. In addition, companies often use a naming
convention which can give hints as to a server's primary application
(for instance, proxy.company.com, payroll.company.com, b2b.company.com, etc.).
As such, this information is of great use to an attacker who may use it
to gain information about the topology of your network and spot new
targets.
Solution: Restrict DNS zone transfers to only the servers that absolutely
need it.
Risk factor : Medium
CVE : CAN-1999-0532
Nessus ID : 10595
Information found on port domain (53/tcp)
BIND 'NAMED' is an open-source DNS server from ISC.org.
Many proprietary DNS servers are based on BIND source code.
The BIND based NAMED servers (or DNS servers) allow remote users
to query for version and type information. The query of the CHAOS
TXT record 'version.bind', will typically prompt the server to send
the information back to the querying source.
The remote bind version is : 9.2.1
Solution :
Using the 'version' directive in the 'options' section will block
the 'version.bind' query, but it will not log such attempts.
Nessus ID : 10028
Information found on port domain (53/tcp)
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002
Vulnerability found on port http (80/tcp)
Warning found on port http (80/tcp)
The remote host is running a version of PHP earlier than 4.2.2.
The mail() function does not properly sanitize user input.
This allows users to forge email to make it look like it is
coming from a source other than the server.
Users can exploit this even if SAFE_MODE is enabled.
Solution : Contact your vendor for the latest PHP release.
Risk factor : Medium
CVE : CAN-2002-0985
BID : 5562
Nessus ID : 11444
Warning found on port http (80/tcp)
The remote host is running a version of PHP which is
older than 4.3.2.
There is a flaw in this version which may allow an attacker who has the
ability to inject an arbitrary argument to the function socket_iovec_alloc()
to crash the remote service and possibly to execute arbitrary code.
For this attack to work, PHP has to be compiled with the option
--enable-sockets (which is disabled by default), and an attacker needs to
be able to pass arbitrary values to socket_iovec_alloc().
Other functions are vulnerable to such flaws : openlog(), socket_recv(),
socket_recvfrom() and emalloc()
Solution : Upgrade to PHP 4.3.2
Risk factor : Low
CVE : CAN-2003-0172
BID : 7187, 7197, 7198, 7199, 7210, 7256, 7259
Nessus ID : 11468
Warning found on port http (80/tcp)
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.
An attacker may use this flaw to trick your
legitimate web users into giving him their
credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the
following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
the NSAPI plugin located at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
Nessus ID : 11213
Warning found on port http (80/tcp)
The remote host appears to be running a version of
Apache which is older than 1.3.27
There are several flaws in this version, you should
upgrade to 1.3.27 or newer.
*** Note that Nessus solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive
Solution : Upgrade to version 1.3.27
See also : http://www.apache.org/dist/httpd/Announcement.html
Risk factor : Medium
CVE : CAN-2002-0839, CAN-2002-0840, CAN-2002-0843
BID : 5847, 5884, 5995, 5996
Nessus ID : 11137
Information found on port http (80/tcp)
A web server is running on this port
Nessus ID : 10330
Information found on port http (80/tcp)
The following directories were discovered:
/cgi-bin, /icons
While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.
Nessus ID : 11032
Information found on port http (80/tcp)
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/icons/debian/ (D [A] M [A] N [D] S [A] )
/icons/ (D [A] M [A] N [D] S [A] )
Directory index found at /icons/debian/
Directory index found at /icons/
Nessus ID : 10662
Information found on port http (80/tcp)
This web server was fingerprinted as Apache/1.3.26 (FreeBSD) or Apache/1.3.23 (Red-Hat/Linux)
which is consistent with the displayed banner: Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2
Nessus ID : 11919
Information found on port http (80/tcp)
The remote web server type is :
Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
Information found on port pop3 (110/tcp)
A pop3 server is running on this port
Nessus ID : 10330
Vulnerability found on port submission (587/tcp)
Information found on port submission (587/tcp)
An SMTP server is running on this port
Here is its banner :
220 n-adm.rush.epita.fr ESMTP Sendmail 8.12.3/8.12.3/Debian-6.6; Sat, 3 Apr 2004 20:34:35 +0200; (No UCE/UBE) logging access from: n-ids.rush.epita.fr(OK)-n-ids.rush.epita.fr [192.168.20.1]
Nessus ID : 10330
Information found on port submission (587/tcp)
Remote SMTP server banner :
220 n-adm.rush.epita.fr ESMTP Sendmail 8.12.3/8.12.3/Debian-6.6; Sat, 3 Apr 2004 20:34:52 +0200; (No UCE/UBE) logging access from: n-ids.rush.epita.fr(OK)-n-ids.rush.epita.fr [192.168.20.1]
This is probably: Sendmail version 8.12.3
Nessus ID : 10263
Information found on port submission (587/tcp)
smtpscan was not able to reliably identify this server. It might be:
Sendmail 8.11.7/8.11.4/VUT Brno
The fingerprint differs from these known signatures on 1 point(s)
If you know precisely what it is, please send this fingerprint
to smtp-signatures@nessus.org :
:553:501:501:250:553:553:503:214:250:250:502:502:502:250:250
Nessus ID : 11421
Information found on port domain (53/udp)
The remote name server could be fingerprinted as being one of the following :
ISC BIND 9.2.1
ISC BIND 9.2.2
Nessus ID : 11951
Information found on port domain (53/udp)
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002
Warning found on port general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.
This may help him to defeat all your time-based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Information found on port general/udp
For your information, here is the traceroute to 192.168.20.2 :
192.168.31.4
192.168.31.1
10.251.3.194
192.168.20.2
Nessus ID : 10287
Warning found on port general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618
Information found on port general/tcp
Nessus was not able to reliably identify the remote operating system. It might be:
Linux Kernel 2.4
The fingerprint differs from these known signatures on 1 point.
If you know what operating system this host is running, please send this signature to
os-signatures@nessus.org :
:1:1:0:255:1:255:1:0:255:1:0:255:1:>64:255:0:1:2:1:1:1:1:1:0:64:5792:MSTNW:0:1:1
Nessus ID : 11936
Information found on port ntp (123/udp)
It is possible to determine a lot of information about the remote host
by querying the NTP (Network Time Protocol) variables; these include
the OS descriptor and time settings.
It was possible to gather the following information from the remote NTP host :
version='ntpd 4.1.0 Mon Mar 25 23:39:47 UTC 2002 (2)', processor='i686',
system='Linux2.4.18-bf2.4', leap=3, stratum=16, precision=-16,
rootdelay=0.000, rootdispersion=365.055, peer=0, refid=0.0.0.0,
reftime=0x00000000.00000000, poll=4, clock=0xc419823d.9cba51a0, state=1,
offset=0.000, frequency=0.000, jitter=0.015, stability=0.000
Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore
Risk factor : Low
Nessus ID : 10884